sakimura at gmail.com
Fri Oct 28 11:36:18 UTC 2011
So I was going over the recent XML Encryption vulnerability.
The flaw is that of CBC mode of operation combined with unauthenticated
It is a kind of padding oracle attack.
We have two choices here:
1) Require authenticated encryption mode such as GCM
2) Require message authentication to be applied to the cipher text.
Ideally, 1) should be taken, as operational efficiency is much greater,
but in reality we do not have support for GCM in many languages.
Thus, while RECOMMENDing 1), we should REQUIRE HMAC to be applied
on the encrypted text (cipher text) in CBC mode.
Thus, we should make it REQUIRED to sig+enc+mac, instead of sig+enc,
and REQUIRE the verifier to first verify the mac and if the mac is not
the process should abend, returning a MAC error.
Also, although the same public-private keypair can be used for encryption
in the case of RSA, we should probably use two separate keypairs. That is
Perhaps we would not REQUIRE it, but we should RECOMMEND it.