README.md: add info about Marvin Attack (RUSTSEC-2023-0071) #391

Merged (1 commit) on Nov 28, 2023
12 changes: 9 additions & 3 deletions README.md
Expand Up @@ -65,16 +65,19 @@ There will be three phases before `1.0` 🚢 can be released.
- [ ] Fuzz testing
- [ ] Security Audits

## Security Notes
## ⚠️Security Warning

This crate has received one [security audit by Include Security][audit], with
only one minor finding which has since been addressed.

See the [open security issues] on our issue tracker for other known problems.

Notably the implementation of [modular exponentiation is not constant time],
~~Notably the implementation of [modular exponentiation is not constant time],
but timing variability is masked using [random blinding], a commonly used
technique.
technique.~~ This crate is vulnerable to the [Marvin Attack] which could enable
private key recovery by a network attacker (see [RUSTSEC-2023-0071]).
@tarcieri (Member, Author) commented on Nov 28, 2023:

I should probably note that while the "Marvin Attack" itself only permits signing or decryption and not actual recovery of the private key, the timing variability of our core rsa_decrypt function seems severe enough that it's something worth warning about (also being able to do things the private key enables without recovering the private key isn't that much better of a situation)

Reply:

Correct. While the Marvin Attack isn't about extraction of the RSA private key, the lack of blinding on the RSA decryption operation and the non-constant-time numerical library used for the modular exponentiation mean that private key extraction is very likely possible. See the references in Section 2 of https://datatracker.ietf.org/doc/draft-kario-rsa-guidance/

You can follow our work on mitigating this issue in [#390].

## Minimum Supported Rust Version (MSRV)
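Review bot: the added sentence `This crate is vulnerable to the [Marvin Attack] which could enable private key recovery by a network attacker` states a stronger impact than the author's own comment in this thread, which says the attack itself permits signing or decryption with the key rather than its recovery; consider wording that matches both, e.g. `which lets a network attacker decrypt or sign with the private key and may enable its recovery`. Two smaller points: the new heading `## ⚠️Security Warning` lacks a space between the emoji and the text (and renaming `Security Notes` changes the heading anchor for any existing links), and the `~~…~~` strikethrough keeps the old claim that timing variability is masked by random blinding visible in the rendered README, which contradicts the thread's statement that blinding is absent on decryption; deleting those lines outright (together with the `[modular exponentiation is not constant time]` and `[random blinding]` reference definitions in the second hunk) would avoid that.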

Expand Down Expand Up @@ -118,3 +121,6 @@ dual licensed as above, without any additional terms or conditions.
[open security issues]: https://github.com/RustCrypto/RSA/issues?q=is%3Aissue+is%3Aopen+label%3Asecurity
[modular exponentiation is not constant time]: https://github.com/RustCrypto/RSA/issues/19
[random blinding]: https://en.wikipedia.org/wiki/Blinding_(cryptography)
[Marvin Attack]: https://people.redhat.com/~hkario/marvin/
[RUSTSEC-2023-0071]: https://rustsec.org/advisories/RUSTSEC-2023-0071.html
[#390]: https://github.com/RustCrypto/RSA/issues/390
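The comment thread above contrasts decryption with and without blinding. As an added illustration that is not RustCrypto/RSA code, the following shows RSA base blinding as the struck-through README sentence described it, on a constructed toy key (p = 61, q = 53; the names `TOY_N`, `TOY_E`, `TOY_D` and the functions are assumptions of this example), together with the caveat from the thread that blinding decorrelates timing from the ciphertext but does not make the exponentiation itself constant time.

```rust
// Added illustration, not RustCrypto/RSA code: RSA base blinding on a toy key.
// Values are tiny constructed numbers (< 2^64, so products fit u128); a real key needs a bignum library.
/// Square-and-multiply modexp. NOT constant time: the branch on each exponent
/// bit is the ciphertext-dependent leakage that blinding is meant to mask.
fn mod_pow(base: u128, mut exp: u128, m: u128) -> u128 {
    let (mut acc, mut base) = (1u128, base % m);
    while exp > 0 {
        if exp & 1 == 1 {
            acc = acc * base % m;
        }
        base = base * base % m;
        exp >>= 1;
    }
    acc
}

fn gcd(a: u128, b: u128) -> u128 { if b == 0 { a } else { gcd(b, a % b) } }

/// Modular inverse by extended Euclid; None when gcd(a, m) != 1.
fn mod_inv(a: u128, m: u128) -> Option<u128> {
    let (mut old_r, mut r) = (a as i128, m as i128);
    let (mut old_s, mut s) = (1i128, 0i128);
    while r != 0 {
        let q = old_r / r;
        (old_r, r) = (r, old_r - q * r);
        (old_s, s) = (s, old_s - q * s);
    }
    if old_r != 1 { return None; }
    Some(old_s.rem_euclid(m as i128) as u128)
}

/// Unblinded: the attacker-chosen ciphertext feeds the variable-time modexp directly.
fn decrypt_unblinded(c: u128, d: u128, n: u128) -> u128 { mod_pow(c, d, n) }

/// Blinded: (c * r^e)^d * r^-1 = c^d mod n. The modexp sees a value the attacker
/// cannot predict, so its timing no longer correlates with c; mod_pow itself stays
/// variable-time. `r` must be fresh, random and coprime to n (a parameter here for testability).
fn decrypt_blinded(c: u128, d: u128, e: u128, n: u128, r: u128) -> Option<u128> {
    if r == 0 || gcd(r, n) != 1 {
        return None; // unusable blinding factor: refuse, never fall back to unblinded
    }
    let r_inv = mod_inv(r, n)?;
    let blinded_m = mod_pow(c * mod_pow(r, e, n) % n, d, n);
    Some(blinded_m * r_inv % n)
}

// Constructed toy key: p = 61, q = 53 -> n = 3233, e = 17, d = 2753.
const TOY_N: u128 = 3233;
const TOY_E: u128 = 17;
const TOY_D: u128 = 2753;
```

Both paths return the same plaintext; the point of the blinded path is only that the value entering `mod_pow` is unrelated to the ciphertext an attacker submitted.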