Security Work Items

These work items relate to security vulnerabilities in the spec.

Extraction Attacks

Section 7: Says: "We note that none of the attacks just described can compromise keys marked “sensitive,” since a key that is sensitive will always remain sensitive. Similarly, a key that is unextractable cannot be modified to be extractable."

There are a number of vulnerabilities in the spec with regards to extracting keys that should not be extractable. These can be theoretically fixed by tightening up the spec (although in practice a test suite would be needed).

See: http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCFS-ccs10.pdf

Other vulns have been known for many years, e.g. extracting a sensitive key by deriving one-bit sub-keys from it, one bit at a time. Many of these are mitigated by the fact that no known implementation actually supports the mechanisms involved.
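The following is an added illustration, not code from the spec or from any PKCS#11 implementation: a small model of the "sticky" attribute rules quoted from Section 7 (a sensitive key never becomes non-sensitive, an unextractable key never becomes extractable) together with the inheritance rule that closes the one-bit derive hole, namely that a key derived from a sensitive or unextractable base key inherits those attributes whatever the caller's template says. Only the attribute names CKA_SENSITIVE, CKA_EXTRACTABLE and CKA_VALUE come from PKCS#11; the classes, function names and the toy single-bit derive are assumptions made for this example. The `recoverable_bits` helper is an audit check that counts how many bits of a key would leak through derived sub-keys under the modelled rules.

```python
# Added example (not from the spec or any vendor's code): a simplified model of
# PKCS#11 key attributes that enforces the sticky rules from Section 7 and makes
# derived keys inherit CKA_SENSITIVE / CKA_EXTRACTABLE from their base key.
from dataclasses import dataclass


class AttributeViolation(Exception):
    """Raised when an operation would weaken a key's protection."""


@dataclass
class Key:
    value: bytes
    sensitive: bool      # models CKA_SENSITIVE: value may not be read out
    extractable: bool    # models CKA_EXTRACTABLE: value may be wrapped out


def set_attributes(key: Key, sensitive=None, extractable=None) -> Key:
    """Model of C_SetAttributeValue restricted to the two sticky attributes.

    Only transitions toward more protection are allowed: CK_FALSE -> CK_TRUE
    for sensitive, CK_TRUE -> CK_FALSE for extractable.
    """
    if sensitive is not None:
        if key.sensitive and not sensitive:
            raise AttributeViolation("CKA_SENSITIVE cannot be cleared once set")
        key.sensitive = sensitive
    if extractable is not None:
        if not key.extractable and extractable:
            raise AttributeViolation("CKA_EXTRACTABLE cannot be set once cleared")
        key.extractable = extractable
    return key


def get_value(key: Key) -> bytes:
    """Model of reading CKA_VALUE: refused for sensitive keys."""
    if key.sensitive:
        raise AttributeViolation("CKA_VALUE of a sensitive key is not readable")
    return key.value


def derive_bit(base: Key, bit_index: int,
               template_sensitive=False, template_extractable=True) -> Key:
    """Toy derive of a 1-bit sub-key (hypothetical stand-in for an
    extract-key-from-key style mechanism).

    If the base key is sensitive the derived key is forced sensitive; if the
    base key is unextractable the derived key is forced unextractable. The
    caller's template is honoured only where the base key does not restrict it.
    """
    byte, offset = divmod(bit_index, 8)
    bit = (base.value[byte] >> (7 - offset)) & 1
    sensitive = True if base.sensitive else template_sensitive
    extractable = False if not base.extractable else template_extractable
    return Key(value=bytes([bit]), sensitive=sensitive, extractable=extractable)


def recoverable_bits(base: Key) -> list:
    """Audit check: bits of `base` readable via derived 1-bit sub-keys.

    Returns the bits that could be read out; an empty list means the
    inheritance rule blocks the bit-at-a-time readout for this key.
    """
    recovered = []
    for i in range(len(base.value) * 8):
        sub = derive_bit(base, i)
        try:
            recovered.append(get_value(sub)[0])
        except AttributeViolation:
            break
    return recovered


def violates(action) -> bool:
    """True if calling `action()` is refused by the modelled rules."""
    try:
        action()
    except AttributeViolation:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample key material; not a real key.
    protected = Key(value=b"\xa5", sensitive=True, extractable=False)
    plain = Key(value=b"\xa5", sensitive=False, extractable=True)
    print("clear CKA_SENSITIVE refused:",
          violates(lambda: set_attributes(protected, sensitive=False)))
    print("bits leaked from sensitive key:", recoverable_bits(protected))
    print("bits leaked from non-sensitive key:", recoverable_bits(plain))
```

Swapping the `True if base.sensitive else ...` line for a plain `template_sensitive` reproduces the weakness the text describes: every derived bit then becomes readable, and `recoverable_bits` returns the whole key. A conformance test suite for the spec would want a case of exactly that shape for each derive mechanism a token supports.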

Recommendations

If we feel a need to address a padding oracle attack, the following recommendation can be used: "To protect against chosen ciphertext attacks, like the Bleichenbacher attack, use PKCS #1 Version 2, with OAEP, and disable support for PKCS #1, Version 1.5"

SecurityWorkItems (last edited 2013-04-17 21:08:57 by chris.duane)