- From: Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>
- Date: Wed, 20 Nov 2013 06:43:29 +0000
- To: Ryan Sleevi <sleevi@google.com>
- CC: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
I see. Thanks for the clarification, that was not clear to me from the conversation. Should we recommend that implementations refuse to truncate below a certain threshold? Or do you think that, as with deprecating weak algorithms, this unnecessarily reduces flexibility in favor of idiot-proofing? -----Original Message----- From: Ryan Sleevi [mailto:sleevi@google.com] Sent: Tuesday, November 19, 2013 1:23 PM To: Vijay Bharadwaj Cc: public-webcrypto@w3.org Subject: Re: Bug 23097 - Underspecified behavior of verify() with regards to truncated signature On Thu, Nov 14, 2013 at 1:16 AM, Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com> wrote: > Thinking about this more, it really seems unadvisable to truncate MACs > without explicit instruction from the caller. I'm leery about issues > like with XMLSec: > http://www.w3.org/blog/2009/07/hmac-truncation-in-xml-signatu/ > > > > Imagine a script that receives a signature from somewhere and passes > it to > verify() without checking its length (because people are lazy like that). > It's created a potentially exploitable oracle. > > > > Can we just add a truncation length parameter to the HmacParams and > recommend that implementations define a floor below which they will > refuse to truncate? That way the above example can be fixed, as the > input signature will be rejected if it wasn't exactly the expected length. Right, I think that was the proposal for how to deal with the truncation - the caller must explicitly request (as part of the algorithm's parameters) that a truncated signature be generated or verified.
Received on Wednesday, 20 November 2013 06:44:59 UTC