I am currently using the web crypto API found in window.crypto.subtle.encrypt
in Javascript. My question is, what padding does this use by default? I have been searching for a while but couldn't find any answers on this.
- 1 The developer docs from Mozilla do not provide insight into the padding mode used with AES-CBC. I am implementing this in an Ionic mobile app so it won't be running in a browser :) – Tachyon Commented Feb 18, 2019 at 11:27
- I don't know the answer to this but I'd imagine it'll be buried in the spec somewhere. I've had a quick scan through it but I can't spot it. – Liam Commented Feb 18, 2019 at 11:35
- can be padded under a variety of padding schemes, again not sure how helpful this is – Liam Commented Feb 18, 2019 at 11:37
- and here's how the padding is added. So if I'm reading this correctly, it's 16 bytes padded at the trailing end. Though I always find these things difficult to follow so happy to be corrected – Liam Commented Feb 18, 2019 at 11:41
1 Answer
Subtle.encrypt seems to be implementing WebCrypto. Although the documentation of encrypt() or the CBC mode of e.g. Mozilla doesn't show the padding. Nor does the referenced NIST specification.
Fortunately, the referenced WebCrypto API does indicate the padding where the CBC mode is specified:
When operating in CBC mode, messages that are not exact multiples of the AES block size (16 bytes) can be padded under a variety of padding schemes. In the Web Crypto API, the only padding mode that is supported is that of PKCS#7, as described by Section 10.3, step 2, of [RFC2315].
If you follow the link then you will find that PKCS#7 is the specification of the Cryptographic Message Syntax or CMS. However, there is only one padding mode specified. This mode doesn't have a more specific name than PKCS#7 padding (padding algorithms for ECB and CBC are very simple and therefore often don't get a specific name).
Simply said, it adds 1 to 16 bytes for ciphers with a block size of 128 bits such as AES. The byte values are identical to the number of bytes padded, so you can unpad by removing as many bytes as the last byte indicates. Because of this the padding is always applied, even if the last part of the plaintext is complete (in which case 16 bytes of padding is applied).
So you'd have
10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 // empty, zero byte message
PT 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F // PT means plaintext byte
PT PT 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E // byte values in hexadecimals
...
PT PT PT PT PT PT PT PT PT PT PT PT PT PT PT 01 // 15-byte message
// 16-byte message, one full block of padding added
PT PT PT PT PT PT PT PT PT PT PT PT PT PT PT PT 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10
...
...
Note that padding should not be used to verify the correctness of the plaintext, that padding oracle attacks apply (use an authenticated mode such as GCM instead!), that padding values may not all be verified (the last byte contains enough info to unpad) and finally that you should use an implementation that does verify that the padding byte is within the indicated range.
Also note that PKCS#7 padding for AES is sometimes mistakenly (or lazily) referred to as PKCS#5 padding, for instance in the Java JCA.
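The padding rule described in the answer, written out as an added example (not code from the original answer or from any WebCrypto implementation). The function names are hypothetical; the unpad routine checks the count range and every padding byte, and the last part compares the predicted ciphertext length with what `crypto.subtle.encrypt` returns where that API is available.

```javascript
// Added example: PKCS#7 padding as used by WebCrypto AES-CBC (block size 16).
const BLOCK = 16;

// Append 1..16 bytes, each equal to the number of bytes added.
function pkcs7Pad(data) {
  const n = BLOCK - (data.length % BLOCK); // 16 when already block-aligned
  const out = new Uint8Array(data.length + n);
  out.set(data);
  out.fill(n, data.length);
  return out;
}

// Strict unpad: reject lengths that are not whole blocks, a count outside
// 1..16, and any padding byte that differs from the count.
function pkcs7Unpad(padded) {
  if (padded.length === 0 || padded.length % BLOCK !== 0) {
    throw new Error("invalid padded length");
  }
  const n = padded[padded.length - 1];
  if (n < 1 || n > BLOCK) throw new Error("invalid padding");
  for (let i = padded.length - n; i < padded.length; i++) {
    if (padded[i] !== n) throw new Error("invalid padding");
  }
  return padded.slice(0, padded.length - n);
}

// Ciphertext length AES-CBC encrypt() should return for a plaintext length.
function expectedCbcLength(len) {
  return len + (BLOCK - (len % BLOCK));
}

// Compare against the real API where it exists (browser, recent Node).
async function checkWebCrypto(len) {
  const subtle = globalThis.crypto.subtle;
  const key = await subtle.generateKey({ name: "AES-CBC", length: 128 }, false, ["encrypt"]);
  const iv = globalThis.crypto.getRandomValues(new Uint8Array(16));
  const ct = await subtle.encrypt({ name: "AES-CBC", iv }, key, new Uint8Array(len));
  return ct.byteLength === expectedCbcLength(len);
}

if (globalThis.crypto && globalThis.crypto.subtle) {
  Promise.all([0, 15, 16].map(checkWebCrypto))
    .then((r) => console.log("WebCrypto lengths match:", r.every(Boolean)))
    .catch((e) => console.error(e));
}
```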