- From: <bugzilla@jessica.w3.org>
- Date: Mon, 19 May 2014 20:33:03 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25815
Bug ID: 25815
Summary: Spec encourages unsafe handling of secret data for JWK import of RSA/ECC keys
Product: Web Cryptography
Version: unspecified
Hardware: PC
OS: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: Web Cryptography API Document
Assignee: sleevi@google.com
Reporter: sleevi@google.com
CC: public-webcrypto@w3.org
The current spec is somewhat underspecified with respect to handling secret
data for RSA and ECC keys, and one possible interpretation leads to the unsafe
handling of secret data in a manner which may leak information via timing, or
require UA-specific cryptographic primitives.
Specifically, language exists of the form
"If jwk does not meet the requirements of Section X of JSON Web Algorithms,
then return an error named DataError"
However, this is underspecified for several reasons:
- In the RSA case, d may be specified, but may be inconsistent with n/e
- In the RSA case, d may be specified, but have inconsistent CRT parameters associated
- In the RSA case, d may be specified, but have inconsistent p/q
- In the ECC case, d may be specified, but be invalid according to the point
All of these cases encourage an error return of DataError, which implies a
degree of checking on the client side, as "implementation-deduced" errors are
typically assigned the error code OperationError.
The computation of consistency checks can leak timing information (and also
requires the implementation of multi-precision integers), both of which are
things the UA requirements are trying to avoid.
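To make the RSA bullets above concrete, the following is an added example (not code from the bug report, the spec, or any UA) that spells out the consistency relations an importer would have to verify between the JWK RSA parameters n, e, d, p, q, dp, dq and qi (the RFC 7518 field names). It builds a deliberately tiny, constructed key and reports which relations a tampered copy violates; every check branches and divides on secret values with ordinary big-integer arithmetic, which is exactly the timing and multi-precision burden the report objects to.

```python
import base64
from math import gcd


def b64url_uint(n: int) -> str:
    """Encode a non-negative integer as the base64url string JWK uses."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def uint_b64url(s: str) -> int:
    """Decode a JWK base64url unsigned big-endian integer."""
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")


def make_toy_jwk(p: int, q: int, e: int) -> dict:
    """Build a constructed, toy-sized RSA private JWK from primes p, q and exponent e."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)      # Carmichael lambda(n)
    d = pow(e, -1, lam)
    fields = {"n": p * q, "e": e, "d": d, "p": p, "q": q,
              "dp": d % (p - 1), "dq": d % (q - 1), "qi": pow(q, -1, p)}
    return {"kty": "RSA", **{k: b64url_uint(v) for k, v in fields.items()}}


def rsa_jwk_consistency_errors(jwk: dict) -> list:
    """Return the consistency relations that an RSA private JWK fails (empty if consistent).

    Note: every line below operates on secret material (d, p, q, ...) with
    variable-time big-integer arithmetic; that is the leak the report describes.
    """
    f = {k: uint_b64url(jwk[k]) for k in ("n", "e", "d", "p", "q", "dp", "dq", "qi")}
    errors = []
    if f["p"] * f["q"] != f["n"]:
        errors.append("p*q != n")
    ed = f["e"] * f["d"]
    if ed % (f["p"] - 1) != 1 or ed % (f["q"] - 1) != 1:   # d vs n/e
        errors.append("e*d != 1 mod lcm(p-1, q-1)")
    if f["dp"] != f["d"] % (f["p"] - 1):                   # CRT exponent for p
        errors.append("dp != d mod (p-1)")
    if f["dq"] != f["d"] % (f["q"] - 1):                   # CRT exponent for q
        errors.append("dq != d mod (q-1)")
    if (f["q"] * f["qi"]) % f["p"] != 1:                   # CRT coefficient
        errors.append("qi != q^-1 mod p")
    return errors


if __name__ == "__main__":
    good = make_toy_jwk(61, 53, 17)                        # constructed toy key
    bad = dict(good, d=b64url_uint(uint_b64url(good["d"]) + 1))  # off-by-one d
    print("consistent key:", rsa_jwk_consistency_errors(good))
    print("tampered d:    ", rsa_jwk_consistency_errors(bad))
```

The ECC bullet (d versus the public point) needs the same kind of secret-dependent arithmetic on the curve and is not shown here.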
Received on Monday, 19 May 2014 20:33:05 UTC