On Mon, 20 Sep 2021 09:35:57 GMT, Lari Hotari <d...@openjdk.java.net> wrote:
>> ### Motivation >> >> When profiling an application that uses JWT token authentication, it was >> noticed that a high number of `javax.crypto.BadPaddingException`s were >> created. When investigating the code in RSAPadding, one can see that >> BadPaddingException is created in all cases, also on the success path: >> https://github.com/openjdk/jdk/blob/dc7f452acbe3afa5aa6e31d316bd5e669c86d6f6/src/java.base/share/classes/sun/security/rsa/RSAPadding.java#L369-L375 >> >> ### Modifications >> >> Inline the unnecessary local variable to prevent creating the exception on >> the success path. > > For anyone interested, there's an explanation of the [Bleichenbacher's CCA > attack on PKCS#1 v1.5 on > Stackexchange](https://crypto.stackexchange.com/questions/12688/can-you-explain-bleichenbachers-cca-attack-on-pkcs1-v1-5). > The original paper is ["Chosen Ciphertext Attacks Against Protocols Based on > the RSA Encryption Standard PKCS #1" > ](http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf). > > The reason for constant time is to not leak information about a possible bad > padding to the attacker based on the difference in response time between a > valid and bad padding. The attacker can use this information to narrow the > search to find the pre-master secret. Hi @lhotari, please submit an OCA at https://oca.opensource.oracle.com/ if you are contributing on your own behalf. If you are contributing on your employers behalf, please send me an e-Mail at dalibor.to...@oracle.com so that I can verify your account. ------------- PR: https://git.openjdk.java.net/jdk/pull/5581
