[botan-devel] PKCS5_PBKDF2::derive_key() length check

Maricel Gregoraschko maricelgregoraschko at yahoo.com
Mon Apr 6 11:03:16 EDT 2015

Also if one were to use CBC, aside from limited compatibility with other libraries, wouldn't CTS be the only mode not vulnerable to the Padding oracle attack?

From: Maricel Gregoraschko <maricelgregoraschko at yahoo.com>
To: Botan development list <botan-devel at randombit.net>
Sent: Monday, April 6, 2015 10:50 AM
Subject: Re: [botan-devel] PKCS5_PBKDF2::derive_key() length check
Fair enough. For what it's worth, crypto++ has it (CBC_CTS) and with the same limit (blocksize+1). I also checked that it's fully compatible (i.e. encryption and decryption output the exact same data for a given key + iv pair).
I didn't see GCM in the stable Botan library version. Is there another mode you'd recommend that is implemented there? Thank you!

From: Jack Lloyd <lloyd at randombit.net>
To: botan-devel at randombit.net
Sent: Monday, April 6, 2015 10:18 AM
Subject: Re: [botan-devel] PKCS5_PBKDF2::derive_key() length check
On Sat, Apr 04, 2015 at 05:23:27AM +0000, Maricel Gregoraschko wrote:

> Also, is there a good reason why the minimum input for CTS is
> blocksize+1 rather than blocksize? There would still be no previous
> block to take ciphertext from, but nor would it be needed, a full
> block is a full block, no? I've only looked at the implementation
> superficially. I understand we can't have less than a block, that
> would force padding through other methods. Thanks!

It seems like that would work. I wonder how other implementations
handle this?

Really though, any extensions like this to CTS mode seem pointless since
all new applications should be moving to a good AEAD mode, full stop.

And CTS mode is particularly undesirable given it is not as widely
implemented, so it doesn't even have CBC or CTR mode's advantage of
easy cross-library protocol implementation. So I'm not inclined to
actually make any modification here, unless some other implementation
already supports this and so it is needed for compatibility.

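The ciphertext-stealing mechanics behind the blocksize+1 check, as an added example that is not Botan's or Crypto++'s code: a generic CBC-CTS encrypt/decrypt in the CS3 layout (final two ciphertext blocks swapped, an assumption about which variant is meant), parameterised over any block cipher. A deliberately trivial keyed byte permutation stands in for AES so the file runs on the standard library alone; it is a placeholder with no security value, and the length check is the one discussed in the thread, which rejects a plaintext of exactly one block because there is no preceding ciphertext block to steal from.

```python
# Added example, not Botan/Crypto++ code. CBC ciphertext stealing (CS3 layout,
# assumed) over a placeholder block cipher; the mode logic is the point.
B = 16  # block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key, block):
    # Placeholder permutation standing in for AES: xor key, rotate, add key.
    x = _xor(block, key)
    x = x[1:] + x[:1]
    return bytes((c + k) & 0xFF for c, k in zip(x, key))

def toy_decrypt_block(key, block):
    x = bytes((c - k) & 0xFF for c, k in zip(block, key))
    x = x[-1:] + x[:-1]
    return _xor(x, key)

def cts_encrypt(key, iv, pt, enc=toy_encrypt_block):
    if len(pt) < B + 1:  # the minimum-length check the thread discusses
        raise ValueError("CTS needs at least blocksize + 1 bytes")
    n = -(-len(pt) // B)         # block count; the last block may be partial
    d = len(pt) - (n - 1) * B    # bytes in the final block, 1..B
    prev, out = iv, []
    for i in range(n - 1):       # plain CBC for every block but the last
        prev = enc(key, _xor(pt[i * B:(i + 1) * B], prev))
        out.append(prev)
    last = enc(key, _xor(pt[(n - 1) * B:] + bytes(B - d), prev))
    # Steal: emit the full final block, then only the first d bytes of C_{n-1}.
    return b"".join(out[:-1]) + last + out[-1][:d]

def cts_decrypt(key, iv, ct, dec=toy_decrypt_block):
    if len(ct) < B + 1:
        raise ValueError("CTS needs at least blocksize + 1 bytes")
    n = -(-len(ct) // B)
    d = len(ct) - (n - 1) * B
    head, c_n, c_prev_short = ct[:(n - 2) * B], ct[(n - 2) * B:(n - 1) * B], ct[(n - 1) * B:]
    x = dec(key, c_n)                 # equals C_{n-1} xor (P_n || zero padding)
    c_prev = c_prev_short + x[d:]     # recover the stolen tail of C_{n-1}
    p_n = _xor(x[:d], c_prev_short)   # last plaintext block, d bytes
    blocks = [head[i * B:(i + 1) * B] for i in range(n - 2)] + [c_prev]
    prev, out = iv, []
    for c in blocks:                  # ordinary CBC decryption of the rest
        out.append(_xor(dec(key, c), prev))
        prev = c
    return b"".join(out) + p_n
```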