Question

Is AES in CTR mode safe to use when encrypting short messages (less than a block size)? An example would be encrypting SSN or credit card numbers. I have seen conflicting information concerning this so I would just like clarification. Thank you


Solution

Does the length of the message leak information? If you know that the message is either "YES" or "NO" then the length of an unpadded cyphertext is leaking a great deal of information. If it is something like an SSN then the unpadded cyphertext does not leak any information, except that the underlying plaintext could be an SSN.

Using AES, a block cypher, you will always produce at least one block's worth of the keystream, even if you don't use all of it. There is very little processing overhead in padding short messages up to one block. The storage overhead will be larger of course, so you will need to decide, depending on your exact requirements.

In short, unpadded CTR mode is safe for SSNs, since they are all nine digits long, so the cyphertext length does not leak any useful information.
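
The point above, as an added example that is not part of the original question or answer: a from-scratch AES-128 (FIPS-197) used as a CTR keystream generator, encrypting a constructed nine-digit value and comparing ciphertext lengths with and without padding. The counter-block layout (12-byte nonce followed by a 32-bit block index), the PKCS#7-style padding helper and the function names are this example's own choices; the AES code is written out only so the example runs without any third-party library and is not something to copy into production.

```python
import os

# --- Minimal AES-128 block cipher (FIPS-197), written out for illustration only ---

def _xtime(b):
    """Multiply by x (i.e. 2) in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def _mul(a, b):
    """Multiply two GF(2^8) elements."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r

def _build_sbox():
    """Derive the S-box: multiplicative inverse (via log tables of generator 3) then the affine map."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(256):
        exp[i], log[x] = x, i
        x ^= _xtime(x)          # x <- 3 * x
    sbox = []
    for i in range(256):
        v = 0 if i == 0 else exp[255 - log[i]]
        s = v
        for _ in range(4):      # s = v ^ rotl(v,1) ^ rotl(v,2) ^ rotl(v,3) ^ rotl(v,4)
            v = ((v << 1) | (v >> 7)) & 0xFF
            s ^= v
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def _expand_key(key):
    """AES-128 key schedule: returns 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [_mul(a[0], 2) ^ _mul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ _mul(a[1], 2) ^ _mul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ _mul(a[2], 2) ^ _mul(a[3], 3),
                _mul(a[0], 3) ^ a[1] ^ a[2] ^ _mul(a[3], 2)]
    return out

def _encrypt_block(round_keys, block):
    """State is 16 bytes in column-major order: byte i is row i % 4, column i // 4."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[(i % 4) + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]   # ShiftRows
        if rnd != 10:
            s = _mix_columns(s)                                            # MixColumns
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                    # AddRoundKey
    return bytes(s)

def aes128_encrypt_block(key, block):
    return _encrypt_block(_expand_key(key), block)

# --- CTR mode on top of the block cipher ---

def aes_ctr(key, nonce, data):
    """Encrypt or decrypt with AES-128-CTR. Counter block = 12-byte nonce || 32-bit block index."""
    if len(key) != 16 or len(nonce) != 12:
        raise ValueError("AES-128 needs a 16-byte key; this CTR layout needs a 12-byte nonce")
    rk = _expand_key(key)
    out = bytearray()
    for i in range(0, len(data), 16):
        keystream = _encrypt_block(rk, nonce + (i // 16).to_bytes(4, "big"))
        # A full 16-byte keystream block is always produced, but zip() stops at the end of
        # the chunk: a 9-byte message consumes 9 keystream bytes and yields 9 ciphertext bytes.
        out += bytes(p ^ k for p, k in zip(data[i:i + 16], keystream))
    return bytes(out)

def pkcs7_pad(data, block_size=16):
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n

def ciphertext_length(key, message, pad):
    """Length of the CTR ciphertext for `message`, optionally padded to a whole block first."""
    nonce = os.urandom(12)   # fresh nonce per message: a (key, nonce) pair must never be reused in CTR
    return len(aes_ctr(key, nonce, pkcs7_pad(message) if pad else message))

def length_distinguishes(key, m1, m2, pad):
    """True if someone who sees only ciphertext lengths can tell m1 from m2."""
    return ciphertext_length(key, m1, pad) != ciphertext_length(key, m2, pad)

if __name__ == "__main__":
    key = os.urandom(16)
    ssn = b"123456789"   # constructed sample value, not a real SSN
    print("SSN, unpadded:", ciphertext_length(key, ssn, pad=False), "bytes")
    print("SSN, padded:  ", ciphertext_length(key, ssn, pad=True), "bytes")
    print("YES vs NO distinguishable unpadded:", length_distinguishes(key, b"YES", b"NO", pad=False))
    print("YES vs NO distinguishable padded:  ", length_distinguishes(key, b"YES", b"NO", pad=True))
```

Every SSN comes out as exactly nine ciphertext bytes, so the length reveals only what the answer says it does: that the field holds a nine-byte value. "YES" and "NO" are distinguishable by length until both are padded to a full block, at which point the padding costs seven extra bytes per record in storage. Two things the answer takes for granted still apply: the nonce must never repeat under the same key, and CTR provides no integrity, so a stored ciphertext should be authenticated (or an AEAD mode used) if an attacker could modify it.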

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow