Module sodiumoxide::padding

Cryptographic padding routines

Most modern cryptographic constructions disclose message lengths. The ciphertext for a given message always has the same length as the message, or that length plus a constant number of bytes. For most applications, this is not an issue. But in some specific situations, such as interactive remote shells, hiding the length may be desirable. Padding can be used for that purpose.

Algorithm

These functions use the ISO/IEC 7816-4 padding algorithm. It supports arbitrary block sizes, checks the padding data when computing the unpadded length, and is more resistant to some classes of attacks than other standard padding algorithms.

Notes

Padding should be applied prior to encryption, and removed after decryption.

Usage of padding in order to hide the length of a password is not recommended. A client willing to send a password to a server should hash it instead (even with a single iteration of the hash function). This ensures that the length of the transmitted data is constant, and that the server doesn’t effortlessly get a copy of the password.

Applications may eventually leak the unpadded length via side channels, but the sodium_pad() and sodium_unpad() functions themselves try to minimize side channels for a given length and value.

Functions

pad

The pad() function adds padding data to a buffer buf whose original size is unpadded_buflen in order to extend its total length to a multiple of blocksize.

unpad

The unpad() function computes the original, unpadded length of a message previously padded using pad(). The original length is returned upon success.
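
The ISO/IEC 7816-4 scheme named under Algorithm, written out in plain Rust as an added example. It is not sodiumoxide's or libsodium's code: the names `pad_7816_4`, `unpad_7816_4` and `is_zero_mask` are hypothetical, and the mask arithmetic only sketches how data-dependent branches can be avoided; it is not a verified constant-time implementation.

```rust
// Added illustration of ISO/IEC 7816-4 padding; not sodiumoxide's implementation.
// All function names here are hypothetical.

/// Append the 0x80 marker, then zero bytes, up to the next multiple of `blocksize`.
/// At least one byte is always added, so a block-aligned message gains a full block.
fn pad_7816_4(msg: &[u8], blocksize: usize) -> Result<Vec<u8>, ()> {
    if blocksize == 0 {
        return Err(());
    }
    let padded_len = (msg.len() / blocksize + 1) * blocksize;
    let mut out = msg.to_vec();
    out.push(0x80);
    out.resize(padded_len, 0x00);
    Ok(out)
}

/// 0xFF if `b` is zero, 0x00 otherwise, computed without a branch.
fn is_zero_mask(b: u8) -> u8 {
    ((b as u16).wrapping_sub(1) >> 8) as u8
}

/// Return the unpadded length, or Err(()) when the padding is malformed.
/// Scans the whole final block from the end; the first non-zero byte must be 0x80.
fn unpad_7816_4(padded: &[u8], blocksize: usize) -> Result<usize, ()> {
    if blocksize == 0 || padded.is_empty() || padded.len() % blocksize != 0 {
        return Err(());
    }
    let mut done: u8 = 0; // 0xFF once a non-zero byte has been seen
    let mut valid: u8 = 0; // 0xFF if that first non-zero byte was the marker
    let mut marker_at: usize = 0;
    for i in (padded.len() - blocksize..padded.len()).rev() {
        let b = padded[i];
        let first_nonzero = !is_zero_mask(b) & !done;
        let hit = first_nonzero & is_zero_mask(b ^ 0x80);
        marker_at |= i & 0usize.wrapping_sub((hit & 1) as usize);
        valid |= hit;
        done |= first_nonzero;
    }
    if valid == 0xFF { Ok(marker_at) } else { Err(()) }
}

fn main() {
    // Constructed sample: a 5-byte shell command padded to a 16-byte block.
    let padded = pad_7816_4(b"ls -l", 16).unwrap();
    assert_eq!(unpad_7816_4(&padded, 16), Ok(5));
    println!("{:02x?}", padded);
}
```

Any input from 0 to 15 bytes produces the same 16-byte padded buffer length here, which is what hides the length once the buffer is encrypted.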