You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@myfaces.apache.org by "Leonardo Uribe (JIRA)" <de...@myfaces.apache.org> on 2010/10/01 03:14:33 UTC
[jira] Resolved: (MYFACES-2934) Side-channel timing attack in
StateUtils class may still allow padding oracle attack
[ https://issues.apache.org/jira/browse/MYFACES-2934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leonardo Uribe resolved MYFACES-2934.
-------------------------------------
Assignee: Leonardo Uribe
Fix Version/s: 1.1.9-SNAPSHOT
1.2.10-SNAPSHOT
2.0.3-SNAPSHOT
Resolution: Fixed
I just removed the break, and left a message to prevent remove developers to remove that code.
Thanks to Kevin W. Wall for this report.
> Side-channel timing attack in StateUtils class may still allow padding oracle attack
> ------------------------------------------------------------------------------------
>
> Key: MYFACES-2934
> URL: https://issues.apache.org/jira/browse/MYFACES-2934
> Project: MyFaces Core
> Issue Type: Bug
> Affects Versions: 1.2.9
> Environment: All using MyFaces 1.2.9
> Reporter: Kevin W. Wall
> Assignee: Leonardo Uribe
> Priority: Minor
> Fix For: 1.1.9-SNAPSHOT, 1.2.10-SNAPSHOT, 2.0.3-SNAPSHOT
>
> Original Estimate: 48h
> Remaining Estimate: 48h
>
> [FYI: I'm the person who fixed the padding oracle attack in ESAPI 2.0-rc# crypto which is why I spotted this.]
> I did a quick code inspection of encrypt() / decrypt() methods in org.apache.myfaces.shared_impl.util.StateUtils as it relates to the fix for MYFACES-2749. Most everything is done correct (MAC is over IV+ciphertext and checked before decryption), but I noticed a subtle flaw that, at least in theory (or enough data gathering and statistical analysis), that opens a side-channel timing attack that might be still be used as a oracle in a padded oracle attack such as described by Duong and Rizzo.
> The problem is in the 'for' loop at lines 471-478 in StateUtils.java. You need to compare ALWAYS compare ALL the bytes in the MAC to ensure a timing side-channel attack cannot be used to as an oracle in the padding oracle attack.
> Contact me at kevin.w.wall@gmail.com if you need more info or want to see how it was fixed in OWASP ESAPI.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.