What padding does window.crypto.subtle.encrypt use for AES-CBC

Question

I am currently using the web crypto API found in window.crypto.subtle.encrypt in JavaScript. My question is, what padding does this use by default? I have been searching for a while but couldn't find any answers on this.

Recommended answer

Subtle.encrypt seems to be implementing WebCrypto. Although the documentation of encrypt() or the CBC mode of e.g. Mozilla doesn't show the padding. Nor does the referenced NIST specification.

Fortunately, the referenced WebCrypto API does indicate the padding where the CBC mode is specified:

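When operating in CBC mode, messages that are not exact multiples of the AES block size (16 bytes) can be padded under a variety of padding schemes. In the Web Crypto API, the only padding mode that is supported is that of PKCS#7, as described by Section 10.3, step 2, of [RFC2315].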

If you follow the link then you will find that PKCS#7 is the specification of the Cryptographic Message Syntax or CMS. However, there is only one padding mode specified. This mode doesn't have a more specific name than PKCS#7 padding (padding algorithms for ECB and CBC are very simple and therefore often don't get a specific name).

Simply said, it adds 1 to 16 bytes for ciphers with a block size of 128 bits such as AES. The byte values are identical to the number of bytes padded, so you can unpad by removing as many bytes as the last byte indicates. Because of this the padding is always applied, even if the last part of the plaintext is complete (in which case 16 bytes of padding is applied).

So you would have:

10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 // empty, zero byte message
PT 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F // PT means plaintext byte
PT PT 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E // byte values in hexadecimals
...
PT PT PT PT PT PT PT PT PT PT PT PT PT PT PT 01 // 15-byte message
// 16-byte message, one full block of padding added
PT PT PT PT PT PT PT PT PT PT PT PT PT PT PT PT 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10
...

Note that padding should not be used to verify the correctness of the plaintext, that padding oracle attacks (use an authenticated mode such as GCM instead!), that padding values may not all be verified (the last byte contains enough info to unpad) and finally that you should use an implementation that does verify that the padding byte is within the indicated range.

Also note that PKCS#7 padding for AES is sometimes mistakenly (or lazily) referred to as PKCS#5 padding, for instance in the Java JCA.
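
The padding layout and the range check described in the answer above, written out as an added example (not code from the original answer or from any WebCrypto implementation). The helper names `pkcs7Pad`, `pkcs7Unpad`, `cbcCiphertextLength` and `toHex` are hypothetical; inputs are assumed to be `Uint8Array` values.

```javascript
// PKCS#7 padding for a 16-byte block cipher such as AES (illustrative helpers).
const BLOCK = 16;

// Always appends 1..16 bytes; each padding byte holds the padding length.
function pkcs7Pad(msg) {
  const padLen = BLOCK - (msg.length % BLOCK); // 16 when msg is block-aligned
  const out = new Uint8Array(msg.length + padLen);
  out.set(msg, 0);
  out.fill(padLen, msg.length);
  return out;
}

// Strict unpadding: rejects a length byte outside 1..16 and checks every
// padding byte, not only the last one.
function pkcs7Unpad(padded) {
  if (padded.length === 0 || padded.length % BLOCK !== 0) {
    throw new RangeError('length is not a positive multiple of the block size');
  }
  const padLen = padded[padded.length - 1];
  if (padLen < 1 || padLen > BLOCK) {
    throw new RangeError('padding byte outside 1..16');
  }
  let diff = 0; // accumulate mismatches instead of returning on the first one
  for (let i = padded.length - padLen; i < padded.length; i++) {
    diff |= padded[i] ^ padLen;
  }
  if (diff !== 0) {
    throw new RangeError('inconsistent padding bytes');
  }
  return padded.slice(0, padded.length - padLen);
}

// Length of the AES-CBC ciphertext (IV not included) for an n-byte plaintext,
// which follows from the padding always being applied.
function cbcCiphertextLength(n) {
  return (Math.floor(n / BLOCK) + 1) * BLOCK;
}

// Hex rendering in the same style as the table in the answer.
function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join(' ');
}
```

A quick way to confirm the padding an implementation uses is to compare the byte length of the `encrypt()` output with `cbcCiphertextLength(plaintext.length)`: a 16-byte plaintext yields 32 bytes of ciphertext.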
