ws-dev mailing list archives

From "Colm O hEigeartaigh (JIRA)" <>
Subject [jira] [Commented] (WSS-413) EncryptedKey security issue with streaming code
Date Wed, 12 Dec 2012 16:19:21 GMT


Colm O hEigeartaigh commented on WSS-413:

No problem with handling this in Santuario.

> EncryptedKey security issue with streaming code
> -----------------------------------------------
>                 Key: WSS-413
>                 URL:
>             Project: WSS4J
>          Issue Type: Improvement
>            Reporter: Colm O hEigeartaigh
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.0
> Instead of throwing an exception when encountering a problem in processing an EncryptedKey,
> we should instead generate a session key and attempt to decrypt the EncryptedData structure
> instead (take a look at the DOM code here). This prevents timing attacks to see where the
> error was in processing the key versus data.
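
The fallback the issue describes, as an added example that is not code from WSS4J or Santuario: when the EncryptedKey cannot be unwrapped, a random session key is substituted so the failure only appears at the data-decryption step. The class and method names are hypothetical, and RSA PKCS#1 v1.5 key transport with AES-128-GCM data encryption is an assumption.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import java.security.*;

public class EncryptedKeyFallback {
    static final SecureRandom RNG = new SecureRandom();

    // Always returns keyLen bytes; never reveals whether the EncryptedKey was valid.
    static byte[] unwrapSessionKey(PrivateKey kek, byte[] wrapped, int keyLen) {
        byte[] fallback = new byte[keyLen];
        RNG.nextBytes(fallback); // generated on every call, not only on failure
        try {
            Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            rsa.init(Cipher.DECRYPT_MODE, kek);
            byte[] key = rsa.doFinal(wrapped);
            return key.length == keyLen ? key : fallback;
        } catch (GeneralSecurityException e) {
            return fallback; // no exception here; the data step fails instead
        }
    }

    static Cipher aesGcm(int mode, byte[] key, byte[] iv) throws GeneralSecurityException {
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return aes;
    }

    // Returns null on any failure, so a bad key and bad data look the same to the caller.
    static byte[] decryptData(byte[] sessionKey, byte[] iv, byte[] ct) {
        try {
            return aesGcm(Cipher.DECRYPT_MODE, sessionKey, iv).doFinal(ct);
        } catch (GeneralSecurityException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: fresh RSA key pair, AES-128 session key, short message.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] sk = new byte[16], iv = new byte[12];
        RNG.nextBytes(sk); RNG.nextBytes(iv);
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        byte[] wrapped = rsa.doFinal(sk);
        byte[] ct = aesGcm(Cipher.ENCRYPT_MODE, sk, iv).doFinal(new byte[] {1, 2, 3});
        System.out.println(decryptData(unwrapSessionKey(kp.getPrivate(), wrapped, 16), iv, ct) != null);
        wrapped[wrapped.length - 1] ^= 1; // damaged EncryptedKey
        System.out.println(decryptData(unwrapSessionKey(kp.getPrivate(), wrapped, 16), iv, ct) != null);
    }
}
```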
