Article 5YCG5 Major cryptography blunder in Java enables “psychic paper” forgeries

Major cryptography blunder in Java enables “psychic paper” forgeries

by
Dan Goodin
from Ars Technica - All content on (#5YCG5)
broken-lock-800x513.jpeg

Enlarge (credit: Getty Images)

Organizations using newer versions of Oracle's Java framework woke up on Wednesday to a disquieting advisory: A critical vulnerability can make it easy for adversaries to forge TLS certificates and signatures, two-factor authentication messages, and authorization credentials generated by a range of widely used open standards.

The vulnerability, which Oracle patched on Tuesday, affects the company's implementation of the Elliptic Curve Digital Signature Algorithm in Java versions 15 and above. ECDSA is an algorithm that uses the principles of elliptic curve cryptography to authenticate messages digitally. A key advantage of ECDSA is the smaller size of the keys it generates, compared to RSA or other crypto algorithms, making it ideal for use in standards including FIDO-based 2FA, the Security Assertion Markup Language, OpenID, and JSON.

Doctor Who and the psychic paper

Neil Madden, the researcher at security firm ForgeRock who discovered the vulnerability, likened it to the blank identity cards that make regular appearances in the sci-fi show Doctor Who. The psychic paper the cards are made of causes the person looking at it to see whatever the protagonist wants them to see.

Read 12 remaining paragraphs | Comments

index?i=TyHRzGO-BSI:reJhG_nFkss:V_sGLiPB index?i=TyHRzGO-BSI:reJhG_nFkss:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA
External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments