Remove checked exceptions from RSA1_5.decryptCEK(...) to minimise exposure to timing attacks

Issue #91 resolved
Vladimir Dzhuvinov created an issue

Suggested by Juraj Somorovsky in email:

> However, there is also pretty much bad stuff: unchecked exceptions or non-timing-constant code do affect crypto implementations pretty much. For example, our newest findings are summarized here in the blog of my colleague (if you are interested in some crypto attacks :) ): http://armoredbarista.blogspot.co.at/2014/04/easter-hack-even-more-critical-bugs-in.html

Thanks. That was very educational.

Does this mean RSA1_5.decryptCEK and all involved methods beneath it should be rewritten to communicate bad input by returning null/error object instead of throwing exceptions?

https://bitbucket.org/connect2id/nimbus-jose-jwt/src/df1af626b45264136f74093c058d716aa3c8f94f/src/main/java/com/nimbusds/jose/crypto/RSADecrypter.java?at=master#cl-211 Hmmm, that's true... exception handling consumes too much time. Put this into your RSA1_5 to remove the exception.

    // Draw the fallback key unconditionally, before touching the ciphertext
    SecureRandom randomGen = getSecureRandom();
    SecretKey randomCEK = AES.generateKey(keyLength, randomGen);

    SecretKey key;

    try {
        Cipher cipher = CipherHelper.getInstance("RSA/ECB/PKCS1Padding", provider);
        cipher.init(Cipher.DECRYPT_MODE, priv);
        byte[] secretKeyBytes = cipher.doFinal(encryptedCEK);

        // Wrong length: substitute the random key instead of signalling an error
        if (8 * secretKeyBytes.length != keyLength) {
            key = randomCEK;
        } else {
            key = new SecretKeySpec(secretKeyBytes, "AES");
        }
    } catch (GeneralSecurityException e) {
        // Bad padding etc.: substitute the random key, never propagate the exception
        key = randomCEK;
    }

    return key;

I do not know if all the variables and objects fit, but you get the idea. This ensures you always get a key of a correct length. (It is possible that you should work with random bytes instead of randomCEK.)
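An added, self-contained example (not code from the issue or from the Nimbus JOSE+JWT code base) of the approach suggested above: RSA1_5 unwrapping of the content encryption key never throws and always hands back an AES key of the requested length, drawing a random substitute when the ciphertext does not unwrap cleanly. The class name `Rsa15CekDemo` and the helpers `decryptCEK` / `encryptCEK` are assumed; only the JDK's `javax.crypto` API is used.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class Rsa15CekDemo {

    // Hypothetical stand-in for RSA1_5.decryptCEK: never throws on bad input,
    // always returns an AES key of keyLength bits.
    static SecretKey decryptCEK(PrivateKey priv, byte[] encryptedCEK,
                                int keyLength, SecureRandom rng) {
        // Draw the fallback key unconditionally, before touching the ciphertext,
        // so the success and failure paths do the same amount of work.
        byte[] fallback = new byte[keyLength / 8];
        rng.nextBytes(fallback);

        byte[] cekBytes;
        try {
            Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            rsa.init(Cipher.DECRYPT_MODE, priv);
            cekBytes = rsa.doFinal(encryptedCEK);
        } catch (GeneralSecurityException e) {
            // BadPaddingException, IllegalBlockSizeException, ...: continue with
            // the random key so the caller cannot tell the two cases apart here.
            cekBytes = fallback;
        }
        // Unwrapped but of the wrong size: treat exactly like a padding failure.
        if (cekBytes.length != keyLength / 8) {
            cekBytes = fallback;
        }
        return new SecretKeySpec(cekBytes, "AES");
    }

    // Encrypt-side helper (constructed for the demo): wraps an AES key with RSA1_5.
    static byte[] encryptCEK(PublicKey pub, SecretKey cek) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, pub);
        return rsa.doFinal(cek.getEncoded());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecureRandom rng = new SecureRandom();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048, rng);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample: a fresh 128-bit CEK, wrapped for the recipient.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128, rng);
        SecretKey cek = kg.generateKey();
        byte[] wrapped = encryptCEK(kp.getPublic(), cek);

        // Well-formed ciphertext: the original CEK comes back.
        SecretKey ok = decryptCEK(kp.getPrivate(), wrapped, 128, rng);
        System.out.println("valid ciphertext, CEK recovered: "
                + Arrays.equals(ok.getEncoded(), cek.getEncoded()));

        // Corrupted ciphertext: no exception, still a 16-byte AES key, just a random one.
        byte[] tampered = wrapped.clone();
        tampered[tampered.length - 1] ^= 0x01;
        SecretKey bad = decryptCEK(kp.getPrivate(), tampered, 128, rng);
        System.out.println("tampered ciphertext, key bytes: " + bad.getEncoded().length
                + ", equals original: " + Arrays.equals(bad.getEncoded(), cek.getEncoded()));
    }
}
```

With this shape the only observable outcome of a bad RSA1_5 ciphertext is that the subsequent content decryption (AES-GCM tag check or HMAC) fails, and it fails the same way for every malformed ciphertext rather than distinguishing "bad padding" from "wrong length". Two caveats: the random key must be drawn on every call, not only on failure, so the failure path does not become the slower one; and the unpadding inside the JCE provider is outside the application's control, so this closes the exception-based signal only, not every possible timing difference in the provider.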


Comments (3)