Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use SHA256 instead of XOR to combine x509pop nonces #562

Merged
merged 1 commit into from
Aug 20, 2018
Merged

use SHA256 instead of XOR to combine x509pop nonces #562

merged 1 commit into from
Aug 20, 2018

Conversation

azdagron
Copy link
Member

XOR allows for a malicious agent to fake key possession by finding an
existing set of plaintext + signature generated by the key and choosing
a nonce that will produce the plaintext when XOR'd with the server
nonce.

Swapping to SHA256 prevents the attacker from choosing a nonce that
hashes to the plaintext.

Many thanks to @enricoschiattarella for pointing this out.

@azdagron
use SHA256 instead of XOR to combine x509pop nonces
88a1626 
XOR allows for a malicious agent to fake key possession by finding an
existing set of plaintext + signature generated by the key and choosing
a nonce that will produce the plaintext when XOR'd with the server
nonce.

Swapping to SHA256 prevents the attacker from choosing a nonce that
hashes to the plaintext.

Signed-off-by: Andrew Harding <azdagron@gmail.com>
enricoschiattarella
enricoschiattarella approved these changes Aug 20, 2018
View reviewed changes
Copy link
Contributor

@enricoschiattarella enricoschiattarella left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@azdagron azdagron merged commit 5795105 into spiffe:master Aug 20, 2018
@azdagron azdagron deleted the use-sha256-to-combine-nonce branch August 20, 2018 21:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@evan2645 evan2645 evan2645 approved these changes

@enricoschiattarella enricoschiattarella enricoschiattarella approved these changes

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo

@MarcosDY MarcosDY Awaiting requested review from MarcosDY

@martincapello martincapello Awaiting requested review from martincapello

@walmav walmav Awaiting requested review from walmav

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@azdagron @evan2645 @enricoschiattarella