- From: <bugzilla@jessica.w3.org>
- Date: Fri, 09 May 2014 18:50:07 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25431 --- Comment #5 from Ryan Sleevi <sleevi@google.com> --- (In reply to Mark Watson from comment #4) > Regarding the attack in the title of this bug, is it not a general issue > that where several primitive operations are concatenated it is a problem if > the error codes indicate at which stage the combined operation failed ? No. A "secure" algorithm will be independent of how these errors are reported. An "insecure" algorithm - such as RSA-ES or, for that matter, RSA-OAEP - WILL be particularly sensitive. > > Or, is it the case that RSAES with unwrap is the one example where there is > a known attack (due to the particular weakness of RSAES padding) which can > exploit this knowledge of which stage failed ? So, any RSAES decryption is at risk. As I explained in comment #1, any combination - whether it be simply 'encrypt' or 'unwrap' - will fail if there is any structure to the key OR if any internal state leaks. > > Wouldn't it be prudent to eliminate the distinction and just return a single > error code in the case of any operation that can fail in multiple distinct > ways ? Not in any meaningful way that will improve security, no. > > Regarding the timing attack mentioned by Ryan, it seems it is a general > quality-of-implementation issue to mitigate such attacks with constant-time > implementations. And it seems to me this could apply to many other > operations, although it may be the case - as above - that RSA-ES may be the > one example where there is a well-known attack. No, it's not a "quality of implementation" issue - it's a fundamental API design. The API, as written, *cannot* provide a safe decrypt or unwrap operation. The mitigation for this - such as that employed by TLS - involves additional behaviours that would fundamentally alter the nature of the API. That is, we would make it such that RSAES needs to know the key length, cannot unwrap keys with structure (ergo, it's only suitable for symmetric keys), has to ALWAYS succeed (returning a random key), and then, and even then, it's *still* possible for security to be botched (eg: in the case of XML DSig & friends, the failure to decrypt using the unwrapped key is itself a signal that the key unwrap failed). Compare this with AES-KW or RSA-KEM, in which revealing success or not does not provide an oracle. RSA-OAEP still provides an oracle (Manger's attack), but that CAN be mitigated by a quality of implementation (of which most libraries - including Botan, Crypto++, and OpenSSL, do NOT have quality implementations) such that the success/failure is not an oracle. Considering that at this point, any hope of allowing a 'safe' implementation would require a breaking API change to accomodate RSA-ES, I think it's reasonable to remove entirely. This is, however, why it was included in the list of algorithms to begin with - to explore all algorithms and their interaction with the API, and to ensure that the API would "fit". It's clear that the API we have does not "fit", and I am not convinced we can reasonably "break" the API such that it would. It's also clear, from this bug and mailing list discussion, that no one would be upset if it was removed. -- You are receiving this mail because: You are on the CC list for the bug.
Received on Friday, 9 May 2014 18:50:09 UTC