Side-Channel on Base64?! #1

Open
inkeliz opened this issue Nov 3, 2018 · 0 comments

inkeliz commented Nov 3, 2018

Looking at the source code, it uses base64.RawURLEncoding:

webcrypto/ecdsa/ecdsa.go

Lines 18 to 20 in be3d31d

"x": base64.RawURLEncoding.EncodeToString(prv.X.Bytes()),
"y": base64.RawURLEncoding.EncodeToString(prv.Y.Bytes()),
"d": base64.RawURLEncoding.EncodeToString(prv.D.Bytes()),

It uses a table lookup. Since this lookup is not constant-time, maybe it can leak some information about the encoded value, the key itself.

I don't know if a practical attack already exists at this time, but others have already spotted the same problem. Some libraries already use constant-time decoding/encoding:

LibSodium:

The function always returns hex. It evaluates in constant time for a given size.

BoringSSL:

Since PEM is sometimes used to carry private keys, we decode base64 data itself in constant-time.


Should webcrypto use this kind of function?
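
An added example, not part of the original issue or of the webcrypto code base: a base64url encoder that computes each output character with arithmetic and masks instead of a table lookup, cross-checked against base64.RawURLEncoding. The names ctChar, CTEncodeRawURL and agreesWithStdlib and the sample bytes are constructed for illustration; Go does not guarantee constant-time code generation, so this only removes the data-indexed lookup at the source level.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// ctChar maps a 6-bit value (0..63) to its base64url character with arithmetic
// and masks only, so no table is indexed by (possibly secret) data.
func ctChar(v int) byte {
	c := v + 'A'
	c += ((25 - v) >> 8) & 6  // v > 25: shift into 'a'..'z'
	c -= ((51 - v) >> 8) & 75 // v > 51: shift into '0'..'9'
	c -= ((61 - v) >> 8) & 13 // v > 61: shift to '-'
	c += ((62 - v) >> 8) & 49 // v > 62: shift to '_'
	return byte(c)
}

// CTEncodeRawURL encodes src as unpadded base64url. Control flow depends only
// on len(src), which is treated as public here (an assumption of this example).
func CTEncodeRawURL(src []byte) string {
	n := (len(src)*4 + 2) / 3 // unpadded output length
	out := make([]byte, 0, n+3)
	for i := 0; i < len(src); i += 3 {
		var b [3]byte // zero-filled, so a short final group is padded with 0 bits
		copy(b[:], src[i:])
		w := int(b[0])<<16 | int(b[1])<<8 | int(b[2])
		out = append(out, ctChar(w>>18), ctChar(w>>12&63), ctChar(w>>6&63), ctChar(w&63))
	}
	return string(out[:n]) // drop the characters produced by the zero fill
}

// agreesWithStdlib compares against base64.RawURLEncoding on constructed
// inputs of length 0..257 that together contain every byte value.
func agreesWithStdlib() bool {
	var buf []byte
	for n := 0; n < 258; n++ {
		if CTEncodeRawURL(buf) != base64.RawURLEncoding.EncodeToString(buf) {
			return false
		}
		buf = append(buf, byte(n*7+3))
	}
	return true
}

func main() {
	sample := []byte{0xfb, 0xef, 0xbe, 0x00, 0x10} // constructed bytes, not a real key
	fmt.Println(CTEncodeRawURL(sample), agreesWithStdlib())
}
```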
