Bug 23097 - Underspecified behavior of verify() with regards to truncated signature from Vijay Bharadwaj on 2013-11-14 (public-webcrypto@w3.org from November 2013)

From: Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>
Date: Thu, 14 Nov 2013 09:16:00 +0000
To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <0822276cbbc0400089794c81755bca2e@DFM-CO1MBX15-08.exchange.corp.microsoft.com>

Thinking about this more, it really seems unadvisable to truncate MACs without explicit instruction from the caller. I'm leery about issues like with XMLSec: http://www.w3.org/blog/2009/07/hmac-truncation-in-xml-signatu/

Imagine a script that receives a signature from somewhere and passes it to verify() without checking its length (because people are lazy like that). It's created a potentially exploitable oracle.

Can we just add a truncation length parameter to the HmacParams and recommend that implementations define a floor below which they will refuse to truncate? That way the above example can be fixed, as the input signature will be rejected if it wasn't exactly the expected length.

Received on Thursday, 14 November 2013 09:16:59 UTC