The Rust rsa crate has been found vulnerable in some form to the Marvin Attack.
The maintainers are actively working on a fix for this in RSA/394.
As soon as this fix is in place, Rauthy will be updated with the new version to mitigate this attack.
A change to something like boring will not be done, because I want to stay pure Rust as much as possible and the compilation to musl targets should not be broken (which would happen with C bindings like boring).
The changes on the pure Rust rsa crate seem to be quite a bit bigger.
This is not a big problem though, it only "looks ugly" to have this issue here.
The rsa crate is used by Rauthy for issuing and verifying RSA-signed tokens, which do exist for compatibility only, while the default is EdDSA.
The crate is vulnerable to constant timing attacks with a medium severity. This could potentially leak information about the private key, if RSA operations are observable over the network.
This does not apply to Rauthy!
To take advantage of this issue, an attacker would need to observe the RSA operations while signing tokens, which is not possible, because this is done internally only.
The main target of this attack would be an RSA Key Exchange for instance.