W3C home > Mailing lists > Public > public-webcrypto@w3.org > May 2014

[Bug 25815] New: Spec encourages unsafe handling of secret data for JWK import of RSA/ECC keys

From: <bugzilla@jessica.w3.org>
Date: Mon, 19 May 2014 20:33:03 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25815-7213@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25815

            Bug ID: 25815
           Summary: Spec encourages unsafe handling of secret data for JWK
                    import of RSA/ECC keys
           Product: Web Cryptography
           Version: unspecified
          Hardware: PC
                OS: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Web Cryptography API Document
          Assignee: sleevi@google.com
          Reporter: sleevi@google.com
                CC: public-webcrypto@w3.org

The current spec is somewhat underspecified with respect to handling secret
data for RSA and ECC keys, and one possible interpretation leads to the unsafe
handling of secret data in a manner which may leak information via timing, or
require UA-specific cryptographic primitives.

Specifically, language exists of the form

"If jwk does not meet the requirements of Section X of JSON Web Algorithms,
then return an error named DataError"

However, this is underspecified for several reasons:
- In the RSA case, d may be specified, but may be inconsistent with n/e
- In the RSA case, d may be specified, but have inconsistent CRT parameters
associated
- In the RSA case, d may be specified, but have inconsistent p/q
- In the ECC case, d may be specified, but be invalid according to the point

All of these cases encourage an error return of DataError, which implies a
degree of checking on the client side, as "implementation-deduced" errors are
typically assigned the error code OperationError.

The computation of consistency checks can leak timing information (and also
requires the implementation of multi-precision integers), which are both things
that are trying to be avoided in the requirements of UAs.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Received on Monday, 19 May 2014 20:33:05 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:22 UTC