To perform encryption with a block cipher in ECB or CBC mode the length of the input to be encrypted must be an exact multiple of the block length B in bytes. For Triple DES the block length B is 8 bytes (64 bits) and for all AES variants it is 16 bytes (128 bits). If the length of the data to be encrypted is not an exact multiple of B, it must be padded to make it so. After decrypting, the padding needs to be removed.
For other modes of encryption, such as "counter" mode (CTR) or OFB or CFB, padding is not required. In these cases the ciphertext is always the same length as the plaintext, and a padding method is not applicable.
There are many, many conventions for padding. It is up to the sender and receiver of encrypted data to agree on the convention used.
The most popular is "PKCS5" padding, described in section 6.1.1 of [PKCS5], which is the same as the padding method in section 6.3 of [CMS], section 10.3 of [PKCS7] and para 1.1 of [RFC1423].
If the block length is B then add N padding bytes of value N to make the input length
up to the next exact multiple of B.
If the input length is already an exact multiple of B then add B bytes of value B.
Thus padding of length N between one and B bytes is always added in an unambiguous manner.
After decrypting, check that the last N bytes of the decrypted data all have value N with
1 < N ≤ B
.
If so, strip N bytes, otherwise throw a decryption error.
Examples of PKCS5 padding for block length B = 8:
3 bytes: FDFDFD --> FDFDFD0505050505 7 bytes: FDFDFDFDFDFDFD --> FDFDFDFDFDFDFD01 8 bytes: FDFDFDFDFDFDFDFD --> FDFDFDFDFDFDFDFD0808080808080808
For "OneAndZeroes" Padding add a byte of value 0x80 followed by as many zero bytes as is necessary to fill the input to the next exact multiple of B. Like PKCS5 padding, this method always adds padding of length between one and B bytes to the input before encryption. It is easily removed in an unambiguous manner after decryption.
The "OneAndZeroes" term comes from the fact that this method appends a 'one' bit to the input followed by as many 'zero' bits as is necessary.
The byte 0x80 is 10000000
in binary form. Note the spelling of "Zeroes", which is what everyone else seems to use.
Examples of OneAndZeroes padding for block length B = 8:
3 bytes: FDFDFD --> FDFDFD8000000000 7 bytes: FDFDFDFDFDFDFD --> FDFDFDFDFDFDFD80 8 bytes: FDFDFDFDFDFDFDFD --> FDFDFDFDFDFDFDFD8000000000000000
If N padding bytes are required (1 < N ≤ B
) set the last byte as N
and all the preceding N-1
padding bytes as zero.
Examples of AnsiX923 padding for block length B = 8:
3 bytes: FDFDFD --> FDFDFD0000000005 7 bytes: FDFDFDFDFDFDFD --> FDFDFDFDFDFDFD01 8 bytes: FDFDFDFDFDFDFDFD --> FDFDFDFDFDFDFDFD0000000000000008
As described in section 5.2.1 of the W3C Recommendation for XML encryption [XMLENC].
If N padding bytes are required (1 < N ≤ B
) set the last byte as N
and the preceding N-1
padding bytes as arbitrary byte values.
We include this method for completeness. It is similar to ISO10126 padding. This method is not recommended since only one padding byte is ever checked when decrypting and this opens up security vulnerabilities. Note we actually use PKCS5 padding when encrypting, which is valid because the other padding bytes are specified as "arbitrary" and using N is just as arbitrary as any other value, isn't it?
Examples of W3C padding for block length B = 8, where 'xy' is an arbitrary byte:
3 bytes: FDFDFD --> FDFDFDxyxyxyxy05 7 bytes: FDFDFDFDFDFDFD --> FDFDFDFDFDFDFD01 8 bytes: FDFDFDFDFDFDFDFD --> FDFDFDFDFDFDFDFDxyxyxyxyxyxyxy08