CVE-2016-6298: Million Messages Attack mitigation
RFC 3218 describes an oracle attack called Million Messages Attack
against RSA with PKCS1 v1.5 padding.

Depending on how JWEs are used, a server may become an oracle, and the
mitigation prescribed in RFC 3218 2.3.2 needs to be implemented.

Many thanks to Dennis Detering for his responsible disclosure and help
verifying the mitigation approach.

Resolves #65
Signed-off-by: Simo Sorce <simo@redhat.com>
Closes #66
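The mitigation the commit message refers to, shown end to end as an added example (this is not jwcrypto's code and uses none of its identifiers): a server that lets the PKCS#1 v1.5 padding error escape is an oracle, because an attacker who sends related ciphertexts can tell "padding did not conform" apart from "padding conformed but the content did not decrypt". RFC 3218 2.3.2 closes that gap by substituting a random content-encryption key of the expected size whenever unwrapping fails, so every bad probe ends in the same content-integrity failure. The RSA here is textbook RSA over a constructed 216-bit toy modulus built from the Mersenne primes 2**127 - 1 and 2**89 - 1, and an HMAC-SHA256 tag stands in for the JWE content encryption (AES-GCM in a real JWE); both choices exist only so the code runs offline with the standard library, and the timing behaviour of the underlying RSA decryption, which the real mitigation also has to account for, is outside this toy. All function names (`naive_unwrap`, `mitigated_unwrap`, `oracle_view`, ...) are invented for the illustration.

```python
"""RFC 3218 2.3.2 "random filling" against a PKCS#1 v1.5 padding oracle.
Added toy illustration, not jwcrypto code: textbook RSA over a tiny
constructed modulus plus an HMAC tag standing in for AES-GCM. Never use
this for real encryption."""
import hashlib
import hmac
import os
import secrets

# Constructed toy key: 2**127 - 1 and 2**89 - 1 are Mersenne primes.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus length in bytes (27 here)
CEK_LEN = 16                        # 128-bit content-encryption key
TAG_LEN = 32                        # SHA-256 HMAC tag


def pkcs1_v15_pad(msg):
    """EME-PKCS1-v1_5: 00 02 || PS (>= 8 non-zero random bytes) || 00 || msg."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for the modulus")
    ps = bytes(b or 1 for b in os.urandom(ps_len))  # PS must contain no zero byte
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em, expected_len):
    """Strict check of the decrypted block; raises on any deviation."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:                      # no separator, or fewer than 8 PS bytes
        raise ValueError("bad padding")
    msg = em[sep + 1:]
    if len(msg) != expected_len:
        raise ValueError("bad key length")
    return msg


def rsa_encrypt(msg):
    return pow(int.from_bytes(pkcs1_v15_pad(msg), "big"), E, N).to_bytes(K, "big")


def rsa_decrypt_raw(ct):
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")


def naive_unwrap(ek):
    """Oracle: the padding error reaches the caller, distinct from a later
    content-decryption failure."""
    return pkcs1_v15_unpad(rsa_decrypt_raw(ek), CEK_LEN)


def mitigated_unwrap(ek):
    """RFC 3218 2.3.2: on any failure return a random CEK of the right size,
    so the only observable failure is the content integrity check."""
    cek = secrets.token_bytes(CEK_LEN)
    try:
        cek = pkcs1_v15_unpad(rsa_decrypt_raw(ek), CEK_LEN)
    except Exception:
        pass
    return cek


def seal(cek, plaintext):
    """Stand-in for AES-GCM: plaintext followed by an HMAC-SHA256 tag."""
    return plaintext + hmac.new(cek, plaintext, hashlib.sha256).digest()


def open_sealed(cek, sealed):
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(cek, body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return body


def observe(unwrap, ek, sealed):
    """What the attacker learns from one decryption request."""
    try:
        cek = unwrap(ek)
    except ValueError as exc:
        return "key unwrap failed: " + str(exc)
    try:
        open_sealed(cek, sealed)
    except ValueError as exc:
        return "content decryption failed: " + str(exc)
    return "ok"


def blind(ek, s):
    """Bleichenbacher-style related ciphertext: decrypts to s * EM mod N."""
    c = int.from_bytes(ek, "big")
    return (c * pow(s, E, N) % N).to_bytes(K, "big")


def oracle_view(unwrap):
    """Server responses for the genuine encrypted key and three attacker probes.
    s = 2 is used because 2 * EM < N here, so the block always starts 00 04/05."""
    cek = secrets.token_bytes(CEK_LEN)
    sealed = seal(cek, b"constructed JWE payload")
    ek = rsa_encrypt(cek)
    probes = {
        "genuine": ek,
        "non-conforming padding": blind(ek, 2),
        "conforming, wrong key": rsa_encrypt(secrets.token_bytes(CEK_LEN)),
        "conforming, wrong key length": rsa_encrypt(secrets.token_bytes(CEK_LEN - 1)),
    }
    return {name: observe(unwrap, p, sealed) for name, p in probes.items()}
```

Calling `oracle_view(naive_unwrap)` returns four distinct responses (the attacker can tell a conforming probe from a non-conforming one, which is all a Bleichenbacher search needs), while `oracle_view(mitigated_unwrap)` answers "ok" only for the genuine key and "content decryption failed: integrity check failed" for every probe. Note that the mitigated version deliberately never raises from the unwrap step: a caller has to treat the content-layer failure as the signal that decryption failed.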
simo5 committed Aug 31, 2016
1 parent 9282e1e commit eb5be5b
Showing 1 changed file with 17 additions and 0 deletions.
17 changes: 17 additions & 0 deletions jwcrypto/jwa.py
@@ -379,6 +379,23 @@ class _Rsa15(_RSA, JWAAlgorithm):
def __init__(self):
super(_Rsa15, self).__init__(padding.PKCS1v15())

def unwrap(self, key, bitsize, ek, headers):
self._check_key(key)
# Address MMA attack by implementing RFC 3218 - 2.3.2. Random Filling
# provides a random cek that will cause the decryption engine to
# run to the end, but will fail decryption later.

# always generate a random cek so we spend roughly the
# same time as in the exception side of the branch
cek = _randombits(bitsize)
try:
cek = super(_Rsa15, self).unwrap(key, bitsize, ek, headers)
# always raise so we always run through the exception handling
# code in all cases
raise Exception('Dummy')
except Exception: # pylint: disable=broad-except
return cek


class _RsaOaep(_RSA, JWAAlgorithm):

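Review bot: the `except Exception` in the new `unwrap` swallows every exception raised inside the parent `unwrap`, not only the padding failure the RFC 3218 mitigation targets, and then returns a random `cek` to the caller, so any non-oracle-related fault in that call (a malformed `ek`, a library error) surfaces only as an unrelated content-decryption failure later with no hint of the real cause. Suggest a docstring on `unwrap` stating that it deliberately never raises and why, so callers and future maintainers do not "fix" it, and a short note next to `raise Exception('Dummy')` that the point is to take the same path on success and failure; as it stands a reader sees the `# pylint: disable=broad-except` and a dummy raise with no mention that the behaviour is intentional beyond the two comments above the `try`. Also, `self._check_key(key)` sits outside the `try`, so the "always run through the exception handling code in all cases" comment is accurate only for the parent `unwrap` call, which is fine (a bad key is not attacker-controlled), but worth saying explicitly.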