I’m developing a USB bootloader for an embedded system and one of my requirements is that data transmission over USB should be secure(bear with me, I’m new to encryption). I’ve decided to encrypt the data with AES, but the data isn’t always in nice 16 bytes chunks so I need to pad it. It seems like PKCS7 is the standard method to use when padding data for AES (not to mention it’s pretty simple), so I think I’d like to use it.
The problem I have is, I can’t understand how PKCS7 doesn’t lose data. Let me illustrate with an example:
Imagine a 16 byte buffer to be encrypted whose last character is 0x01. Now imagine a 15 byte buffer to be encrypted…this buffer will be padded with 0x01. After both buffers are encrypted, transmitted, received, and decrypted, how does the receiver tell the difference between the buffer with padding and the buffer whose actual last character is 0x01?
I feel like I’m missing something in the PKCS7 spec. Can anyone help me understand? Thanks in advance.
Yes, you are missing a point. If the data length is a full multiple of the block length (i.e. a multiple of 16 bytes for AES), the padding will append an additional full block (of
0x10or 16) instead of nothing.So, we can always recover the length of the padding from the padding itself, since there is no “length 0 padding”.
On the downside, the encrypted data is always bigger than the plain text, by at most a full block.
(Similar padding is done for most hash functions, like SHA-1, before the actual hashing processing, so the blocked input to the actual hashing is collision-free – in some cases even a bit more than a full block is appended, since the actually hashed data ends with the original data length).