[botan-devel] Question about exceptions

Murphy, Sean smurphy at walbro.com
Fri Nov 7 11:17:18 EST 2014


> > What I'm finding is that if I take some original text, and run it
> > through encrypt() that seems to work fine, I get what appears to be an
> > encrypted string back.  If I decrypt() that new string, I get my
> > original text back so long as encryptKey in encrypt() matches
> > decryptKey in decrypt().  So far so good, I'm getting back what I
> > expect when I use the same key.  But if decryptKey doesn't match
> > encryptKey, the call to pipe.process_msg() in decrypt() throws a
> > Decoding_Error exception with the text "PKCS7".  I had expected that
> > if the keys didn't match, I would just get garbage back, not a thrown
> > exception.  So am I doing something wrong?  Or am I just
> > misunderstanding something?
> 
> For certain modes (like counter) you would indeed just get some garbled
> data back. However CBC specifically requires a padding mode of some kind
> (because CBC can only process full blocks, so with AES 16 bytes at a time).
> These padding modes have a specific defined format that is checked on
> decryption, when you decrypt with the wrong key obviously that format will
> most of the time not be met and you get an exception. This is not foolproof
> though: if it turned out that decrypting the last block had a single 1 byte as
> the last value, this would be silently accepted and for the last block you'd get
> 15 (16-1) garbled bytes.
> 
> Keep in mind for something like this that you'll also need a good
> authentication code with your messages. As (rather unintuitively) it turns out
> that if you don't, and an attacker can send you messages and figure out
> which messages have invalid padding (via error messages or timing of
> responses or a cache-based side channel attack) they can often decrypt
> arbitrary messages. Google "padding oracle attacks" for more on that.

Thanks for the advice.  Is there a good list of the pros and cons of the different modes?  I think for our application, I'd prefer to choose a cipher/mode that just happily returns garbage back for wrong passwords, instead of throwing exceptions.

We're just trying to lightly shield a text config file from casual prying.  If someone really wants to spend time cracking our config file, we're kind of Ok with that, but we're just trying to put a little hurdle in the way.

Also, is there a good discussion anywhere of:
  - all the ciphers offered by Botan
  - how to properly use each one?  I've found a few examples here and there, but I'm so new to cryptography that I'm definitely out of my element at the moment!

Thanks,
Sean
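
As an added illustration of the two points in the quoted reply (not Botan code and not part of the original thread): a Python version of the PKCS#7 format check that CBC decryption performs, a measurement of how often random "wrong-key" blocks slip through it, and an encrypt-then-MAC wrapper that verifies a tag before anything is unpadded. The AES/CBC step itself is assumed to be done by the caller; these functions only handle the bytes around it, and the HMAC-SHA256 construction is the example's own choice.

```python
import hashlib
import hmac
import random

BLOCK = 16    # AES block size: CBC only processes whole 16-byte blocks
TAG_LEN = 32  # HMAC-SHA256 output length

class DecodingError(Exception):
    """Padding format violated: the case Botan reports as Decoding_Error 'PKCS7'."""

class AuthError(Exception):
    """MAC check failed: wrong key or tampered ciphertext, reported before any unpadding."""

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - (len(data) % BLOCK)  # always 1..16: a full last block gets a whole pad block
    return data + bytes([n]) * n

def pkcs7_unpad(padded: bytes) -> bytes:
    if not padded or len(padded) % BLOCK:
        raise DecodingError("PKCS7")
    n = padded[-1]
    # All of the last n bytes must equal n. A final 0x01 is itself valid padding,
    # which is why garbage ending in 0x01 is accepted and 15 garbled bytes are kept.
    if n == 0 or n > BLOCK or padded[-n:] != bytes([n]) * n:
        raise DecodingError("PKCS7")
    return padded[:-n]

def false_accept_rate(trials: int, seed: int = 0) -> float:
    """Fraction of random blocks (what a wrong key yields) that pass the padding check."""
    rng, accepted = random.Random(seed), 0
    for _ in range(trials):
        try:
            pkcs7_unpad(bytes(rng.getrandbits(8) for _ in range(BLOCK)))
            accepted += 1
        except DecodingError:
            pass
    return accepted / trials  # close to 1/256 + 1/256**2 + ..., about 0.4%

def seal(ciphertext: bytes, mac_key: bytes) -> bytes:
    """Encrypt-then-MAC: the tag is computed over the ciphertext, never the plaintext."""
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def open_sealed(sealed: bytes, mac_key: bytes) -> bytes:
    """Constant-time tag check first; only ciphertext that passes is ever decrypted and unpadded."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise AuthError("bad tag")  # one uniform failure: no padding information leaks
    return ct
```

With the tag checked first, a wrong password (and therefore a wrong MAC key) produces the same single failure every time, which is the behaviour the "padding oracle" warning is steering toward.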
