1

Is there a way to figure out the original size of AES/ECB decrypted binary (0x00 is not the end) data without storing it explicitly?

Artjom B.
  • 61,146
  • 24
  • 125
  • 222
andrey
  • 1,515
  • 5
  • 23
  • 39
  • 2
    It's a multiple of 16 bytes since AES is a 128-bit (16-byte) block cipher. With ECB (which you [should not use](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation)), each block is encrypted independently. Other than that, there's no reliable way to know the end other than being told where the end is. – Jonathan Leffler Sep 27 '15 at 02:52

1 Answers1

4

It depends on which padding was used. The mode of operation has no influence on that other than it must not be a streaming mode. Streaming modes like CTR don't need any padding scheme.

The paddings work by filling up the plaintext up to the next multiple of the block size. Some add an additional block and some don't. There are two common padding schemes for block ciphers.

PKCS#5/PKCS#7 paddings (reliable)

The plaintext is padded with bytes that denote the number of padding bytes. The padding is always applied even if a full block of padding must be added. Since the size of the padding is encoded in the padding itself, it can be easily and reliably removed.

You can calculate the size of the data in the following way

plaintextLength = paddedLength - int(byteAtLastPosition)

You may also want to check the other int(byteAtLastPosition)-1 padding bytes whether they contain byteAtLastPosition.

Zero padding (unreliable)

The padding bytes are all 0x00 bytes. If your plaintext can end in 0x00, then you run the risk of accidentally removing plaintext bytes when removing the padding. There is no way to distinguish 0x00 bytes belonging to the padding and those belonging to the plaintext alone from the decrypted plaintext. You can however send the length of the plaintext along with the ciphertext message.

Some implementations differ whether they add a full block of padding or not when the plaintext is already a multiple of the block size, which shouldn't make a difference when removing the padding.

Other padding schemes for block ciphers

Bit padding or ISO/IEC 9797-1 Padding Method 2 (reliable)

The padding is works by adding a 1 bit followed by as many 0 bits to fill up a multiple of the block size. If working on bytes this looks like a 0x80 byte followed by 0x00 bytes. Since the start of the padding is clearly defined, it can be reliably removed.

ISO 10126 padding (reliable)

This is very similar to PKCS#7 padding with the distinction that the first to the second to last padding bytes are chosen randomly. Only the last padding byte encodes the number of padding bytes.

ANSI X.923 padding (reliable)

This is very similar to PKCS#7 padding with the distinction that the first to the second to last padding bytes are 0x00 bytes and the last padding byte encodes the number of padding bytes.

Artjom B.
  • 61,146
  • 24
  • 125
  • 222
  • When removing padding from a decrypted file **always** check that the padding conforms to the specified format. Faulty padding may indicate an incorrect decryption, or that the cyphertext file has been corrupted, either deliberately of accidentally. – rossum Sep 27 '15 at 19:33
  • Faulty padding may indicate a wrong key or a manipulated last block (for ECB/CBC). If a wrong key was used then there is still roughly a 1 in 256 chance that the padding can be successfully removed even if fully validating it. The proper way to detect changes would be to authenticate ciphertexts with an encrypt-then-MAC scheme or simply using an authenticated mode of operation like GCM. (All?) Authenticated modes are streaming ciphers so this answer doesn't apply. – Artjom B. Sep 27 '15 at 19:39
  • I'm sure I'm going further away from OP's original question with this comment, but as the topic has come close to this, I have to agree that if a person wanted to roll his or her own implementation (as opposed to using TLS or IPSec or something like that) using and checking a MAC before checking padding is a big deal. If it's a legacy system and doesn't use a MAC, then checking the padding in a time invariant way and rejecting bad padding with a completely generic error message is critical to preventing padding oracle attacks. I'm sure both posters above knew this, but for those who didn't. – WDS Sep 27 '15 at 21:28