RE: Using AES-CBC decrypt without padding

> I strongly disagree that allowing 'programmers to manually handle the padding themselves' is a good idea; one of the motivating concerns for the development of Web Crypto is the subtlety involved with timing-relevant/secret-dependent operations. This includes padding checks (as we've seen with things like Lucky 13), and so the goal has been to isolate, as much as possible of that, from being something in scope for programmers using this API.

This is a good thing. So should aes-gcm decrypt only ever return DataError, and not OperationError? In fact, should all OperationErrors be DataError, to avoid oracle attacks?

                /r$

--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rsalz@jabber.me; Twitter: RichSalz

Received on Tuesday, 24 June 2014 04:19:05 UTC