[botan-devel] Question about exceptions

Jack Lloyd lloyd at randombit.net
Fri Nov 7 10:34:09 EST 2014


On Wed, Nov 05, 2014 at 07:35:38PM +0000, Murphy, Sean wrote:

> What I'm finding is that if I take some original text, and run it
> through encrypt() that seems to work fine, I get what appears to be
> an encrypted string back.  If I decrypt() that new string, I get my
> original text back so long as encryptKey in encrypt() matches
> decryptKey in decrypt().  So far so good, I'm getting back what I
> expect when I use the same key.  But if decryptKey doesn't match
> encryptKey, the call to pipe.process_msg() in decrypt() throws a
> Decoding_Error exception with the text "PKCS7".  I had expected that
> if the keys didn't match, I would just get garbage back, not a
> thrown exception.  So am I doing something wrong?  Or am I just
> misunderstanding something?

For certain modes (like counter) you would indeed just get some
garbled data back. However CBC specifically requires a padding mode of
some kind (because CBC can only process full blocks, so with AES 16
bytes at a time). These padding modes have a specific defined format
that is checked on decryption, when you decrypt with the wrong key
obviously that format will most of the time not be met and you get an
exception. This is not foolproof though: if it turned out that
decrypting the last block had a single 1 byte as the last value, this
would be silently accepted and for the last block you'd get 15 (16-1)
garbled bytes.

Keep in mind for something like this that you'll also need a good
authentication code with your messages. As (rather unintuitively) it
turns out that if you don't, and an attacker can send you messages and
figure out which messages have invalid padding (via error messages or
timing of responses or a cache-based side channel attack) they can
often decrypt arbitrary messages. Google "padding oracle attacks" for
more on that.

Jack


More information about the botan-devel mailing list