ws-dev mailing list archives

From "Marc Giger (JIRA)" <>
Subject [jira] [Resolved] (WSS-413) EncryptedKey security issue with streaming code
Date Thu, 13 Dec 2012 13:20:12 GMT


Marc Giger resolved WSS-413.

    Resolution: Fixed
      Assignee: Marc Giger  (was: Colm O hEigeartaigh)

resolved in r1421261 in santuario.
Additional test in r1421285 in wss4j.
> EncryptedKey security issue with streaming code
> -----------------------------------------------
>                 Key: WSS-413
>                 URL:
>             Project: WSS4J
>          Issue Type: Improvement
>            Reporter: Colm O hEigeartaigh
>            Assignee: Marc Giger
>             Fix For: 2.0
> Instead of throwing an exception when encountering a problem in processing an EncryptedKey,
> we should instead generate a session key and attempt to decrypt the EncryptedData structure
> instead (take a look at the DOM code here). This prevents timing attacks to see where the
> error was in processing the key versus data.

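The fallback described in WSS-413, sketched as an added example (this is not the Santuario or WSS4J code from r1421261): when the EncryptedKey cannot be processed, a random session key is substituted and the data decryption is still attempted, so a bad key and bad data surface as the same error. It assumes RSA-OAEP key transport and AES-128-GCM for the data; the class, method and constant names are hypothetical.

```java
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.*;
public class EncryptedKeyFallbackDemo { // added illustration; all names here are hypothetical
    static final String KEY_TRANSPORT = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding"; // assumed algorithm
    static final String DATA_CIPHER = "AES/GCM/NoPadding";                     // assumed algorithm
    static final SecureRandom RND = new SecureRandom();
    // Returns the unwrapped session key, or a random key if the EncryptedKey cannot be processed.
    static SecretKey sessionKey(PrivateKey kek, byte[] wrapped) {
        byte[] fallback = new byte[16];
        RND.nextBytes(fallback); // generated on every call, not only after a failure
        try {
            Cipher rsa = Cipher.getInstance(KEY_TRANSPORT);
            rsa.init(Cipher.DECRYPT_MODE, kek);
            byte[] k = rsa.doFinal(wrapped);
            if (k.length == 16) return new SecretKeySpec(k, "AES");
        } catch (GeneralSecurityException e) { /* swallowed: the key step reports nothing */ }
        return new SecretKeySpec(fallback, "AES");
    }

    // A bad EncryptedKey and bad EncryptedData both fail in the data step, with one exception.
    static byte[] decrypt(PrivateKey kek, byte[] wrapped, byte[] iv, byte[] data) {
        try {
            Cipher aes = Cipher.getInstance(DATA_CIPHER);
            aes.init(Cipher.DECRYPT_MODE, sessionKey(kek, wrapped), new GCMParameterSpec(128, iv));
            return aes.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new SecurityException("decryption failed"); // no cause attached, no detail
        }
    }

    static byte[] flip(byte[] b) { byte[] c = b.clone(); c[c.length / 2] ^= 1; return c; }
    public static void main(String[] args) throws Exception { // all inputs below are constructed
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        byte[] key = new byte[16], iv = new byte[12];
        RND.nextBytes(key); RND.nextBytes(iv);
        Cipher rsa = Cipher.getInstance(KEY_TRANSPORT);
        rsa.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        byte[] wrapped = rsa.doFinal(key);
        Cipher aes = Cipher.getInstance(DATA_CIPHER);
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] data = aes.doFinal("constructed payload".getBytes("UTF-8"));
        // Cases: untouched message, tampered wrapped key, tampered ciphertext.
        for (byte[][] c : new byte[][][] {{wrapped, data}, {flip(wrapped), data}, {wrapped, flip(data)}}) {
            try { System.out.println(new String(decrypt(kp.getPrivate(), c[0], iv, c[1]), "UTF-8")); }
            catch (SecurityException e) { System.out.println(e.getMessage()); }
        }
    }
}
```

Returning one exception for both cases removes the error-message signal; whether the two paths also take the same time depends on the cryptographic provider underneath.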