Open
Bug 1479487
Opened 6 years ago
Updated 2 years ago
WebCrypto Design issue for AES GCM
Categories
(Core :: DOM: Web Crypto, defect, P3)
NEW
People
(Reporter: antonio.sanso, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog2])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180704003137

Steps to reproduce:

Instant demo in https://asanso.github.io/firefox/aesgcm.html

Actual results:

IMHO the WebCrypto API has a design issue (at least in the AES GCM case). As you might see from the code in https://asanso.github.io/firefox/aesgcm.html, I have created a wrapping key that has only ["wrapKey"] usage. It should not be possible to recover the AES key using ["unwrapKey"]. This is indeed the case. But given that the WebCrypto API allows passing an explicit IV, it is trivial in the AES GCM case to recover the AES key using "wrapKey" again. See https://cryptosense.com/blog/attacks-on-key-wrapping-in-pkcs11-v2-40/ for the equivalent issue in the HSM case.
Comment 1•6 years ago
Franziskus, can you involve the right people here now that Tim's gone?
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Security
Flags: needinfo?(franziskuskiefer)
Product: Firefox → Core
Comment 2•6 years ago
I guess I'm the right people. Thanks, Antonio, for reporting. I agree this isn't great, but it's a spec issue rather than a Firefox issue. I don't see anything in the spec that would allow us to ignore the IV when wrapping keys. I filed a spec issue to add a note on IV re-use issues.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(franziskuskiefer)
Whiteboard: [domsecurity-backlog2]
Updated•6 years ago
Blocks: web-crypto
Comment 3•6 years ago
Wasn't the whole point of the WebCrypto "subtle" naming to point out that you can really screw up everything in there if you don't know what you're doing? There were those who didn't even want any of that to be in the API, just a foolproof simple API with safe defaults--but that wouldn't allow people to write crypto that interfaced with existing implementations. Since the issue is public on github (and likely argued about during the writing of the spec) we don't need to keep this hidden.
Group: dom-core-security
See Also: → https://github.com/w3c/webcrypto/issues/209
Updated•6 years ago
Priority: -- → P3
Updated•5 years ago
Component: DOM: Security → DOM: Web Crypto
Updated•2 years ago
Severity: normal → S3