- From: <bugzilla@jessica.w3.org>
- Date: Thu, 08 May 2014 15:22:01 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25607

Bug ID: 25607
Summary: Need to advise authors about security considerations
Product: Web Cryptography
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: blocker
Priority: P2
Component: Web Cryptography API Document
Assignee: sleevi@google.com
Reporter: rsalz@akamai.com
CC: public-webcrypto@w3.org

This defect is in collaboration with Kenny Paterson. I believe that taking the fixes below will also address 18925, 23499, 25431 (maybe, by lack of use:), 25569.

Section 5.2
=========

In the second paragraph, after the first sentence, add a forward reference to see section 18.1.

Section 18.1
=========

Add the following paragraph after the heading, before the table:

"The table below indicates which algorithms, and uses, are registered by this specification. A blank field means no registration, a check means registration, and a plus means registration, but that there are known security issues with that particular combination. (See Security References, below.)"

In the table, change the following entries to a plus sign:

RSAES-PKCS1-v1.5: encrypt and decrypt columns
AES-CTR: all columns
AES-CBC: all columns
AES-CFB: all columns

After the table, add the following text:

"Entries with a plus sign SHOULD only be used when interoperating with existing formats and protocols. Although not registered in this document, the digest mechanisms MD2 and MD5 SHOULD never be used to generate data."

Section 18.2
=========

Rename this to "Algorithms that should be available". The term "recommended" has particular meaning in the security world.

References
=========

Create a new section, "Security References", and include the following:

[Ble98] Daniel Bleichenbacher. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. CRYPTO 1998.
[BFKST12] Romain Bardou, Riccardo Focardi, Yusuke Kawamoto, Lorenzo Simionato, Graham Steel, Joe-Kai Tsay. Efficient Padding Oracle Attacks on Cryptographic Hardware. CRYPTO 2012.
[JSS12] Tibor Jager, Sebastian Schinzel, Juraj Somorovsky. Bleichenbacher's Attack Strikes Again: Breaking PKCS#1 v1.5 in XML Encryption. ESORICS 2012.
[Vau02] Serge Vaudenay. Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS.... EUROCRYPT 2002.
[DR'10] J. Rizzo, T. Duong. Practical Padding Oracle Attacks. Black Hat Europe 2010 and USENIX WOOT 2010.
[DR'11] Thai Duong, Juliano Rizzo. Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET. IEEE Symposium on Security and Privacy 2011.
[JS'11] Tibor Jager and Juraj Somorovsky. How to Break XML Encryption. ACM CCS 2011.
[Stev09] Marc Stevens, Alexander Sotirov, Jacob Appelbaum, Arjen K. Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger. Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate. CRYPTO 2009: 55-69.

--
You are receiving this mail because:
You are on the CC list for the bug.
Received on Thursday, 8 May 2014 15:22:02 UTC