- changed status to open
Remove checked exceptions from RSA1_5.decryptCEK(...) to minimise exposure to timing attacks
Suggested by Juraj Somorovsky in email:
However, there is also pretty much bad stuff: unchecked exceptions or non-constant-time code do affect crypto implementations pretty much. For example, our newest findings are summarized here in the blog of my colleague (if you are interested in some crypto attacks :)): http://armoredbarista.blogspot.co.at/2014/04/easter-hack-even-more-critical-bugs-in.html
Thanks. That was very educational.
Does this mean RSA1_5.decryptCEK and all involved methods beneath it should be rewritten to communicate bad input by returning null/error object instead of throwing exceptions?
https://bitbucket.org/connect2id/nimbus-jose-jwt/src/df1af626b45264136f74093c058d716aa3c8f94f/src/main/java/com/nimbusds/jose/crypto/RSADecrypter.java?at=master#cl-211 Hmmm, that's true... exception handling consumes too much time. Put this into your RSA_15 to remove the exception.
import java.security.SecureRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
SecureRandom randomGen = getSecureRandom();
SecretKey randomCEK = AES.generateKey(keyLength, randomGen); // fallback, generated before decrypting on every call
SecretKey key = randomCEK;
Cipher cipher = CipherHelper.getInstance("RSA/ECB/PKCS1Padding", provider);
cipher.init(Cipher.DECRYPT_MODE, priv);
try {
    byte[] secretKeyBytes = cipher.doFinal(encryptedCEK);
    if (8 * secretKeyBytes.length == keyLength) { // accept only a CEK of the expected length
        key = new SecretKeySpec(secretKeyBytes, "AES");
    }
} catch (BadPaddingException | IllegalBlockSizeException e) {
    // Bad PKCS#1 padding or size: keep the random CEK instead of signalling the failure
}
return key;
I do not know if all the variables and objects fit, but you get the idea. This ensures you always get a key of a correct length. (It is possible that you should work with random bytes instead of randomCEK.)
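A self-contained version of that approach, added here as an illustration and not code from nimbus-jose-jwt: a hypothetical decryptCEK that returns a random CEK of the expected length instead of throwing on a padding or length failure, exercised once with a valid and once with a corrupted RSA ciphertext. The class name, the method signature and the sample key material are assumptions.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
public class Rsa15CekDemo { // hypothetical class, not part of nimbus-jose-jwt
    // Hardened unwrap: a random CEK of the expected length is prepared first and returned
    // whenever unwrapping fails, so the caller's AES authentication check fails uniformly.
    static SecretKey decryptCEK(PrivateKey priv, byte[] encryptedCEK, int keyLength,
                                SecureRandom rng) throws Exception {
        byte[] fallback = new byte[keyLength / 8];
        rng.nextBytes(fallback);
        SecretKey key = new SecretKeySpec(fallback, "AES");
        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        cipher.init(Cipher.DECRYPT_MODE, priv);
        try {
            byte[] cekBytes = cipher.doFinal(encryptedCEK);
            if (8 * cekBytes.length == keyLength) {
                key = new SecretKeySpec(cekBytes, "AES");
            }
        } catch (BadPaddingException | IllegalBlockSizeException e) {
            // deliberately swallowed: fall through with the random key
        }
        return key;
    }
    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048, rng);
        KeyPair kp = kpg.generateKeyPair();
        byte[] cek = new byte[16]; // constructed 128-bit CEK
        rng.nextBytes(cek);
        Cipher enc = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        byte[] wrapped = enc.doFinal(cek);
        byte[] good = decryptCEK(kp.getPrivate(), wrapped, 128, rng).getEncoded();
        System.out.println("valid wrap -> original CEK: " + Arrays.equals(good, cek));
        byte[] tampered = wrapped.clone(); // corrupt the RSA ciphertext: unpadding now fails
        tampered[tampered.length - 1] ^= 0x01;
        byte[] bad = decryptCEK(kp.getPrivate(), tampered, 128, rng).getEncoded();
        System.out.println("tampered wrap -> fresh 16-byte CEK, no exception: "
            + (bad.length == 16 && !Arrays.equals(bad, cek)));
    }
}
```

The random fallback is generated before the RSA operation on every call, so the failure path does not skip work that the success path performs.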
Comments (3)
reporter - Released update in 2.26.1
- changed status to resolved