- From: <bugzilla@jessica.w3.org>
- Date: Fri, 16 May 2014 17:13:00 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25431

--- Comment #14 from Mark Watson <watsonm@netflix.com> ---

> > > > I want us to be clear about the technical rationale here and despite your
> > > > strongly-worded assertions above, this limited scenario seems to be the only
> > > > one left.
> >
> > I disagree, if only because your mitigations proposed are demonstrably not
> > safe, and certainly NOT part of the specification.

I conceded the timing attack for unwrap, so whether the timing mitigations are safe or not is irrelevant.

My point was that if the RSA-ES key is not persisted, the existence of this attack is of no value to an attacker who can inject arbitrary code. And if they cannot inject arbitrary code they have to conduct the timing attack remotely, which is much harder unless the application gives you some help (as in the XML case, where the attacker gets to choose whether the app decrypts 16 bytes or 16 megabytes before responding).

I am not trying to substantiate any major claim about RSA-ES here, only provide an existence proof of a usage that might be temporarily reasonable if RSA-OAEP was not available.

Also, I wanted to disentangle the unwrap and decrypt cases and the local and network attack cases, as the considerations for all four combinations are quite different.

--
You are receiving this mail because:
You are on the CC list for the bug.
Received on Friday, 16 May 2014 17:13:02 UTC