W3C home > Mailing lists > Public > public-webcrypto@w3.org > May 2014

[Bug 25607] New: Need to advise authors about security considerations

From: <bugzilla@jessica.w3.org>
Date: Thu, 08 May 2014 15:22:01 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25607-7213@http.www.w3.org/Bugs/Public/>

            Bug ID: 25607
           Summary: Need to advise authors about security considerations
           Product: Web Cryptography
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: Web Cryptography API Document
          Assignee: sleevi@google.com
          Reporter: rsalz@akamai.com
                CC: public-webcrypto@w3.org

This defect is in collaboration with Kenny Paterson.
I believe that taking the fixes below will also address 18925, 23499, 25431
(maybe, by lack of use:), 25569

Section 5.2
In the second paragraph, after the first sentence add a forward reference to
see section 18.1

Section 18.1
Add the following paragraph after the heading, before the table:  "The table
below indicates which algorithms, and uses, are registered by this
specification. A blank field means no registration, a check means registration,
and a plus means registration, but that there are known security issues with
that particular combination. (See Security References, below.)"

In the table, change the following entries to a plus sign
    RSAES-PKCS1-v1.5: encrypt and decrypt columns
    AES-CTR: all columns
    AES-CBC: all columns
    AES-CFB: all columns

After the table, add the following text: "Entries with a plus sign SHOULD only
be used when interoperating with existing formats and protocols.  Although not
registered in this document, the digest mechanisms MD2 and MD5 SHOULD never be
used to generate data."

Section 18.2
Rename this to "Algorithms that should be available"  The term "recommended"
has particular meaning in the security world.

Create a new section, "Security References" and include the following:

[Ble98] Daniel Bleichenbacher. Chosen Ciphertext Attacks Against Protocols
Based on the RSA Encryption Standard PKCS #1. CRYPTO 1998.

[BFKST12] Romain Bardou, Riccardo Focardi, Yusuke Kawamoto, Lorenzo Simionato,
Graham Steel, Joe-Kai Tsay. Efficient Padding Oracle Attacks on Cryptographic
Hardware. CRYPTO 2012.

[JSS12] Tibor Jager, Sebastian Schinzel, Juraj Somorovsky. Bleichenbacher's
Attack Strikes again: Breaking PKCS#1 v1.5 in XML Encryption. ESORICS 2012.

[Vau02] Serge Vaudenay. Security Flaws Induced by CBC Padding - Applications to

[DR'10] J. Rizzo T. Duong. Practical Padding Oracle Attacks. Black Hat Europe
2010 and USENIX WOOT 2010.

[DR'11] Thai Duong, Juliano Rizzo. Cryptography in the Web: The Case of
Cryptographic Design Flaws in ASP.NET. IEEE Symposium on Security and Privacy

[JS'11] Tibor Jager and Juraj Somorovsky. How to break XML Encryption. ACM CCS

[Stev09] Marc Stevens, Alexander Sotirov, Jacob Appelbaum, Arjen K. Lenstra,
David Molnar, Dag Arne Osvik, Benne de Weger. Short Chosen-Prefix Collisions
for MD5 and the Creation of a Rogue CA Certificate. CRYPTO 2009: 55-69

You are receiving this mail because:
You are on the CC list for the bug.
Received on Thursday, 8 May 2014 15:22:02 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:22 UTC