[ https://issues.apache.org/jira/browse/MYFACES-2934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leonardo Uribe resolved MYFACES-2934.
-------------------------------------

         Assignee: Leonardo Uribe
    Fix Version/s: 1.1.9-SNAPSHOT
                   1.2.10-SNAPSHOT
                   2.0.3-SNAPSHOT
       Resolution: Fixed

I just removed the break, and left a message to prevent developers from 
removing that code.

Thanks to Kevin W. Wall for this report.

> Side-channel timing attack in StateUtils class may still allow padding oracle 
> attack
> ------------------------------------------------------------------------------------
>
>                 Key: MYFACES-2934
>                 URL: https://issues.apache.org/jira/browse/MYFACES-2934
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 1.2.9
>         Environment: All using MyFaces 1.2.9
>            Reporter: Kevin W. Wall
>            Assignee: Leonardo Uribe
>            Priority: Minor
>             Fix For: 1.1.9-SNAPSHOT, 1.2.10-SNAPSHOT, 2.0.3-SNAPSHOT
>
>   Original Estimate: 48h
>  Remaining Estimate: 48h
>
> [FYI: I'm the person who fixed the padding oracle attack in ESAPI 2.0-rc# 
> crypto which is why I spotted this.]
> I did a quick code inspection of encrypt() / decrypt() methods in 
> org.apache.myfaces.shared_impl.util.StateUtils as it relates to the fix for 
> MYFACES-2749.  Most everything is done correctly (MAC is over IV+ciphertext and 
> checked before decryption), but I noticed a subtle flaw that, at least in 
> theory (or with enough data gathering and statistical analysis), opens a 
> side-channel timing attack that might still be used as an oracle in a 
> padded oracle attack such as described by Duong and Rizzo.
> The problem is in the 'for' loop at lines 471-478 in StateUtils.java. You 
> need to ALWAYS compare ALL the bytes in the MAC to ensure a timing 
> side-channel attack cannot be used as an oracle in the padding oracle 
> attack.
> Contact me at [email protected] if you need more info or want to see how 
> it was fixed in OWASP ESAPI.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
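
The comparison pattern the report describes, next to a form that always examines every MAC byte, as an added example that is not code from MyFaces or OWASP ESAPI. The class and method names, the HmacSHA1 algorithm choice, and the key and data values are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class MacCompareExample {
    // Early-exit comparison: the loop stops at the first mismatching byte,
    // so the running time reveals how many leading MAC bytes were correct.
    static boolean earlyExitEquals(byte[] expected, byte[] received) {
        if (expected.length != received.length) return false;
        boolean equal = true;
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != received[i]) {
                equal = false;
                break; // the data-dependent exit that creates the timing signal
            }
        }
        return equal;
    }

    // Every byte is examined; differences are OR-ed into one accumulator
    // and the verdict is read once, after the loop has finished.
    static boolean constantTimeEquals(byte[] expected, byte[] received) {
        if (expected.length != received.length) return false;
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ received[i];
        }
        return diff == 0;
    }

    // MAC over IV + ciphertext, to be verified before any decryption.
    static byte[] hmac(byte[] key, byte[] ivAndCiphertext) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1"); // algorithm is an assumption
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return mac.doFinal(ivAndCiphertext);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        byte[] data = "constructed IV + ciphertext".getBytes(StandardCharsets.UTF_8);
        byte[] good = hmac(key, data);
        byte[] altered = good.clone();
        altered[altered.length - 1] ^= 0x01; // differs only in the last byte

        System.out.println("earlyExitEquals:       " + earlyExitEquals(good, altered));
        System.out.println("constantTimeEquals:    " + constantTimeEquals(good, altered));
        // JDK helper; time-constant for equal-length inputs in current JDKs.
        System.out.println("MessageDigest.isEqual: " + MessageDigest.isEqual(good, altered));
    }
}
```

All three calls reject the altered MAC; the difference is only in how long the rejection takes as a function of where the first mismatch occurs.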
