Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[MASWE-0023] Weak Padding #2922

Open
wants to merge 17 commits into
base: master
Choose a base branch
from

Conversation

jmariasantosdekra
Copy link
Collaborator

This PR closes #2587.

Copy link
Collaborator

@cpholguera cpholguera left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First quick round of review. Thanks @jmariasantosdekra!

- NoPadding
- PKCS1-v1_5
status: draft

---
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
---
status: new
---

---

## Overview

Outdated or weak padding schemes, such as PKCS1v1.5 or other padding schemes that fail to comply with secure standards, such as NIST SP 800-56B are not recommended for use. These padding schemes include vulnerabilities that may allow attackers to undermine security mechanisms, such as padding oracle attacks.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is NIST SP 800-56B the right one? Please double check and add an inline link.

Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography

This Recommendation specifies key-establishment schemes using integer factorization cryptography (in particular, RSA). Both key-agreement and key transport schemes are specified for pairs of entities, and methods for key confirmation are included to provide assurance that both parties share the same keying material. In addition, the security properties associated with each scheme are provided.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also please add an inline link for "padding oracle attacks"

Comment on lines 25 to 26
Weak padding schemes can completely undermine the security of the cryptographic algorithms, exposing sensitive data to attackers, and making systems vulnerable to various attacks. This can lead to:

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't require intros here.

Suggested change
Weak padding schemes can completely undermine the security of the cryptographic algorithms, exposing sensitive data to attackers, and making systems vulnerable to various attacks. This can lead to:

Comment on lines 27 to 29
- **Data breaches**: Weak padding can lead to unauthorized access to sensitive data, resulting in data breaches.
- **Loss of data integrity**: Padding attacks may aid attackers in manipulating ciphertext, leading to unauthorized data modifications.
- **Compromised confidentiality**: Weak padding may aid attackers in recovering plaintext from encrypted data.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to shortly explain how each thing could happen.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[MASWE-0023] Weak Padding
2 participants