myfaces-dev mailing list archives
From "Kevin W. Wall (JIRA)" <...@myfaces.apache.org>
Subject [jira] Created: (MYFACES-2934) Side-channel timing attack in StateUtils class may still allow padding oracle attack
Date Thu, 30 Sep 2010 17:02:33 GMT
Side-channel timing attack in StateUtils class may still allow padding oracle attack
------------------------------------------------------------------------------------

                 Key: MYFACES-2934
                 URL: https://issues.apache.org/jira/browse/MYFACES-2934
             Project: MyFaces Core
          Issue Type: Bug
    Affects Versions: 1.2.9
         Environment: All using MyFaces 1.2.9
            Reporter: Kevin W. Wall


[FYI: I'm the person who fixed the padding oracle attack in ESAPI 2.0-rc# crypto which is
why I spotted this.]

I did a quick code inspection of encrypt() / decrypt() methods in org.apache.myfaces.shared_impl.util.StateUtils
as it relates to the fix for MYFACES-2749.  Most everything is done correctly (MAC is over IV+ciphertext
and checked before decryption), but I noticed a subtle flaw that, at least in theory (or with enough
data gathering and statistical analysis), opens a side-channel timing attack that might
still be used as an oracle in a padding oracle attack such as described by Duong and Rizzo.

The problem is in the 'for' loop at lines 471-478 in StateUtils.java. You need to
ALWAYS compare ALL the bytes in the MAC to ensure a timing side-channel attack cannot be used
as an oracle in the padding oracle attack.

Contact me at kevin.w.wall@gmail.com if you need more info or want to see how it was fixed
in OWASP ESAPI.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
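The following is an added illustration of the point raised in the report, not code from MyFaces or from the reporter: an early-exit byte comparison (an assumed rendering of the loop pattern the report describes, not the actual StateUtils source) beside a constant-time comparison, used inside a verify-then-decrypt routine that MACs IV+ciphertext and rejects tampered input before any unpadding can happen. The key sizes, algorithm names and the sample view-state string are constructed for the demo.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class MacCompareDemo {

    // Early-exit comparison (assumed rendering of the flawed pattern, not StateUtils' code):
    // it returns at the first differing byte, so the time it takes depends on how many
    // leading bytes of an attacker-supplied tag happen to match the real one.
    static boolean earlyExitEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return false;
        }
        return true;
    }

    // Constant-time comparison: every byte is visited and the differences are OR-ed together,
    // so the running time does not depend on where the first mismatch is. A length mismatch
    // is folded into the result the same way instead of short-circuiting.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < a.length && i < b.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    static final String MAC_ALG = "HmacSHA256";          // assumed choice for the demo
    static final String CIPHER = "AES/CBC/PKCS5Padding"; // CBC with padding, the setting a padding oracle targets
    static final int IV_LEN = 16;

    static Mac newMac(byte[] macKey) throws Exception {
        Mac mac = Mac.getInstance(MAC_ALG);
        mac.init(new SecretKeySpec(macKey, MAC_ALG));
        return mac;
    }

    // Output layout: iv || ciphertext || tag, with the tag computed over iv || ciphertext.
    static byte[] encrypt(byte[] plaintext, byte[] encKey, byte[] macKey) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        Mac mac = newMac(macKey);
        mac.update(iv);
        mac.update(ct);
        byte[] tag = mac.doFinal();
        byte[] out = new byte[iv.length + ct.length + tag.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        System.arraycopy(tag, 0, out, iv.length + ct.length, tag.length);
        return out;
    }

    // Verify the MAC over iv || ciphertext with a constant-time compare, and only then decrypt.
    // Any failure produces the same exception, whichever byte of the tag differed.
    static byte[] decrypt(byte[] blob, byte[] encKey, byte[] macKey) throws Exception {
        Mac mac = newMac(macKey);
        int tagLen = mac.getMacLength();
        if (blob.length < IV_LEN + tagLen) throw new SecurityException("MAC mismatch");
        int ctEnd = blob.length - tagLen;
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, IV_LEN, ctEnd);
        byte[] tag = Arrays.copyOfRange(blob, ctEnd, blob.length);
        mac.update(iv);
        mac.update(ct);
        byte[] expected = mac.doFinal();
        if (!constantTimeEquals(expected, tag)) throw new SecurityException("MAC mismatch");
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        return c.doFinal(ct); // unpadding happens only on data whose MAC already checked out
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] encKey = new byte[16]; // AES-128 key, generated for the demo
        byte[] macKey = new byte[32]; // HMAC key, generated for the demo
        rnd.nextBytes(encKey);
        rnd.nextBytes(macKey);
        byte[] blob = encrypt("constructed sample view state".getBytes("UTF-8"), encKey, macKey);
        System.out.println(new String(decrypt(blob, encKey, macKey), "UTF-8"));
        // Flip one ciphertext byte: rejected at the MAC check, before the cipher ever sees it.
        blob[IV_LEN + 4] ^= 1;
        try {
            decrypt(blob, encKey, macKey);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point to check in a review of code like StateUtils is twofold: the comparison must not return early (the OR-accumulating loop above is the usual idiom; on the JDKs of that era MessageDigest.isEqual had the same early-exit behaviour, so it was no substitute), and the MAC failure path must be indistinguishable from every other MAC failure, with no decryption or unpadding attempted first. Together those remove both the padding oracle and the timing oracle that could stand in for it.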

