
[Bug 25815] Spec encourages unsafe handling of secret data for JWK import of RSA/ECC keys

From: <bugzilla@jessica.w3.org>
Date: Wed, 23 Jul 2014 02:28:35 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25815-7213-vcsneRruIH@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25815

--- Comment #2 from Ryan Sleevi <sleevi@google.com> ---
Another example: A number of language bindings that allow creating
language/library-specific keys from primitives (e.g.: n,e,d for RSA) may not
compute the other parameters (necessary for output). Further, if just n,e,d are
specified, they can lead to unsafe handling of data. For example, in a number
of Java JCE implementations, creating an RSA private key with JUST n,e,d will
disable RSA blinding attacks, which exist to mitigate timing attacks against
RSA.

On the flip side, several cryptographic libraries require that the caller
supply all the parameters, as they're required by PKCS#8. Handling the JWK case
would require the UA to perform the MPI math itself.

My proposed resolution for this is:
- Normalize on operation error for any form of weirdness
- Require that JWK RSA keys have all the parameters from JWA, which is valid
according to JWA (from talking with Mike, it's assumed as the default)

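As an added illustration (not part of the bug thread or of any UA implementation), this is the MPI math a UA would have to perform to accept a JWK carrying only n, e and d: recover p and q from the private exponent (the prime-factor recovery method of NIST SP 800-56B Appendix C), derive dp, dq and qi, and, in line with the proposed resolution, reject any key whose CRT parameter set is partial or inconsistent instead of guessing. Function names are the example's own; the JWK member names are those defined by JWA.

```python
import base64
import math
import random

CRT_PARAMS = ("p", "q", "dp", "dq", "qi")  # JWA RSA private members beyond n, e, d

def b64u_to_int(s: str) -> int:
    """Decode a JWK base64url big-endian integer (JWK omits '=' padding)."""
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def int_to_b64u(x: int) -> str:
    return base64.urlsafe_b64encode(x.to_bytes((x.bit_length() + 7) // 8, "big")).decode().rstrip("=")

def recover_primes(n: int, e: int, d: int) -> tuple[int, int]:
    """Factor n from (e, d): k = e*d - 1 is a multiple of lambda(n), so repeatedly
    squaring g^(k / 2^t) mod n reaches a non-trivial square root of 1; its gcd with n gives p."""
    k = e * d - 1
    t, r = 0, k
    while r % 2 == 0:
        t, r = t + 1, r // 2
    rng = random.SystemRandom()
    for _ in range(100):  # each trial succeeds with probability at least 1/2
        y = pow(rng.randrange(2, n - 1), r, n)
        if y in (1, n - 1):
            continue
        for _ in range(t):
            x = pow(y, 2, n)
            if x == 1:  # y^2 == 1 but y != +-1, so y is a non-trivial root of 1
                p = math.gcd(y - 1, n)
                return max(p, n // p), min(p, n // p)
            if x == n - 1:
                break
            y = x
    raise ValueError("could not factor n; (n, e, d) may be inconsistent")

def complete_rsa_jwk(jwk: dict) -> dict:
    """Return a copy of `jwk` carrying the full parameter set a PKCS#8 consumer needs.
    Any weirdness (partial CRT set, parameters that disagree) is an error, not a guess."""
    present = [m for m in CRT_PARAMS if m in jwk]
    if present and len(present) != len(CRT_PARAMS):
        raise ValueError(f"partial CRT parameter set: {present}")
    n, e, d = (b64u_to_int(jwk[m]) for m in ("n", "e", "d"))
    p, q = (b64u_to_int(jwk["p"]), b64u_to_int(jwk["q"])) if present else recover_primes(n, e, d)
    if p * q != n or (e * d) % math.lcm(p - 1, q - 1) != 1:
        raise ValueError("n, e, d, p, q do not describe one RSA key")
    derived = {"p": p, "q": q, "dp": d % (p - 1), "dq": d % (q - 1), "qi": pow(q, -1, p)}
    if present and any(b64u_to_int(jwk[m]) != v for m, v in derived.items()):
        raise ValueError("supplied CRT parameters disagree with n, e, d")
    return {**jwk, **{m: int_to_b64u(v) for m, v in derived.items()}}
```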
Received on Wednesday, 23 July 2014 02:28:37 UTC
