README.md: add info about Marvin Attack (RUSTSEC-2023-0071) #391
Conversation
| but timing variability is masked using [random blinding], a commonly used | ||
| technique. | ||
| technique.~~ This crate is vulnerable to the [Marvin Attack] which could enable | ||
| private key recovery by a network attacker (see [RUSTSEC-2023-0071]). |
There was a problem hiding this comment.
I should probably note that while the "Marvin Attack" itself only permits signing or decryption and not actual recovery of the private key, the timing variability of our core rsa_decrypt function seems severe enough that it's something worth warning about (also being able to do things the private key enables without recovering the private key isn't that much better of a situation)
There was a problem hiding this comment.
Correct. While Marvin Attack isn't about extraction of the RSA private key, lack of blinding on the RSA decryption operation and non-constant time numerical library used for the modular exponentiation mean that private key extraction is very likely possible. See references from Section 2 of https://datatracker.ietf.org/doc/draft-kario-rsa-guidance/
References: