[Top] [All Lists]

Be careful with that axe, Eugene

2004-03-16 10:11:50

I put in this note in -11 in security considerations about PKCS1 padding:

     * PKCS1 has been found to be vulnerable to attacks in which a
       system reports that errors in padding differently from errors in
       decryption becomes a random oracle that can leak the private key
       in mere millions of queries. Implementations must be aware of
       this attack and prevent it from happening. The simplest solution
       is report a single error code for all variants of decryption
       errors so as not to leak information to an attacker.

I don't want to beat this to death, given that the consensus seems to be that this is both an error to worry about, but an implementation error that is presently something smart coders should know about.

If there are small changes someone wants, feel free to write them up. I read the uPnP section that Carl mentioned. I think we are terser, but no less informative. I think the above lets someone who has a real reason not to take the suggested workaround a clue that they might want to start googling.


<Prev in Thread] Current Thread [Next in Thread>