[
https://issues.apache.org/jira/browse/WSS-413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13529853#comment-13529853
]
Marc Giger commented on WSS-413:
--------------------------------
Colm,
Do you think it is a problem if I handle this in santuario? I ask this because
the whole thing is implemented
in santuario and not in wss4j.
Btw, just as background information:
In the streaming code most keys are lazy initialized. That means the keys are
not processed when they are encountered but
when they are used. So in this concrete case there is just a very very small
delay between session key decryption and data
decryption with the session key. Of course it could still be exploited.
Marc
> EncryptedKey security issue with streaming code
> -----------------------------------------------
>
> Key: WSS-413
> URL: https://issues.apache.org/jira/browse/WSS-413
> Project: WSS4J
> Issue Type: Improvement
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Fix For: 2.0
>
>
> Instead of throwing an exception when encountering a problem in processing an
> EncryptedKey, we should instead generate a session key and attempt to decrypt
> the EncryptedData structure instead (take a look at the DOM code here). This
> prevents timing attacks to see where the error was in processing the key
> versus data.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
