W3C home > Mailing lists > Public > public-webcrypto@w3.org > May 2014

[Bug 25431] Error names allow RSAES-PKCS1-v1_5 oracle attack against wrapped keys

From: <bugzilla@jessica.w3.org>
Date: Fri, 16 May 2014 17:13:00 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25431-7213-KTJ93On6Eq@http.www.w3.org/Bugs/Public/>

--- Comment #14 from Mark Watson <watsonm@netflix.com> ---

> > 
> > I want us to be clear about the technical rationale here and despite your
> > strongly-worded assertions above, this limited scenario seems to be the only
> > one left.
> I disagree, if only because your mitigations proposed are demonstrably not
> safe, and certainly NOT part of the specification.

I conceded the timing attack for unwrap, so whether the timing mitigations are
safe or not is irrelevant.

My point was that if the RSA-ES key is not persisted, the existence of this
attack is of no value to an attacker who can inject arbitrary code. And if they
cannot inject arbitrary code they have to conduct the timing attack remotely,
which is much harder unless the application gives you some help (as in the XML
case, where the attacker gets to choose whether the app decrypts 16 bytes or 16
megabytes before responding).

I am not trying to substantiate any major claim about RSA-ES here, only provide
an existence proof of a usage that might be temporarily reasonable if RSA-OEAP
was not available.

Also, I wanted to dis-entangle the unwrap and decrypt cases and the local and
network attack cases as the considerations for all four combinations are quite

You are receiving this mail because:
You are on the CC list for the bug.
Received on Friday, 16 May 2014 17:13:02 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:22 UTC