7

What's the padding mode for AES/GCM? I understood it can be NoPadding, and in ECB mode it can be PKCS5Padding; how about in GCM mode? In the JCE interface, we need to provide "algorithm/mode/padding" (Reference).

So I used the following code to get the instance, and it works in the JDK but fails in the IBM SDK, which says

cannot find provider for supporting AES/GCM/PKCS5Padding

Cipher.getInstance("AES/GCM/PKCS5Padding");

What's the real use case for padding?

Artjom B.
C.c
  • 1
    Padding describes how blocks in the chain are aligned and filled up to match the expected block size. The JRE can run with different security providers. The Oracle SDK includes its own very low-security, USA-pleasant Oracle Security Provider. I don't know which Security Provider is the default in the IBM SDK. Best practice is to include your own security provider when working with different JRE providers, like BouncyCastle. Or use the Security Provider of the target system on the dev system, like when you develop for Android, where the OpenSSL Security Provider is the default. Hope that helps – Rene M. Jul 06 '15 at 14:47
  • 1
    This is best Security Provider I know: https://www.bouncycastle.org/java.html – Rene M. Jul 06 '15 at 14:49
  • Thanks for the reply. I need to not introduce 3rd-party libs, so I need to use the JDK built-in provider, like SunJCE; but in the IBM SDK, I guess it provides its own provider. However, my question is: is "AES/GCM/PKCS5Padding" a legal value? I did not find any example using PKCS5Padding in GCM, and even http://isaacyang1988.googlecode.com/svn/trunk/Crypt/src/org/bouncycastle/jce/provider/test/AESTest.java, this article which has a test case like that, is not the right pattern – C.c Jul 06 '15 at 15:08
  • Look at the answer from Artjom. Otherwise, write a program that inspects the default security provider of your JRE and prints out the possible values for your desired algorithm. Select values which exist on both sides and you are fine – Rene M. Jul 06 '15 at 15:10
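The probe Rene M. suggests, as an added example that is not part of the original question or its comments: it lists every AES Cipher service the running JRE's providers expose, prints the optional "SupportedModes"/"SupportedPaddings" service attributes where a provider publishes them (SunJCE does; other providers may not), and then tries each candidate GCM transformation name so you can see which of the two spellings resolves on a given JRE. Provider names in the output are whatever the JRE reports; nothing here is specific to the IBM SDK.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

// Added example, not code from the original post. Run it on each JRE you
// target (Oracle/OpenJDK, IBM, ...) and keep only transformation names that
// resolve on all of them.
public class GcmTransformationProbe {

    // The two spellings discussed in the question.
    private static final String[] CANDIDATES = {
        "AES/GCM/NoPadding",
        "AES/GCM/PKCS5Padding"
    };

    public static void main(String[] args) {
        // 1. Enumerate AES Cipher services across all installed providers,
        //    in provider preference order.
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if (!"Cipher".equals(s.getType())
                        || !s.getAlgorithm().toUpperCase().startsWith("AES")) {
                    continue;
                }
                System.out.printf("%s: Cipher.%s%n", p.getName(), s.getAlgorithm());
                // These attributes are provider-specific and may be absent (null).
                String modes = s.getAttribute("SupportedModes");
                String paddings = s.getAttribute("SupportedPaddings");
                if (modes != null) {
                    System.out.println("  modes:    " + modes);
                }
                if (paddings != null) {
                    System.out.println("  paddings: " + paddings);
                }
            }
        }

        // 2. Try each candidate transformation; NoSuchAlgorithmException and
        //    NoSuchPaddingException are both GeneralSecurityExceptions.
        for (String transformation : CANDIDATES) {
            try {
                Cipher c = Cipher.getInstance(transformation);
                System.out.printf("%-22s -> OK (provider %s)%n",
                        transformation, c.getProvider().getName());
            } catch (GeneralSecurityException e) {
                System.out.printf("%-22s -> not available: %s%n", transformation, e);
            }
        }
    }
}
```

Compile and run with `javac GcmTransformationProbe.java && java GcmTransformationProbe`; the second part of the output is the portable answer to the question, since a transformation that throws on one JRE should not be used in code that has to run on both.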

1 Answer

14

GCM is a streaming mode, which means that the ciphertext is only as long as the plaintext (not including the authentication tag). GCM doesn't require padding. This means that the PKCS5Padding version is actually only a synonym for NoPadding for convenience during programming. Some providers don't have this strange mode.

There are cases where padding the plaintext makes sense. For example, you can hide the length of the actual plaintext by appending a random-length PKCS5Padding.

Artjom B.
  • Thanks, that says we need to correct it to Cipher.getInstance("AES/GCM/NoPadding"); right? – C.c Jul 06 '15 at 15:12
  • 1
    Yes, `Cipher.getInstance("AES/GCM/NoPadding");` is the proper way. It's probably the same thing as with `Cipher.getInstance("RSA/ECB/PKCS1Padding");` which is actually only `Cipher.getInstance("RSA/None/PKCS1Padding");`. – Artjom B. Jul 06 '15 at 15:15
  • Got it. Thanks very much. – C.c Jul 06 '15 at 15:15
  • I don't have the IBM provider, but you can check if both are interoperable. By (1) encrypting with padding and decrypting without padding and (2) encrypting without padding and decrypting with padding. – Artjom B. Jul 06 '15 at 15:17
  • Hey @ArtjomB., you've helped me with my cryptography questions a lot. I'm using the `PBKDF2WithHmacSHA256` algorithm for password hashing. It's working on the live server. But it doesn't seem to work with Java 7, only in Java 8. Is there any way that I can use this algorithm in Java 7? – The Coder Jul 06 '15 at 15:28
  • 1
    @user1354678 I don't know for sure, but I think it worked for me in Java 7. You can try to add the BouncyCastle provider which probably provides this. – Artjom B. Jul 06 '15 at 15:38
  • @ArtjomB. Any idea why *SonarQube* is giving me _Make sure that encrypting data is safe here._ for `Cipher.getInstance("RSA/ECB/PKCS1Padding");` and `Cipher.getInstance("AES/GCM/NoPadding");`? Aren't they safe anymore? In the documentation (https://rules.sonarsource.com/java/RSPEC-4787) it says that _Galois/Counter Mode (GCM) with no padding should be preferred to the following combinations which are not secured_. But it still gives the error... – Dionis Beqiraj Sep 12 '19 at 14:06
  • @DionisBeqiraj The RSA-case should be clear since no OAEP is used. GCM on its own is quite good, but has some failure modes, where the nonce must never repeat under the same key. It would be better to use a 2-pass mode like AES-SIV, but that is computationally expensive and the encryption/decryption cannot be streamed. I don't know for sure, but that is a hunch. It could also be a bug in the SonarQube rule set. – Artjom B. Sep 12 '19 at 21:06
  • @ArtjomB. Yeah, right, for the `RSA` case I should implement OAEP, as suggested. But for AES it is strange... ? – Dionis Beqiraj Sep 13 '19 at 08:06
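The interoperability check Artjom B. proposes in the comments, combined with the answer's point that GCM adds no padding, as an added example that is not code from the original answer or its author: it encrypts a 17-byte plaintext (deliberately not a multiple of the AES block size) under one transformation name and decrypts under the other, in both directions, and additionally asserts that the ciphertext is exactly plaintext length plus the 16-byte tag. Whether "AES/GCM/PKCS5Padding" resolves at all depends on the provider, so that failure mode is caught and reported rather than treated as a bug. The key, nonce, AAD and plaintext are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example, not code from the original answer.
public class GcmPaddingInterop {

    private static final int TAG_BITS = 128;   // full-length GCM tag
    private static final int IV_BYTES = 12;    // the recommended 96-bit GCM nonce
    private static final SecureRandom RNG = new SecureRandom();

    static byte[] seal(String transformation, SecretKey key, byte[] iv,
                       byte[] aad, byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(transformation);
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);
        return c.doFinal(plaintext);            // ciphertext || 16-byte tag
    }

    static byte[] open(String transformation, SecretKey key, byte[] iv,
                       byte[] aad, byte[] ciphertext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(transformation);
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);
        return c.doFinal(ciphertext);           // throws AEADBadTagException on tag mismatch
    }

    // Encrypt with one transformation name, decrypt with the other; returns
    // true when the plaintext round-trips. Throws if the provider rejects a
    // transformation or if the ciphertext length shows padding was added.
    static boolean roundTrip(String encWith, String decWith, SecretKey key,
                             byte[] aad, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);  // fresh nonce per encryption; must never repeat under one key
        byte[] ct = seal(encWith, key, iv, aad, plaintext);
        // The answer's claim, checked: no padding, so |ct| == |pt| + tag length.
        if (ct.length != plaintext.length + TAG_BITS / 8) {
            throw new IllegalStateException("unexpected ciphertext length " + ct.length
                    + " for " + encWith + " (padding was applied?)");
        }
        byte[] pt = open(decWith, key, iv, aad, ct);
        return Arrays.equals(pt, plaintext);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        // Constructed sample inputs: 17-byte plaintext is not a block multiple,
        // so any padding would be visible in the ciphertext length.
        byte[] aad = "header-v1".getBytes(StandardCharsets.UTF_8);
        byte[] plaintext = "seventeen bytes!!".getBytes(StandardCharsets.UTF_8);

        String[][] pairs = {
            {"AES/GCM/NoPadding",    "AES/GCM/NoPadding"},
            {"AES/GCM/PKCS5Padding", "AES/GCM/NoPadding"},
            {"AES/GCM/NoPadding",    "AES/GCM/PKCS5Padding"},
        };
        for (String[] pair : pairs) {
            try {
                boolean ok = roundTrip(pair[0], pair[1], key, aad, plaintext);
                System.out.printf("encrypt %-22s decrypt %-22s -> %s%n",
                        pair[0], pair[1], ok ? "interoperable" : "MISMATCH");
            } catch (GeneralSecurityException e) {
                // e.g. NoSuchPaddingException on a provider that does not
                // alias PKCS5Padding to NoPadding for GCM
                System.out.printf("encrypt %-22s decrypt %-22s -> not available: %s%n",
                        pair[0], pair[1], e);
            }
        }
    }
}
```

Run it once on each JRE you ship to. If the first line reports "interoperable" and the other two report "not available" on one of them, that JRE simply does not accept the PKCS5Padding alias for GCM, and "AES/GCM/NoPadding" is the only name that is portable across both.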