On 18/07/13 03:27, Pierre Abbat wrote:
> On Friday, July 12, 2013 16:56:47 Zooko O'Whielacronx wrote:
>> No, no, we rely on the correctness of our encryption to hide all
>> information about the plaintext from an attacker who doesn't know the
>> encryption key. Therefore, the pad bytes are all just zero bytes, and
>> we believe that this pattern gives nothing useful to the cryptanalyst.
>
> Encrypting padding consisting of all zero bytes creates a known-plaintext
> attack. The padding should be the output of a CSPRNG whose seed is determined
> by the contents of the file.
If, for the sake of argument, we're worried about known-plaintext attacks
against AES-CTR mode, a solution would be to use XSalsa+AES for all encryption
(https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1164). It wouldn't be necessary
to complicate the padding mechanism if we added padding.

-- 
Daira Hopwood ⚥
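The two padding options discussed above, as an added example that is not part of the original thread and not Tahoe-LAFS code. It is written in Go because the standard library ships AES-CTR. It shows what "known plaintext" concretely means for an XOR stream mode such as CTR: an observer who knows the plaintext bytes at some positions learns the keystream at exactly those positions, and learns the same keystream whether the known bytes are zeros or a content-derived pad they happen to know. It also shows one reading of the content-seeded CSPRNG pad (AES-CTR keyed by SHA-256 of the file), which stays deterministic per file. The 16-byte block granularity, the constructed key and IV, the keying of the pad generator, and storing the unpadded length out of band are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// blockSize is the granularity the example pads to (an assumption, not a Tahoe value).
const blockSize = 16

// ctrXOR runs AES-CTR over data under key and iv. CTR is an XOR stream mode, so
// the same call both encrypts and decrypts, and the keystream depends only on
// (key, iv), never on the plaintext.
func ctrXOR(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// padLen returns how many bytes bring n up to the next multiple of blockSize.
func padLen(n int) int {
	return (blockSize - n%blockSize) % blockSize
}

// zeroPad appends zero bytes, the scheme Zooko describes. The original length
// is assumed to be stored out of band (zeros inside the content are ambiguous).
func zeroPad(data []byte) []byte {
	return append(append([]byte{}, data...), make([]byte, padLen(len(data)))...)
}

// contentPad appends pad bytes drawn from a CSPRNG seeded by the file contents,
// one reading of Pierre's suggestion: AES-CTR keystream under key = SHA-256(data).
// The pad is deterministic per file, so two encryptions of the same file still
// agree (an assumption about the intended property, not a Tahoe design).
func contentPad(data []byte) []byte {
	seed := sha256.Sum256(data)
	pad := ctrXOR(seed[:], make([]byte, blockSize), make([]byte, padLen(len(data))))
	return append(append([]byte{}, data...), pad...)
}

// unpad restores the original content given the out-of-band length.
func unpad(padded []byte, origLen int) []byte {
	return append([]byte{}, padded[:origLen]...)
}

// keystreamFromKnownPlaintext is what an observer learns from a stream-mode
// ciphertext when they know the plaintext at [offset, offset+len(known)):
// the keystream bytes at those positions, and nothing about other positions.
func keystreamFromKnownPlaintext(ciphertext, known []byte, offset int) []byte {
	ks := make([]byte, len(known))
	for i := range known {
		ks[i] = ciphertext[offset+i] ^ known[i]
	}
	return ks
}

func main() {
	// Constructed key and IV for the demo; a real deployment derives them per file.
	key := bytes.Repeat([]byte{0x11}, 32)
	iv := bytes.Repeat([]byte{0x22}, aes.BlockSize)
	msg := []byte("hello tahoe") // 11 bytes, so 5 pad bytes

	zp := zeroPad(msg)
	cp := contentPad(msg)
	ctZero := ctrXOR(key, iv, zp)
	ctContent := ctrXOR(key, iv, cp)

	// The true keystream, computable only with the key.
	ks := ctrXOR(key, iv, make([]byte, blockSize))

	fmt.Printf("zero pad tail:    %x\n", zp[len(msg):])
	fmt.Printf("content pad tail: %x\n", cp[len(msg):])
	fmt.Printf("keystream[11:]:   %x\n", ks[len(msg):])
	fmt.Printf("learned from zero pad:    %x\n",
		keystreamFromKnownPlaintext(ctZero, zp[len(msg):], len(msg)))
	fmt.Printf("learned from content pad: %x\n",
		keystreamFromKnownPlaintext(ctContent, cp[len(msg):], len(msg)))
	fmt.Printf("round trip ok: %v\n",
		bytes.Equal(unpad(ctrXOR(key, iv, ctContent), len(msg)), msg))
}
```

Run as is: both "learned from" lines print the same five keystream bytes as the keystream line, because the quantity exposed is fixed by which positions are known, not by what value they hold; what differs between the schemes is only whether an observer can know the pad without the key.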
_______________________________________________
tahoe-dev mailing list
tahoe-dev@tahoe-lafs.org
https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev