[botan-devel] PKCS5_PBKDF2::derive_key() length check

Jack Lloyd lloyd at randombit.net
Mon Apr 6 10:18:19 EDT 2015

On Sat, Apr 04, 2015 at 05:23:27AM +0000, Maricel Gregoraschko wrote:

> Also, is there a good reason why the minimum input for CTS is
> blocksize+1 rather than blocksize? There would still be no previous
> block to take ciphertext from, but nor would it be needed, a full
> block is a full block, no? I've only looked at the implementation
> superficially. I understand we can't have less than a block, that
> would force padding through other methods. Thanks!

It seems like that would work. I wonder how other implementations
handle this?

Really though, any extensions like this to CTS mode seem pointless since
all new applications should be moving to a good AEAD mode, full stop.

And CTS mode is particularly undesirable given it is not as widely
implemented, so it doesn't even have CBC or CTR modes' advantage of
easy cross-library protocol implementation. So I'm not inclined to
actually make any modification here, unless some other implementation
already supports this and so it is needed for compatibility.
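
An added sketch (not code from this thread or from Botan) of CBC ciphertext stealing in which an input of exactly one block is accepted and handled as plain CBC, the case the question above asks about. The block cipher is a toy SHA-256 Feistel stand-in, not AES, and every function name here is an assumption; for longer inputs the last two blocks are always swapped.

```python
import hashlib

BS = 16  # block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key, rnd, half):  # Feistel round function (toy, NOT a real cipher)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, round_f(key, i, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, round_f(key, i, l)), l
    return l + r

def cts_encrypt(key, iv, pt):
    if len(pt) < BS:
        raise ValueError("CTS needs at least one full block")
    d = len(pt) % BS or BS            # bytes in the final block
    padded = pt + bytes(BS - d)       # zero-fill the final block
    prev, out = iv, []
    for i in range(0, len(padded), BS):
        prev = enc_block(key, xor(padded[i:i + BS], prev))
        out.append(prev)
    if len(out) == 1:
        return out[0]                 # exactly one block: plain CBC, nothing to steal
    return b"".join(out[:-2]) + out[-1] + out[-2][:d]  # swap, then truncate

def cts_decrypt(key, iv, ct):
    if len(ct) < BS:
        raise ValueError("CTS needs at least one full block")
    if len(ct) == BS:
        return xor(dec_block(key, ct), iv)
    d = len(ct) % BS or BS
    head, cn, tail = ct[:-(BS + d)], ct[-(BS + d):-d], ct[-d:]
    x = dec_block(key, cn)            # (P_n || zeros) XOR C_{n-1}
    cn1 = tail + x[d:]                # rebuild C_{n-1} from the stolen bytes
    prev, out = iv, []
    for c in [head[i:i + BS] for i in range(0, len(head), BS)] + [cn1]:
        out.append(xor(dec_block(key, c), prev))
        prev = c
    return b"".join(out) + xor(x, cn1)[:d]
```

The ciphertext is always the same length as the plaintext, so the one-block case adds no expansion and no padding.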

