[Openid-specs-ab] Encryption

sakimura sakimura at gmail.com
Fri Oct 28 11:36:18 UTC 2011

 So I was going over the recent XML Encryption vulnerability.

 The flaw is that of CBC mode of operation combined with unauthenticated 
 It is a kind of padding oracle attack.

 We have two choices here:

 1) Require authenticated encryption mode such as GCM
 2) Require message authentication to be applied to the cipher text.

 Ideally 1) should be taken as operational efficiency is much greater 
 than 2),
 but in reality we do not have support for GCM in many languages.

 Thus, while RECOMMENDing 1), we should REQUIRE HMAC to be applied
 on the encrypted text (cipher text) in CBC mode.

 Thus, we should make it REQUIRED to sig+enc+mac, instead of sig+enc,
 and REQUIRE the verifier to first verify the mac and if the mac is not 
 the process should abend returning mac error.

 Also, although the same public-private keypair can be used for encryption 
 and signature
 in case of RSA, we should probably use two separate keypairs. That is 
 Perhaps we would not REQUIRE it, but we should RECOMMEND it.


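The construction the message argues for, as an added example that is not part of this post or of the OpenID AB specification: AES-CBC with an HMAC applied over the ciphertext (encrypt-then-MAC), and a receiver that checks the MAC first and abends with a MAC error before it ever looks at padding. The flawed receiver is shown beside it so the padding oracle is visible. Only the Go standard library is used; the keys, the message layout (iv || ciphertext || tag), and the function names are assumptions for illustration, and the signature step of sig+enc+mac is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Distinct errors on purpose: the verify-first path only ever returns ErrMAC.
var (
	ErrMAC     = errors.New("mac verification failed")
	ErrPadding = errors.New("bad padding")
)

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, ErrPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs {
		return nil, ErrPadding
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrPadding
		}
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt returns iv || AES-CBC(pkcs7(plaintext)) under a fresh random IV.
func cbcEncrypt(encKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	if _, err := rand.Read(out); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, out).CryptBlocks(ct, padded)
	return append(out, ct...), nil
}

// DecryptUnauthenticated is the flawed receiver: no MAC, so its error tells
// an attacker whether the padding of a tampered message decrypted validly.
func DecryptUnauthenticated(encKey, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	if len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 {
		return nil, ErrPadding
	}
	iv, ct := msg[:aes.BlockSize], msg[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

// EncryptThenMAC: CBC-encrypt, then HMAC-SHA256 over iv || ciphertext.
// Layout (assumed for this example): iv || ciphertext || tag.
func EncryptThenMAC(encKey, macKey, plaintext []byte) ([]byte, error) {
	body, err := cbcEncrypt(encKey, plaintext)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(body), nil
}

// VerifyThenDecrypt checks the tag in constant time before any decryption.
// Any tampering yields ErrMAC; padding is never examined on a bad tag.
func VerifyThenDecrypt(encKey, macKey, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+sha256.Size {
		return nil, ErrMAC
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrMAC // abend here, as the message proposes
	}
	return DecryptUnauthenticated(encKey, body) // safe only after the MAC passed
}

func main() {
	encKey := bytes.Repeat([]byte{0x11}, 16) // constructed demo keys, not real
	macKey := bytes.Repeat([]byte{0x22}, 32)
	msg, _ := EncryptThenMAC(encKey, macKey, []byte("id_token claims"))
	// Flip one IV bit: flips the same bit in the last byte of block 1 (the pad).
	tampered := append([]byte{}, msg...)
	tampered[aes.BlockSize-1] ^= 0x10
	_, err := DecryptUnauthenticated(encKey, tampered[:len(tampered)-sha256.Size])
	fmt.Println("unauthenticated CBC leaks:", err)
	_, err = VerifyThenDecrypt(encKey, macKey, tampered)
	fmt.Println("verify-first returns:", err)
}
```

The tampered message is rejected by the unauthenticated receiver with "bad padding" and by the verify-first receiver with "mac verification failed"; the second error carries no information about the plaintext, which is the whole point of requiring the MAC check before decryption. Separate encryption and MAC keys are used so that neither primitive exposes the other's key, in the same spirit as the message's recommendation of separate keypairs.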