W3C home > Mailing lists > Public > public-webcrypto@w3.org > May 2014

[Bug 25431] Error names allow RSAES-PKCS1-v1_5 oracle attack against wrapped keys

From: <bugzilla@jessica.w3.org>
Date: Fri, 09 May 2014 15:44:53 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25431-7213-8T5oJ3JYFP@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25431

--- Comment #4 from Mark Watson <watsonm@netflix.com> ---
Regarding the attack in the title of this bug, is it not a general issue that
where several primitive operations are concatenated it is a problem if the
error codes indicate at which stage the combined operation failed ?

Or, is it the case that RSAES with unwrap is the one example where there is a
known attack (due to the particular weakness of RSAES padding) which can
exploit this knowledge of which stage failed ?

Wouldn't it be prudent to eliminate the distinction and just return a single
error code in the case of any operation that can fail in multiple distinct ways
?

Regarding the timing attack mentioned by Ryan, it seems it is a general
quality-of-implementation issue to mitigate such attacks with constant-time
implementations. And it seems to me this could apply to many other operations,
although it may be the case - as above - that RSA-ES may be the one example
where there is a well-known attack.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Received on Friday, 9 May 2014 15:44:59 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:22 UTC