On 03/25/2013 11:58 PM, Manger, James H wrote:
>> you are right, the random number generation *must not* be done in the
>> catch block, it could be measured and leak information about
>> ciphertext validity.
>>
>> I would propose this code:
>>
>> if (alg.equals(JWEAlgorithm.RSA1_5)) {
>>     int keyLength = cmkBitLength(readOnlyJWEHeader.getEncryptionMethod());
>>     SecretKey randomCMK = AES.generateAESCMK(keyLength);
>>
>>     try {
>>         cmk = RSA1_5.decryptCMK(privateKey, encryptedKey.decode(), keyLength);
>>     } catch (Exception e) {
>>         // Protect against MMA attack by generating random CMK on failure,
>>         // see http://www.ietf.org/mail-archive/web/jose/current/msg01832.html
>>         cmk = randomCMK;
>>     }
>> }
>>
>>
>> This would be perfect and also secure against timing attacks.
>
>
> This code may be a bit more resistant to timing attacks, but it is nowhere
> near perfect.
Agreed, "perfect" was a pretty strong word for that code.
I know that different processing times could appear due to the
decoded key length check, throwing and catching the exception, or the
randomCMK assignment. But I would say that they would consume much less
processing time than the random number generation.
Do you have any measurements / thoughts on this?
Btw, we measured e.g. the timing differences of PKCS1 processing.
Decryption of valid (without random number generation) and invalid (with
random number generation) PKCS1 messages yielded a difference of about
11 microseconds.
I would also be very interested to know if you have any major
improvements for the code I provided.
Thanks
Juraj
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
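The countermeasure discussed in the thread, as an added example that is not part of the original message or of any jose library: the random CMK is drawn before the try block, so the PKCS#1 v1.5 failure path does no extra RNG work and the caller always receives a key of the expected length. The CMK_LENGTH table and the padding helpers are constructed for the example; pkcs1_v15_unpad operates on the block as it comes out of the RSA private operation.

```python
import secrets

# JWE "enc" value -> content master key (CMK) length in bytes.
# Constructed for this example; the thread's code derives it via cmkBitLength().
CMK_LENGTH = {"A128CBC-HS256": 32, "A256CBC-HS512": 64, "A128GCM": 16, "A256GCM": 32}


def pkcs1_v15_unpad(padded: bytes, key_len: int) -> bytes:
    """Strict PKCS#1 v1.5 type-2 unpadding of an already RSA-decrypted block.

    Raises ValueError on any structural problem (bad header, short padding
    string, missing separator, wrong CMK length). Each of these is a
    distinguishable failure an MMA/Bleichenbacher oracle can exploit if it
    becomes visible to the sender, so the caller must never surface it.
    """
    if len(padded) < 11 or padded[0] != 0x00 or padded[1] != 0x02:
        raise ValueError("bad PKCS#1 v1.5 header")
    sep = padded.find(b"\x00", 2)
    if sep < 10:  # PS must be at least 8 non-zero bytes, so separator index >= 10
        raise ValueError("bad padding string")
    cmk = padded[sep + 1:]
    if len(cmk) != key_len:
        raise ValueError("unexpected CMK length")
    return cmk


def pkcs1_v15_pad(cmk: bytes, k: int) -> bytes:
    """Build a k-byte type-2 encoded block (constructed helper for test input)."""
    ps_len = k - 3 - len(cmk)
    if ps_len < 8:
        raise ValueError("modulus too small for this CMK")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + cmk


def decrypt_cmk_rsa1_5(padded_block: bytes, enc: str) -> bytes:
    """Same ordering as the quoted Java: random CMK first, then the checked unwrap."""
    key_len = CMK_LENGTH[enc]
    random_cmk = secrets.token_bytes(key_len)  # always generated, success or failure
    try:
        cmk = pkcs1_v15_unpad(padded_block, key_len)
    except ValueError:
        # MMA countermeasure: proceed with the random CMK so the downstream
        # AES/HMAC step fails exactly as it would for any wrong key.
        cmk = random_cmk
    return cmk
```

As the thread itself notes, this removes the RNG cost from the failure path but does not make the exception handling or the length check themselves timing-neutral.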