Commit eb5be5bd authored by Simo Sorce's avatar Simo Sorce

CVE-2016-6298: Million Messages Attack mitigation

RFC 3218 describes an oracle attack called Million Messages Attack
against RSA with PKCS1 v1.5 padding.

Depending on how JWEs are used a server may become an Oracle, and the
mitigation presecribed in RFC 3218 2.3.2 need to be implemented.

Many thanks to Dennis Detering for his responsible disclosure and help
verifying the mitigation approach.

Resolves #65
Signed-off-by: 's avatarSimo Sorce <>
Closes #66
parent 9282e1e9
......@@ -379,6 +379,23 @@ class _Rsa15(_RSA, JWAAlgorithm):
def __init__(self):
super(_Rsa15, self).__init__(padding.PKCS1v15())
def unwrap(self, key, bitsize, ek, headers):
# Address MMA attack by implementing RFC 3218 - 2.3.2. Random Filling
# provides a random cek that will cause the decryption engine to
# run to the end, but will fail decryption later.
# always generate a random cek so we spend roughly the
# same time as in the exception side of the branch
cek = _randombits(bitsize)
cek = super(_Rsa15, self).unwrap(key, bitsize, ek, headers)
# always raise so we always run through the exception handling
# code in all cases
raise Exception('Dummy')
except Exception: # pylint: disable=broad-except
return cek
class _RsaOaep(_RSA, JWAAlgorithm):
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment