ws-dev mailing list archives

From "Marc Giger (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WSS-413) EncryptedKey security issue with streaming code
Date Wed, 12 Dec 2012 11:25:21 GMT

    [ https://issues.apache.org/jira/browse/WSS-413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13529853#comment-13529853 ]

Marc Giger commented on WSS-413:
--------------------------------

Colm,

Do you think it is a problem if I handle this in Santuario? I ask this because the whole thing is implemented in Santuario and not in WSS4J.

Btw, just as background information:
In the streaming code most keys are lazily initialized. That means the keys are not processed when they are encountered but when they are used. So in this concrete case there is just a very very small delay between session key decryption and data decryption with the session key. Of course it could still be exploited.

Marc
                
> EncryptedKey security issue with streaming code
> -----------------------------------------------
>
>                 Key: WSS-413
>                 URL: https://issues.apache.org/jira/browse/WSS-413
>             Project: WSS4J
>          Issue Type: Improvement
>            Reporter: Colm O hEigeartaigh
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.0
>
>
> Instead of throwing an exception when encountering a problem in processing an EncryptedKey, we should instead generate a session key and attempt to decrypt the EncryptedData structure instead (take a look at the DOM code here). This prevents timing attacks to see where the error was in processing the key versus data.

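The mitigation described in the issue, as an added example that is not WSS4J or Santuario code: a failed EncryptedKey unwrap is swallowed and replaced by a random session key, so the only observable failure is the later data decryption. The class and method names, RSA-OAEP key transport and AES-GCM data cipher are assumptions chosen for the sketch, and it does not make the two paths constant-time.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.*;

public class EncryptedKeyFallbackDemo {
    static final SecureRandom RNG = new SecureRandom();
    static final String WRAP = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding"; // assumed key transport

    // Never throws on a bad EncryptedKey: any failure yields a random session key.
    static byte[] unwrapOrRandom(byte[] wrapped, PrivateKey kek, int keyLen) {
        byte[] fallback = new byte[keyLen];
        RNG.nextBytes(fallback); // drawn on every call, not only on the error path
        try {
            Cipher rsa = Cipher.getInstance(WRAP);
            rsa.init(Cipher.DECRYPT_MODE, kek);
            byte[] key = rsa.doFinal(wrapped);
            return key.length == keyLen ? key : fallback;
        } catch (GeneralSecurityException e) {
            return fallback; // swallowed here; shows up later as a data failure
        }
    }

    static Cipher aes(int mode, byte[] key, byte[] iv) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); // assumed data cipher
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c;
    }

    // One failure point: a bad key and bad data raise the same exception.
    static byte[] decrypt(byte[] wrapped, byte[] iv, byte[] ct, PrivateKey kek) {
        try {
            return aes(Cipher.DECRYPT_MODE, unwrapOrRandom(wrapped, kek, 16), iv).doFinal(ct);
        } catch (GeneralSecurityException e) {
            throw new SecurityException("decryption failed");
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] key = new byte[16], iv = new byte[12];
        RNG.nextBytes(key); RNG.nextBytes(iv);
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        byte[] wrapped = rsa.doFinal(key);
        byte[] ct = aes(Cipher.ENCRYPT_MODE, key, iv).doFinal("constructed sample".getBytes());
        System.out.println(new String(decrypt(wrapped, iv, ct, kp.getPrivate())));
        wrapped[wrapped.length - 1] ^= 1; // constructed tampering of the EncryptedKey
        try { decrypt(wrapped, iv, ct, kp.getPrivate()); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```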