> From: Kurt Seifried
> Sent: Friday, September 24, 2021 10:08 AM
> To: Steven M Christey
> Cc: Walton, Jeffrey; CWE Research Discussion
> Subject: Re: Cross-configuration attacks
>
>
>
> On Thu, Sep 23, 2021 at 11:02 PM Steven M C
4, 2021 10:08 AM
To: Steven M Christey
Cc: Walton, Jeffrey; CWE Research Discussion
Subject: Re: Cross-configuration attacks
On Thu, Sep 23, 2021 at 11:02 PM Steven M Christey <co...@mitre.org> wrote:
Just a couple quick comments since it’s late for me :)
CWE-435: Improper Int
are fine by themselves,
but there can be weaknesses in a parent component that instantiates both the
blocks.
Thanks,
Arun
From: Kurt Seifried
Sent: Thursday, September 23, 2021 8:20 PM
To: noloa...@gmail.com
Cc: cwe-research-l...@lists.mitre.org
Subject: Re: Cross-configuration attacks
I assum
>
> *From:* Kurt Seifried
> *Sent:* Thursday, September 23, 2021 11:20 PM
> *To:* Walton, Jeffrey
> *Cc:* CWE Research Discussion
> *Subject:* Re: Cross-configuration attacks
>
>
>
> I assume by CVE you meant CWE, and no there isn't a CWE for "intersection"
.
- Paul
From: John Thomas
Sent: Friday, September 24, 2021 8:22 AM
To: Kurt Seifried; noloa...@gmail.com
Cc: cwe-research-l...@lists.mitre.org
Subject: RE: Cross-configuration attacks
I think the issue here is the ambiguity in the behavior. If App A knows App B’s
behavior fully and with no
Sent: Friday, September 24, 2021 4:28:07 AM
To: Steven M Christey <co...@mitre.org>
Cc: Seifried, Kurt <k...@seifried.org>; Walton, Jeffrey <noloa...@gmail.com>; CWE Research Discussion <cwe-research-list@mitre.org>
Subject: Re: Cross-configuratio
even M Christey
Cc: Seifried, Kurt; Walton, Jeffrey; CWE Research Discussion
Subject: Re: Cross-configuration attacks
About configurations, I’m still scratching my head about where PrintNightmare’s
“Insecure by design” would fall (fail?).
Best,
Sebastian
On Sep 24, 2021, at 1:01 AM, St
gree of ambiguity on several key aspects of the cipher. Each
library in the OpenPGP ecosystem seems to have implemented a
slightly different “flavour” of ElGamal encryption. While –taken in
isolation– each implementation may be secure, we reveal that in the
interoperable world of OpenPGP, unforesee
>
> From: Kurt Seifried
> Sent: Thursday, September 23, 2021 11:20 PM
> To: Walton, Jeffrey
> Cc: CWE Research Discussion
> Subject: Re: Cross-configuration attacks
>
> I assume by CVE you meant CWE, and no there isn't a CWE for "intersection" or
>
23, 2021 11:20 PM
To: Walton, Jeffrey
Cc: CWE Research Discussion
Subject: Re: Cross-configuration attacks
I assume by CVE you meant CWE, and no there isn't a CWE for "intersection" or
"mismatch" attacks. I don't like the term cross-configuration unless it's
y, or perhaps because of it, in reality there is a
> large degree of ambiguity on several key aspects of the cipher. Each
> library in the OpenPGP ecosystem seems to have implemented a
> slightly different “flavour” of ElGamal encryption. While –taken in
> isolation– each implementation may
that in the
interoperable world of OpenPGP, unforeseen cross-configuration
attacks become possible. Concretely, we propose different such
attacks and show their practical efficacy by recovering plaintexts
and even secret keys.