Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Design an API for safer RSA PKCS#1v1.5 decryption of session keys #5510

Closed
alex opened this issue Oct 26, 2020 · 8 comments · Fixed by #5600
Closed

Design an API for safer RSA PKCS#1v1.5 decryption of session keys #5510

alex opened this issue Oct 26, 2020 · 8 comments · Fixed by #5600
Labels
api design primitives security-hardening
Milestone
Thirty Third Release

Comments

@alex
Copy link
Member

alex commented Oct 26, 2020

To protect against bleichbacher attackers. Probably modeled on https://golang.org/pkg/crypto/rsa/#DecryptPKCS1v15SessionKey
@alex alex added this to the Thirty Third Release milestone Oct 26, 2020
@tomato42
Copy link

Alternatively, something like RSA_padding_check_PKCS1_type_2 from OpenSSL https://github.com/openssl/openssl/blob/master/crypto/rsa/rsa_pk1.c#L170

alex added a commit to alex/cryptography that referenced this issue Dec 7, 2020
@alex
Document that PKCS1v1.5 is not constant time
5cdb961 
closes pyca#5510
@alex alex mentioned this issue Dec 7, 2020
Merged
alex added a commit to alex/cryptography that referenced this issue Dec 7, 2020
@alex
Document that PKCS1v1.5 is not constant time
a003d4e 
closes pyca#5510
alex added a commit to alex/cryptography that referenced this issue Dec 7, 2020
@alex
Document that PKCS1v1.5 is not constant time
1ac4759 
closes pyca#5510
reaperhulk pushed a commit that referenced this issue Dec 7, 2020
@alex
Document that PKCS1v1.5 is not constant time (#5600)
8686d52 
closes #5510
@tomato42
Copy link

tomato42 commented Dec 7, 2020

@alex how users will know that they need to contribute a safe implementation?

@alex
Copy link
Member Author

alex commented Dec 7, 2020

We've tried to lay out clearly in the docs the contexts in which this is required. If you think there's room to improve the docs, we're happy to make changes.

@tomato42
Copy link

tomato42 commented Dec 7, 2020

@alex yes, it's clear and it's arguably correct; the problem is that unless there's an unfixed CVE, dependents generally don't look into the state of libraries they depend on

so they will continue to use a known unsafe API without knowing that it is unsafe

@alex
Copy link
Member Author

alex commented Dec 7, 2020

That was always going to be the case: You can't have a constant-time API that works the way our current API does, you need a dedicated API for the session key use case, like Go does. So users in these contexts were always going to need to take some specific action.

If there are libraries implementing, for example, TLS with RSA key exchange on top of cryptography, the correct thing is to obtain a CVE against them and then work with us to implement this API.

After research @reaperhulk and I decided that because RSA key exchange is so disfavored for a multitude of reasons, we were not inclined to invest in this unless there was a compelling and concrete use case.

@tomato42
Copy link

tomato42 commented Dec 7, 2020

@alex so you don't think that the design I described in openssl/openssl#13421 would work? can you say why?

@alex
Copy link
Member Author

alex commented Dec 7, 2020 via email

@tomato42
Copy link

tomato42 commented Dec 7, 2020
edited
Loading

@alex "novel" - fair enough
"changes our public API" - how? a malformed RSA ciphertext doesn't guarantee a decryption failure

This was referenced Dec 7, 2020
Open
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 8, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
api design primitives security-hardening
Milestone
Thirty Third Release
Development

Successfully merging a pull request may close this issue.

Document that PKCS1v1.5 is not constant time alex/cryptography
2 participants
@alex @tomato42