Geralt
Search…
Padding

Purpose

The length of a ciphertext from a stream cipher is equal to the length of the plaintext. In most cases, this is not considered an issue. However, hiding the length of a message can be desirable, and ISO/IEC 7816-4 padding can be used to do this.
The amount of padding, determined by the block size, can either be deterministic or randomised. Both have their strengths and weaknesses.
Padding to a block size much smaller than the message length leaves the approximate unpadded length largely unprotected. The PADMÉ scheme can be used to limit leakage.
Padding should be applied to the plaintext before encryption and removed from the plaintext after decryption. The amount of padding does not need to be stored.

Usage

Fill

Fills a span with padding. This can then be manually concatenated with some data.
Padding.Fill(Span<byte> buffer)

Exceptions

buffer has a length of 0.

GetPaddedLength

Returns the required buffer size for Pad() based on the unpadded length and a block size (e.g. 16 bytes).
Padding.GetPaddedLength(int unpaddedLength, int blockSize)

Exceptions

unpaddedLength is less than 0.
blockSize is less than or equal to 0.
The amount of padding is too large.

Pad

Fills a span with the data padded up to the specified block size (e.g. a multiple of 16 bytes).
Padding.Pad(Span<byte> buffer, ReadOnlySpan<byte> data, int blockSize)

Exceptions

buffer has a length not equal to GetPaddedLength(data.Length, blockSize).
blockSize is less than or equal to 0.

GetUnpaddedLength

Returns the number of bytes to slice from the end of the padded data.
Padding.GetUnpaddedLength(ReadOnlySpan<byte> paddedData, int blockSize)

Exceptions

paddedData has a length of 0.
blockSize is less than or equal to 0.

Notes

It is very difficult to hide that cryptography is being used. For example, even if padding is done appropriately and there are no plaintext headers, X25519 public keys are distinguishable from random.
Using padding to hide the length of a password is NOT recommended. Instead, the password can be prehashed using BLAKE2b or Argon2id on the client before being sent to the server for password hashing.
Last modified 1mo ago
Copy link
On this page
Purpose
Usage
Fill
GetPaddedLength
Pad
GetUnpaddedLength
Notes