
README.md: add info about Marvin Attack (RUSTSEC-2023-0071) #391

Merged
merged 1 commit into from
Nov 28, 2023

Conversation

@tarcieri tarcieri merged commit 5d45065 into master Nov 28, 2023
9 checks passed
@tarcieri tarcieri deleted the readme/RUSTSEC-2023-0071 branch November 28, 2023 19:34
but timing variability is masked using [random blinding], a commonly used
technique.
technique.~~ This crate is vulnerable to the [Marvin Attack] which could enable
private key recovery by a network attacker (see [RUSTSEC-2023-0071]).
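Review bot: the added sentence says the Marvin Attack "could enable private key recovery", while the discussion on this review says the attack itself only yields signing or decryption with the key, and that key recovery becomes plausible because the decryption exponentiation is unblinded and non-constant-time. Consider stating that split in the README, e.g. `This crate is vulnerable to the [Marvin Attack], which permits decryption and signing with the private key; the unblinded, non-constant-time exponentiation may also allow private key recovery (see [RUSTSEC-2023-0071]).` Also confirm that the reference-style links `[Marvin Attack]` and `[RUSTSEC-2023-0071]` are defined in the README, as `[random blinding]` was.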
Member Author

@tarcieri tarcieri Nov 28, 2023


I should probably note that while the "Marvin Attack" itself only permits signing or decryption and not actual recovery of the private key, the timing variability of our core rsa_decrypt function seems severe enough that it's something worth warning about (also being able to do things the private key enables without recovering the private key isn't that much better of a situation)


Correct. While the Marvin Attack isn't about extraction of the RSA private key, the lack of blinding on the RSA decryption operation and the non-constant-time numerical library used for the modular exponentiation mean that private key extraction is very likely possible. See references from Section 2 of https://datatracker.ietf.org/doc/draft-kario-rsa-guidance/
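The random blinding that the README text above refers to, shown as an added illustration that is not the rsa crate's own code: a constructed textbook-sized RSA key (not secure, for arithmetic only) is decrypted both directly and with a fresh random blinding factor per operation, so the private exponentiation never runs on the attacker-chosen ciphertext itself and its timing no longer correlates with that input.

```python
import secrets
from math import gcd


def rsa_keygen_demo():
    # Constructed toy key (textbook example, NOT secure): p = 61, q = 53.
    p, q = 61, 53
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 17
    d = pow(e, -1, phi)  # private exponent, d = 2753 for these values
    return n, e, d


def rsa_decrypt_unblinded(c, d, n):
    # Private exponentiation directly on the attacker-chosen ciphertext.
    # With a non-constant-time modexp, the time taken depends on both c and d,
    # which is the leak the thread above is concerned with.
    return pow(c, d, n)


def blinding_factor(n):
    # Fresh per operation: a random r in [2, n-1] that is invertible mod n.
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def rsa_decrypt_blinded(c, d, e, n):
    # Base blinding: decrypt (c * r^e) instead of c, then strip r.
    # (c * r^e)^d = c^d * r^(e*d) = m * r (mod n), so m = m_blind * r^-1.
    r = blinding_factor(n)
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)
    return (m_blind * pow(r, -1, n)) % n


if __name__ == "__main__":
    n, e, d = rsa_keygen_demo()
    m = 65  # constructed sample message, must be < n
    c = pow(m, e, n)
    print(rsa_decrypt_unblinded(c, d, n), rsa_decrypt_blinded(c, d, e, n))
```

Blinding only hides the exponentiation's timing; a PKCS#1 v1.5 padding check that runs after un-blinding still has to be constant-time on its own.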
