W3C home > Mailing lists > Public > public-webcrypto@w3.org > April 2014

[Bug 25431] Error names allow RSAES-PKCS1-v1_5 oracle attack against wrapped keys

From: <bugzilla@jessica.w3.org>
Date: Wed, 30 Apr 2014 09:29:41 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25431-7213-akNO0iJbSI@http.www.w3.org/Bugs/Public/>

--- Comment #3 from Kelsey Cairns <kelsey.cairns@inria.fr> ---
As the API is now, any algorithm that supports encrypt/decrypt can be used for
wrap/unwrap. If we want to prevent unwrapping with RSAES, we would have to
either make an exception or remove RSAES decrypt all together in which case we
may as well remove RSAES entirely. Either way, decrypt on its own is still a
potential oracle.

Thinking out loud: I'm not a fan of complicating things in general, but if
RSAES simply must be included, then making it more complicated for devs might
at least be a disincentive to use it.

You are receiving this mail because:
You are on the CC list for the bug.
Received on Wednesday, 30 April 2014 09:29:42 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:22 UTC