最近在研究AES 算法,针对AES 中几种填充模式不是特别的理解,
为此博主专门找了几篇文章研究这件事,特此记录如下:
https://www.cnblogs.com/midea0978/articles/1437257.html
Padding 的意义;
文章来源 http://www.w3.org/TR/xmlenc-core/#sec-Alg-Block
5.2.1 Padding
Since the data being encrypted is an arbitrary number of octets, it may not be a multiple of the block size. This is solved by padding the plain text up to the block size before encryption and unpadding after decryption. The padding algorithm is to calculate the smallest non-zero number of octets, say N
, that must be suffixed to the plain text to bring it up to a multiple of the block size. We will assume the block size is B
octets so N
is in the range of 1 to B
. Pad by suffixing the plain text with N-1
arbitrary pad bytes and a final byte whose value is N
. On decryption, just take the last byte and, after sanity checking it, strip that many bytes from the end of the decrypted cipher text.
For example, assume an 8 byte block size and plain text of 0x616263
. The padded plain text would then be 0x616263????????05
where the "??" bytes can be any value. Similarly, plain text of 0x2122232425262728
would be padded to0x2122232425262728??????????????08
.
Alg. Name | Description |
---|---|
NoPadding | No padding. |
ISO10126Padding | This padding for block ciphers is described in 5.2 Block Encryption Algorithms in the W3C's "XML Encryption Syntax and Processing" document. |
OAEPPadding, OAEPWith<digest>And<mgf>Padding | Optimal Asymmetric Encryption Padding scheme defined in PKCS1, where <digest> should be replaced by the message digest and <mgf> by the mask generation function. Examples: OAEPWithMD5AndMGF1Padding and OAEPWithSHA-512AndMGF1Padding. If OAEPPadding is used, Cipher objects are initialized with ajavax.crypto.spec.OAEPParameterSpec object to suppply values needed for OAEPPadding. |
PKCS1Padding | The padding scheme described in PKCS1, used with the RSA algorithm. |
PKCS5Padding | The padding scheme described in RSA Laboratories, "PKCS5: Password-Based Encryption Standard," version 1.5, November 1993. |
SSL3Padding | The padding scheme defined in the SSL Protocol Version 3.0, November 18, 1996, section 5.2.3.2 (CBC block cipher): block-ciphered struct {
opaque content[SSLCompressed.length];
opaque MAC[CipherSpec.hash_size];
uint8 padding[
GenericBlockCipher.padding_length];
uint8 padding_length;
} GenericBlockCipher; The size of an instance of a GenericBlockCipher must be a multiple of the block cipher's block length. The padding length, which is always present, contributes to the padding, which implies that if: sizeof(content) + sizeof(MAC) % block_length = 0, padding has to be (block_length - 1) bytes long, because of the existence ofpadding_length . This make the padding scheme similar (but not quite) to PKCS5Padding, where the padding length is encoded in the padding (and ranges from 1 to block_length). With the SSL scheme, the sizeof(padding) is encoded in the always present padding_length and therefore ranges from 0 to block_length-1. |
简单对比之下发现,通用的有None,ISO10126两种填充法,实际上PKCS5Padding与PKCS7Padding基本上也是可以通用的。
通过研读参考资料下面的参考资料可以发现两者定义的区别:
[ Def] PKCS #7: Cryptographic Message Syntax Standard,An RSA Laboratories Technical Note, Version 1.5. Revised November 1, 1993. http://www.cnblogs.com/midea0978/admin/ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-7.asc[ Inf] PKCS #5: Password-Based Encryption Standard,
An RSA Laboratories Technical Note, Version 1.5. Revised November 1, 1993. http://www.cnblogs.com/midea0978/admin/ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-5.asc
在PKCS5Padding中,明确定义Block的大小是8位,而在PKCS7Padding定义中,对于块的大小是不确定的,可以在1-255之间(块长度超出255的尚待研究),填充值的算法都是一样的:
value=k - (l mod k) ,K=块大小,l=数据长度,如果l=8, 则需要填充额外的8个byte的8