Base64 Malleability protection - support for canonical decoder #182
Comments
Thanks for the report. It looks like optionally detecting invalid padding is what's needed to allow canonical decoding, if I'm reading this correctly.
Yes exactly, padding rules should be consistent and always return an error if it's not canonical. The same input should always be successfully decoded from a single base64 representation (its canonical format). Feel free to use the test vectors from the paper as well, we'll soon add more official ones.
Another place that a canonical decoder mode would be useful is implementing the strict parsing of RFC 7468 PEM-style text encodings. I myself believed that I was correctly implementing the above with this crate, because
See what you think of #198. Does it fully address your concerns?
Released in 0.20.0. @kchalkias let me know if this implementation doesn't fully address the issue.
Thanks @marshallpierce, will test behavior, please feel free to also have a test using the test-vectors provided in the paper in table 2: https://eprint.iacr.org/2022/361.pdf (will open an issue just for tracking)
Although the related Base64 RFC allows for non-canonical implementations, there exist many applications where canonicity is of high importance. Current implementation does not provide a `canonical_decode` mode and the recent AsiaCCS 2022 paper https://eprint.iacr.org/2022/361 (from Mysten Labs, Facebook research and GMU) compares this `base64` crate with the `base64ct` one.
A number of real world attacks have been identified already:
--- I happen to lead this research, quoting some of the attacks we actually performed live in large scale systems ---
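Added example, not part of the original issue and not the `base64` crate's code: a minimal strict decoder for the standard padded alphabet that rejects the non-canonical inputs this thread is about (wrong or missing padding, non-zero trailing bits). The function `canonical_decode` and the `DecodeError` type below are hypothetical names, and the sample strings are constructed.

```rust
// Added example (not the base64 crate's code): strict decoder for the
// standard alphabet with mandatory padding. All names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum DecodeError { BadLength, BadSymbol(usize), BadPadding, NonZeroTrailingBits }

fn sextet(c: u8) -> Option<u32> {
    match c {
        b'A'..=b'Z' => Some(u32::from(c - b'A')),
        b'a'..=b'z' => Some(u32::from(c - b'a') + 26),
        b'0'..=b'9' => Some(u32::from(c - b'0') + 52),
        b'+' => Some(62),
        b'/' => Some(63),
        _ => None,
    }
}

pub fn canonical_decode(input: &str) -> Result<Vec<u8>, DecodeError> {
    let bytes = input.as_bytes();
    // Padding is mandatory, so the length is always a multiple of four.
    if bytes.len() % 4 != 0 { return Err(DecodeError::BadLength); }
    let quads = bytes.len() / 4;
    let mut out = Vec::with_capacity(quads * 3);
    for (i, quad) in bytes.chunks(4).enumerate() {
        // '=' is only legal as the last one or two symbols of the final quad.
        let pad = if i + 1 == quads {
            quad.iter().rev().take_while(|&&c| c == b'=').count()
        } else { 0 };
        if pad > 2 { return Err(DecodeError::BadPadding); }
        let mut acc = 0u32;
        for (j, &c) in quad[..4 - pad].iter().enumerate() {
            let v = match sextet(c) {
                Some(v) => v,
                None if c == b'=' => return Err(DecodeError::BadPadding),
                None => return Err(DecodeError::BadSymbol(i * 4 + j)),
            };
            acc = (acc << 6) | v;
        }
        acc <<= 6 * pad as u32; // left-align the data in a 24-bit group
        // Bits below the last whole byte are discarded; a canonical
        // encoding always has them set to zero.
        if acc & ((1u32 << (8 * pad)) - 1) != 0 { return Err(DecodeError::NonZeroTrailingBits); }
        let b = [(acc >> 16) as u8, (acc >> 8) as u8, acc as u8];
        out.extend_from_slice(&b[..3 - pad]);
    }
    Ok(out)
}

fn main() {
    // Constructed inputs: the second differs only in its unused trailing bits.
    for s in ["SGVsbG8=", "SGVsbG9="] { println!("{} -> {:?}", s, canonical_decode(s)); }
}
```

A decoder that ignores the trailing bits would map both sample strings to the same bytes, which is the malleability the issue describes.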