block-cipher padding-oracle padding
Updated Tue, 23 Aug 2022 14:15:23 GMT

Security of (cryptographic) padding compared to other methods for block completion for block ciphers

As said in the heading, I want to know how the security of different padding methods, e.g. ANSI X.923, ISO 10126 and PKCS7, compares to other methods of reaching the needed block size, like ciphertext stealing or residual block termination. And what about the counter mode of operation?

I heard that oracle attacks are possible if padding is applied, but do the other methods also have disadvantages (except a higher complexity)? Or are there any other ways to solve the problem that I forgot and that are more recommended?


The security of these schemes is all comparable, as far as I am aware. In all cases, you need to use authentication (e.g., Encrypt-then-MAC). Padding attacks are just one way that security can fail if you omit the authentication, but all of these schemes will have serious security problems if you omit the authentication. So, don't forget the authentication.

Bottom line: I don't know of any compelling security reason to choose one of these methods over any other, assuming that you are using the crypto correctly. You can choose on other grounds, e.g., interoperability, performance, ease of implementation, etc.
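The Encrypt-then-MAC arrangement recommended in the answer above, as an added example that is not part of the original post: the tag is verified before any unpadding, so a modified ciphertext fails the same way whether or not its padding would have been valid. Python's standard library has no block cipher, so a small Feistel construction stands in for a real one such as AES; it and all function names here are assumptions made for this illustration.

```python
import hashlib, hmac, os

BLOCK = 16  # block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, blk, rounds):  # stand-in 16-byte block cipher, NOT a real cipher
    l, r = blk[:8], blk[8:]
    for i in rounds:
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8]
        l, r = r, _xor(l, f)
    return r + l  # final swap makes decryption the same walk with rounds reversed

def pad(m):  # PKCS7: append n bytes, each of value n (a full block if aligned)
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n

def unpad(p):
    n = p[-1]
    if not 1 <= n <= BLOCK or p[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return p[:-n]

def cbc_encrypt(key, m):
    out, p = [os.urandom(BLOCK)], pad(m)  # out[0] is the random IV
    for i in range(0, len(p), BLOCK):
        out.append(_feistel(key, _xor(p[i:i + BLOCK], out[-1]), range(4)))
    return b"".join(out)

def cbc_decrypt(key, c):  # unauthenticated: the caller can see padding errors
    blocks = [c[i:i + BLOCK] for i in range(0, len(c), BLOCK)]
    return unpad(b"".join(_xor(_feistel(key, b, range(3, -1, -1)), prev)
                          for prev, b in zip(blocks, blocks[1:])))

def seal(enc_key, mac_key, m):  # Encrypt-then-MAC: the tag covers IV and ciphertext
    c = cbc_encrypt(enc_key, m)
    return c + hmac.new(mac_key, c, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, blob):
    c, tag = blob[:-32], blob[-32:]
    good = hmac.new(mac_key, c, hashlib.sha256).digest()
    if len(c) < 2 * BLOCK or len(c) % BLOCK or not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")  # checked before any unpadding
    return cbc_decrypt(enc_key, c)
```

Calling `cbc_decrypt` directly on a modified ciphertext returns either altered plaintext or a padding error depending on which byte changed, whereas `open_sealed` rejects both with the same error.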