- From: Ryan Sleevi <sleevi@google.com>
- Date: Tue, 19 Nov 2013 13:23:23 -0800
- To: Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>
- Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
On Thu, Nov 14, 2013 at 1:16 AM, Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com> wrote:

> Thinking about this more, it really seems unadvisable to truncate MACs
> without explicit instruction from the caller. I’m leery about issues like
> with XMLSec: http://www.w3.org/blog/2009/07/hmac-truncation-in-xml-signatu/
>
> Imagine a script that receives a signature from somewhere and passes it to
> verify() without checking its length (because people are lazy like that).
> It’s created a potentially exploitable oracle.
>
> Can we just add a truncation length parameter to the HmacParams and
> recommend that implementations define a floor below which they will refuse
> to truncate? That way the above example can be fixed, as the input signature
> will be rejected if it wasn’t exactly the expected length.

Right, I think that was the proposal for how to deal with the truncation - the caller must explicitly request (as part of the algorithm's parameters) that a truncated signature be generated or verified.
Received on Tuesday, 19 November 2013 21:23:55 UTC