Merge pull request #148 from ionut-arm/invalid-padding

Add invalid padding warnings to decryption ops
parallaxsecond · Jul 20, 2023 · b55b302 · b55b302
2 parents 9c8eb60 + f38a67a
commit b55b302
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/src/parsec_client/operations/psa_asymmetric_decrypt.md b/src/parsec_client/operations/psa_asymmetric_decrypt.md
@@ -27,11 +27,18 @@ Decrypt a short message with a private key. Opcode: 11 (`0x000B`)
 
 - `PsaErrorNotPermitted`: The key does not have the `decrypt` flag, or it does not permit the
    requested algorithm.
+- `PsaErrorInvalidPadding`: The decrypted padding is incorrect. See Warning below.
 
 ## Description
 
 This function will decrypt a short message with the private key of the provided key pair.
 
+**WARNING:** In some protocols, when decrypting data, it is essential that the behavior of the
+application does not depend on whether the padding is correct (see
+[Bleichenbacher](https://link.springer.com/content/pdf/10.1007/bfb0055716.pdf)). If the application
+must perform a decryption of unauthenticated data, the application writer must take care not to
+reveal whether the padding is invalid.
+
 ## Contract
 
 [Protobuf](https://github.com/parallaxsecond/parsec-operations/blob/master/protobuf/psa_asymmetric_decrypt.proto)

diff --git a/src/parsec_client/operations/psa_cipher_decrypt.md b/src/parsec_client/operations/psa_cipher_decrypt.md
@@ -23,11 +23,19 @@ Decrypt a short message with a symmetric cipher. Opcode: 21 (`0x0015`)
 
 - `PsaErrorNotPermitted`: The key does not have the `decrypt` flag, or it does not permit the
    requested algorithm.
+- `PsaErrorInvalidPadding`: The decrypted padding is incorrect. See Warning below.
 
 ## Description
 
 This function will decrypt a short message using the provided initialisation vector (IV).
 
+**Warning:** In some protocols, when decrypting data, it is essential that the behavior of the
+application does not depend on whether the padding is correct (see [Klíma et
+al](https://eprint.iacr.org/2003/098.pdf)). Protocols that use authenticated encryption are
+recommended for use by applications, rather than plain encryption. If the application must perform a
+decryption of unauthenticated data, the application writer must take care not to reveal whether the
+padding is invalid.
+
 ## Contract
 
 [Protobuf](https://github.com/parallaxsecond/parsec-operations/blob/master/protobuf/psa_cipher_decrypt.proto)