Padding Oracles #11

Open
nsc opened this issue Jul 29, 2018 · 0 comments

Comments

@nsc (Owner) commented Jul 29, 2018

Part two of issue #9

Decoding for PKCS1v1.5 ciphertexts exits early if the first bytes of padding are incorrect:

```swift
if paddedData[0] != 0 || paddedData[1] != 2 {
```

which creates a padding oracle.

Similarly, when the PKCS1v1.5 ciphertext is decrypted, the server returns an error immediately:

```swift
preMasterSecret = try rsa.decrypt(encryptedPreMasterSecret)
```

which creates a padding oracle that doesn't even require a side channel to execute, since an attacker knows the PKCS1v1.5 ciphertext padding was valid iff the server does not abort the connection. The correct way to handle this is to first generate a random 48-byte premaster, then RSA decrypt, then if the RSA ciphertext was invalid carry on using the randomized premaster. Then there is no oracle for an attacker to use.
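The countermeasure described in the issue (draw a random 48-byte premaster first, decrypt, and keep the random value when the padding is bad), written out as an added example. This is not the project's code, which is Swift; it is Go, because Go's standard `crypto/rsa` implements exactly this countermeasure as `rsa.DecryptPKCS1v15SessionKey`, which copies the plaintext into the caller's buffer in constant time only when the padding and length are valid and otherwise leaves the pre-filled random bytes untouched. The function names, the tampered-ciphertext helper and the `main` demonstration are assumptions for this example; the premaster layout (two version bytes plus 46 random bytes) follows RFC 5246 section 7.4.7.1. The naive path is included only for contrast with the behaviour the issue reports.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
)

// TLS 1.2 premaster secret: 2 version bytes followed by 46 random bytes (RFC 5246 7.4.7.1).
const premasterLen = 48

// makeClientPremaster builds the value a TLS 1.2 client would RSA-encrypt.
func makeClientPremaster() ([]byte, error) {
	pms := make([]byte, premasterLen)
	if _, err := rand.Read(pms[2:]); err != nil {
		return nil, err
	}
	pms[0], pms[1] = 0x03, 0x03 // client_version = TLS 1.2
	return pms, nil
}

// naiveDecryptPremaster is the pattern the issue describes: the padding error is
// surfaced the moment unpadding fails, so the handshake aborts exactly when the
// padding was invalid. That observable difference is the oracle. Contrast only.
func naiveDecryptPremaster(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	pms, err := rsa.DecryptPKCS1v15(rand.Reader, priv, ct)
	if err != nil {
		return nil, err // early exit on invalid padding
	}
	if len(pms) != premasterLen {
		return nil, errors.New("premaster has wrong length")
	}
	return pms, nil
}

// hardenedDecryptPremaster applies the countermeasure the issue asks for:
// draw a random 48-byte premaster first, then let the RSA layer overwrite it
// only when padding and length check out. Valid and invalid ciphertexts both
// yield a 48-byte secret and no error; a bad ciphertext simply ends in a
// Finished-MAC mismatch later, like any other wrong premaster would.
func hardenedDecryptPremaster(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	pms := make([]byte, premasterLen)
	if _, err := rand.Read(pms); err != nil {
		return nil, err // entropy failure is independent of the ciphertext
	}
	// DecryptPKCS1v15SessionKey copies into pms in constant time when the
	// padding is valid and leaves the random bytes in place otherwise. Its
	// return value is deliberately not allowed to steer control flow: it only
	// reports a ciphertext of the wrong length, and continuing with the random
	// premaster is the right behaviour in that case as well.
	_ = rsa.DecryptPKCS1v15SessionKey(rand.Reader, priv, ct, pms)
	return pms, nil
}

// tamper returns a copy of the ciphertext with one bit of the last byte flipped,
// a constructed "corrupted ciphertext" input for the demonstration below.
func tamper(ct []byte) []byte {
	out := append([]byte(nil), ct...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	pms, err := makeClientPremaster()
	if err != nil {
		panic(err)
	}
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, &priv.PublicKey, pms)
	if err != nil {
		panic(err)
	}

	_, naiveErr := naiveDecryptPremaster(priv, tamper(ct))
	fmt.Println("naive path, corrupted ciphertext, error visible to the peer:", naiveErr)

	good, _ := hardenedDecryptPremaster(priv, ct)
	bad, _ := hardenedDecryptPremaster(priv, tamper(ct))
	fmt.Println("hardened path recovers the real premaster:", bytes.Equal(good, pms))
	fmt.Println("hardened path on corrupted ciphertext gives 48 random bytes, no error:",
		len(bad) == premasterLen && !bytes.Equal(bad, pms))
}
```

The hardened function has a single error path (the system RNG failing), and nothing about the returned value or the timing of the return depends on whether the padding was valid. A complete implementation also has to treat a mismatched `client_version` inside the premaster the same way, by substituting random bytes rather than aborting, as RFC 5246 section 7.4.7.1 requires.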
