Security flaws in SealedObjects

Ilan Zohar (ilanz@leland.Stanford.EDU)
Mon, 08 Mar 1999 18:07:38 -0800

Date: Mon, 08 Mar 1999 18:07:38 -0800
From: Ilan Zohar <ilanz@leland.Stanford.EDU>
To: java-security@java.sun.com
Subject: Security flaws in SealedObjects

This is a multi-part message in MIME format.
--------------367B3BA0FCEB5362B7913B2F
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,
I am a graduate student in Stanford University.
I've been using JCE 1.2 and I really enjoy it. I found out that the most
convenient way to use encryption/decryption is to use the Sealed Object
class.
However,.. since java safety design made led the JCE designer to insert
the object's full desciption in the SealedObject objects , decreasing
the entropy of the ciphertext and hence the security of its use.
moreover since Java throws an exception whenever the decryption fails,
the java run time system can be used as an Oracle to leak information
about the cipher text, which clearly against the intent of the
encryption users.

Thanks,

Ilan Zohar
ilanz@leland.stanford.edu
Computer Systems Laboratory
Stanford University

--------------367B3BA0FCEB5362B7913B2F
Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf"
Content-Description: Card for Ilan Zohar
Content-Disposition: attachment; filename="vcard.vcf"
Content-Transfer-Encoding: 7bit

begin: vcard
fn: Ilan Zohar
n: Zohar;Ilan
org: CSL, Stanford University
adr: 704 Campus DR APT 2G;;;Stanford;CA;94305-7567;USA
email;internet: ilanz@leland.stanford.edu
tel;work: 650-723-9445
tel;home: 650-497-4638
x-mozilla-cpt: ;7776
x-mozilla-html: TRUE
version: 2.1
end: vcard

--------------367B3BA0FCEB5362B7913B2F--