[Openid-specs-ab] Encryption
sakimura
sakimura at gmail.com
Fri Oct 28 11:36:18 UTC 2011
So I was going over the recent XML Encryption vulnerability.
http://www.informationweek.com/news/security/vulnerabilities/231901532

The flaw is that of CBC mode of operation combined with unauthenticated encryption. It is a kind of padding oracle attack.

We have two choices here:
1) Require authenticated encryption mode such as GCM
2) Require message authentication to be applied to the cipher text.

Ideally 1) should be taken, as operational efficiency is much greater than 2), but in reality we do not have support for GCM in many languages.
Thus, while RECOMMENDing 1), we should REQUIRE HMAC to be applied on the encrypted text (cipher text) in CBC mode.
Thus, we should make it REQUIRED to sig+enc+mac, instead of sig+enc, and REQUIRE the verifier to first verify the mac and, if the mac is not correct, the process should abend returning a mac error.

Also, although the same public-private keypair can be used for encryption and signature in case of RSA, we should probably use two separate keypairs. That is safer. Perhaps we would not REQUIRE it, but we should RECOMMEND it.
=nat
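The sig+enc+mac rule the post argues for, with the verifier checking the MAC before it touches the ciphertext, as an added Go example that is not part of the original post or of any OpenID specification. It assumes AES-128-CBC with PKCS#7 padding, HMAC-SHA256 over IV plus ciphertext, and two separate keys (encryption and MAC), none of which the post fixes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var ErrMAC = errors.New("mac error") // the only error a forged message yields; raised before any decryption

// SealCBCThenMAC returns iv || AES-CBC(PKCS#7(plaintext)) || HMAC-SHA256(iv || ciphertext), with encKey and macKey kept separate.
func SealCBCThenMAC(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 always adds 1..16 bytes
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	rand.Read(out[:aes.BlockSize]) // random IV; crypto/rand aborts the program rather than return bad bytes
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	h := hmac.New(sha256.New, macKey)
	h.Write(out) // the tag covers the IV as well as the ciphertext
	return h.Sum(out), nil
}

// OpenCBCThenMAC verifies the tag first (constant time) and abends with ErrMAC; only a tag-valid message is decrypted and unpadded.
func OpenCBCThenMAC(encKey, macKey, sealed []byte) ([]byte, error) {
	if len(sealed) < 2*aes.BlockSize+sha256.Size || (len(sealed)-sha256.Size)%aes.BlockSize != 0 {
		return nil, ErrMAC
	}
	msg, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	h := hmac.New(sha256.New, macKey)
	h.Write(msg)
	if !hmac.Equal(h.Sum(nil), tag) {
		return nil, ErrMAC
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, msg[:aes.BlockSize]).CryptBlocks(padded, msg[aes.BlockSize:])
	n := int(padded[len(padded)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(padded[len(padded)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding") // only reachable for an authenticated but buggy sender
	}
	return padded[:len(padded)-n], nil
}
```

Because every modified, truncated or wrongly keyed message fails with the same ErrMAC before decryption, a receiver built this way exposes no padding-error channel at all.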