RFR: 8302017: Allocate BadPaddingException only if it will be thrown

Xue-Lei Andrew Fan xuelei at openjdk.org
Fri Mar 24 17:38:21 UTC 2023


On Tue, 14 Mar 2023 21:58:46 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

>> May I get a chance to review it before the integration? I may need more time to dig into time-constant issue.
> 
> If I read Bleichenbacher's Attack[[1]](https://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf)[[2]](https://medium.com/@c0D3M/bleichenbacher-attack-explained-bc630f88ff25)[[3]](https://asecuritysite.com/encryption/c_c3) right, the attack works if it can tell the difference between good conditions and error conditions.  RFC 8017 says "distinguish the different error conditions", but it may be parsed differently for various contexts.  Please be careful about this update.
> 
> Thank you for giving me more time to look into the details.

> @XueleiFan are you still looking into the details of this change?

I'm not sure this update is safe.  It would be good (it is possible) to have an improvement where there are no timing differences between success and failure, by no longer using an exception in the unpad() implementation.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/12732#issuecomment-1483174451
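
A sketch of the kind of exception-free unpad() the message above asks for, added here as an example and not taken from the message, the PR, or the JDK's own code. The class, method and field names are hypothetical, the sample block is constructed, and the JVM itself gives no strict constant-time guarantee.

```java
import java.util.Arrays;

// Added sketch, not JDK code: PKCS#1 v1.5 type-2 unpadding that signals
// failure with a flag rather than an exception. All names are hypothetical.
public final class UnpadSketch {
    public static final class Result {
        public final boolean bad;
        public final byte[] data;
        Result(boolean bad, byte[] data) { this.bad = bad; this.data = data; }
    }

    // Returns -1 (all ones) if x == 0, else 0, without a branch.
    private static int isZeroMask(int x) {
        return ((x | -x) >>> 31) - 1;
    }

    public static Result unpadV15(byte[] padded) {
        int n = padded.length;               // public value (modulus size)
        if (n < 11) return new Result(true, new byte[0]);
        int bad = ~isZeroMask(padded[0] & 0xff);          // must start with 0x00
        bad |= ~isZeroMask((padded[1] & 0xff) ^ 0x02);    // block type 0x02
        int sepIndex = 0, found = 0;
        for (int i = 2; i < n; i++) {        // always scans the whole block
            int zero = isZeroMask(padded[i] & 0xff);
            sepIndex |= i & zero & ~found;   // record only the first 0x00
            found |= zero;
        }
        bad |= ~found;                       // no separator present
        bad |= (sepIndex - 10) >> 31;        // fewer than 8 padding bytes
        // Branch-free select: message start on success, n (empty) on failure.
        int start = ((sepIndex + 1) & ~bad) | (n & bad);
        // Limitation: the copy length still depends on the separator position.
        return new Result(bad != 0, Arrays.copyOfRange(padded, start, n));
    }

    public static void main(String[] args) {
        byte[] block = new byte[32];         // constructed sample, not real key data
        Arrays.fill(block, (byte) 0x5a);
        block[0] = 0x00; block[1] = 0x02; block[28] = 0x00;  // 26 padding bytes, 3-byte message
        Result ok = unpadV15(block);
        block[1] = 0x01;                     // wrong block type
        Result err = unpadV15(block);
        System.out.println(ok.bad + " " + ok.data.length);
        System.out.println(err.bad + " " + err.data.length);
    }
}
```

Both the valid and the invalid block go through the same full scan and the same allocation call; the caller decides what to do with the flag afterwards.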


