Re: [Bug 25431] Error names allow RSAES-PKCS1-v1_5 oracle attack against wrapped keys

+1 to drop RSAES-PKCS1-v1_5 from (at least) unwrapKey

Even with the most cryptic error messages, the behaviour of the
application (whether it accepts the key or not) is still a small leak.
The best *publicly known* attack against that oracle needs 12 million
messages. Attacks only get better.

>
> On 30 April 2014 00:05,  <bugzilla@jessica.w3.org> wrote:
>> https://www.w3.org/Bugs/Public/show_bug.cgi?id=25431
>>
>> Richard Barnes <rlb@ipv.sx> changed:
>>
>>            What    |Removed                     |Added
>> ----------------------------------------------------------------------------
>>                  CC|                            |rlb@ipv.sx
>>
>> --- Comment #2 from Richard Barnes <rlb@ipv.sx> ---
>> The changes needed to make this safe would make the API even more cryptic to
>> devs than it already is.  I would prefer to just drop RSAES-PKCS1-v1_5 from
>> unwrapKey.
>>
>> --
>> You are receiving this mail because:
>> You are on the CC list for the bug.
>>
>
>
>
> --
> http://www.lsv.ens-cachan.fr/~steel/



-- 
http://www.lsv.ens-cachan.fr/~steel/

Received on Wednesday, 30 April 2014 08:22:51 UTC
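The point made at the top of this thread, that suppressing error names does not close the oracle because the application's accept/reject decision leaks the same bit, can be shown in a few lines. The Python below is an added illustration, not code from the thread, from Bugzilla or from the Web Crypto spec. It models only the EME-PKCS1-v1_5 padding layer (RFC 8017 section 7.2) and skips the RSA operation itself, so the constructed `K = 256` block size, the `KEY_LEN = 32` HMAC key, the "handshake transcript" and the `unwrap_loud` / `unwrap_quiet` names are all assumptions; `unwrap_quiet` mirrors the TLS-style countermeasure of substituting a random key on a padding failure. The 12-million-message figure from the thread is not modelled here; the example isolates the single accept/reject bit that such an attack consumes.

```python
import hashlib
import hmac
import os

K = 256        # constructed: byte length of a 2048-bit modulus, i.e. the EM block size
KEY_LEN = 32   # constructed: the wrapped key is a 256-bit HMAC key


def eme_pkcs1_v15_encode(m: bytes, k: int = K) -> bytes:
    """EME-PKCS1-v1_5 encoding (RFC 8017 s.7.2.1): EM = 0x00 || 0x02 || PS || 0x00 || M."""
    ps_len = k - len(m) - 3
    if ps_len < 8:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < ps_len:  # PS is random and must contain no zero byte
        ps += bytes(b for b in os.urandom(ps_len) if b != 0)
    return b"\x00\x02" + ps[:ps_len] + b"\x00" + m


def eme_pkcs1_v15_decode(em: bytes, k: int = K) -> bytes:
    """EME-PKCS1-v1_5 decoding (RFC 8017 s.7.2.2).
    Every malformed block raises the same, deliberately uninformative error."""
    if len(em) != k or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("decryption error")
    sep = em.find(b"\x00", 2)
    if sep == -1 or sep - 2 < 8:  # PS must be at least 8 bytes long
        raise ValueError("decryption error")
    return em[sep + 1:]


def unwrap_loud(em: bytes) -> bytes:
    """unwrapKey as naively specified: a padding failure surfaces as an error (the error-name leak)."""
    return eme_pkcs1_v15_decode(em)


def unwrap_quiet(em: bytes) -> bytes:
    """Error-suppressing variant (assumed, modelled on the TLS countermeasure): on a padding
    failure hand back a random key of the expected length, so the caller sees no error at all."""
    try:
        key = eme_pkcs1_v15_decode(em)
    except ValueError:
        key = os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        key = os.urandom(KEY_LEN)
    return key


def observed_error(unwrap, em: bytes):
    """The first observable: does unwrapping raise, and with which message?"""
    try:
        unwrap(em)
        return None
    except ValueError as exc:
        return str(exc)


def application_accepts(unwrap, em: bytes, transcript: bytes, tag: bytes) -> bool:
    """The second observable, present whatever unwrap does: does the application,
    using the unwrapped key, accept a MAC it was given over known data?"""
    key = unwrap(em)
    return hmac.compare_digest(hmac.new(key, transcript, hashlib.sha256).digest(), tag)


def demo() -> dict:
    """Wrap a key, corrupt the block type byte, and record what each variant reveals."""
    key = os.urandom(KEY_LEN)
    transcript = b"constructed handshake transcript"
    tag = hmac.new(key, transcript, hashlib.sha256).digest()
    good = eme_pkcs1_v15_encode(key)
    bad = b"\x00\x03" + good[2:]  # invalid EME-PKCS1-v1_5 padding, independent of the random PS
    return {
        "loud_bad_error": observed_error(unwrap_loud, bad),    # "decryption error": error-name leak
        "quiet_bad_error": observed_error(unwrap_quiet, bad),  # None: error names suppressed...
        "quiet_good": application_accepts(unwrap_quiet, good, transcript, tag),  # True
        "quiet_bad": application_accepts(unwrap_quiet, bad, transcript, tag),    # False: ...yet the bit still leaks
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

`unwrap_quiet` removes the error name and the exception path, which is the kind of change Comment #2 calls "even more cryptic to devs", and the observer still distinguishes a well-formed block from a malformed one through `application_accepts`, because a substituted random key never verifies anything. That is why the thread converges on removing RSAES-PKCS1-v1_5 from unwrapKey rather than on tuning the error reporting.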