I would like to encrypt some authentication tokens using AES 256 (not tied to th

Question

I would like to encrypt some authentication tokens using AES 256 (not tied to this algorithm but it seems to be a reasonable choice). These messages are usually very short at 128-256 bits. I'm concerned foremost about the security, not very concerned about ciphertext length or performance in either encryption or decryption. These are shared secrets so I have to be able to obtain the plaintext.

I am curious if any additional padding beyond what is required for the message to match the blocksize is beneficial.

To clarify, this is not a question about padding the message so that it can be run through the encryption algorithm, but rather would I gain anything by padding the message to, say, 1024 bits vs. 256 when the message is very short. I am already using an IV as I am reusing a key.

If I do pad to an additional length should I just use a single character, or should I put in a random stream of data?

My concern is that by only padding to 256 bits I may potentially betray the size of the secret (although most of them are shorter than the blocksize).

Explanation / Answer

Longer padding has no disadvantages security-wise, and the advantage is that it leaks less information about the length of the plaintext. The only downside to more padding is the larger ciphertext size, so as long as you consider the overhead acceptable, padding to a larger block size is a good choice. For example, in a chat application I'd pad to multiples of 256 bytes or even larger blocks.

In principle any padding works fine, as long as you can unambiguously remove it. I recommend deterministic padding instead of randomized padding; it simplifies testing and avoids concerns about covert channels. A proper IV already adds all the randomness you need, and AES is assumed to be secure against known-plaintext attacks.

Typical paddings are 0x80 followed by as many 0x00 as you like, or as many 0x00 as you like, followed by the length of the padding or the length of the plaintext. Just a single byte doesn't work, since you can't know if a byte is still part of the padding or already part of the message.
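
The 0x80-then-0x00 padding described in the answer, as an added example that is not part of the original question or answer. The 128-byte (1024-bit) bucket, the function names and the sample tokens are assumptions made for illustration; the sketch also assumes the ciphertext is authenticated before unpad() is ever called, and it leaves the AES step itself out.

```python
BUCKET = 128  # bytes (1024 bits); assumed bucket size, taken from the question


def pad(msg: bytes, bucket: int = BUCKET) -> bytes:
    """Append 0x80, then 0x00 bytes up to the next multiple of `bucket`."""
    if bucket <= 0:
        raise ValueError("bucket must be positive")
    # Always adds at least one byte, so a full bucket grows by a whole bucket.
    padded_len = (len(msg) // bucket + 1) * bucket
    return msg + b"\x80" + b"\x00" * (padded_len - len(msg) - 1)


def unpad(padded: bytes, bucket: int = BUCKET) -> bytes:
    """Remove the padding; reject anything pad() could not have produced."""
    if not padded or len(padded) % bucket:
        raise ValueError("length is not a positive multiple of the bucket")
    stripped = padded.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        raise ValueError("0x80 marker missing")
    if len(padded) - len(stripped) + 1 > bucket:
        raise ValueError("padding longer than one bucket")
    return stripped[:-1]  # drop only the marker; message bytes are untouched


def naive_pad(msg: bytes, bucket: int = BUCKET) -> bytes:
    """Single-byte fill with no marker, shown only to expose the ambiguity."""
    return msg.ljust(bucket, b"\x00")


if __name__ == "__main__":
    # Constructed sample tokens of 16, 24 and 32 bytes (128-256 bits).
    tokens = [bytes(range(n)) for n in (16, 24, 32)]
    for tok in tokens:
        padded = pad(tok)
        assert unpad(padded) == tok
        print(f"token {len(tok):2d} bytes -> padded {len(padded)} bytes")
    # Two different messages collapse to the same bytes under the naive fill.
    print("naive fill ambiguous:", naive_pad(b"tok\x00") == naive_pad(b"tok"))
```

Every token in the 128-256 bit range pads to the same 128 bytes, so the ciphertext length no longer distinguishes them, while a message that itself ends in 0x00 or 0x80 still round-trips.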