-
-
Notifications
You must be signed in to change notification settings - Fork 616
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mark use of PKCS1v15
for encryption and decryption a vulnerability
#1071
Comments
Same thing applies to python-rsa package: sybrenstuvel/python-rsa#230 but then, use of any private keys with it is insecure: https://github.com/sybrenstuvel/python-rsa#security not just PKCS#1 v1.5 decryption |
Same thing applies to the M2Crypto library: https://gitlab.com/m2crypto/m2crypto/-/issues/342 |
The M2Crypto issue has been assigned CVE-2023-50781, the pyca/cryptography issue has been assigned CVE-2023-50782 |
@tomato42 you're saying that using I'm thinking of the many APIs exposed by tax authorities everywhere in the world, which often require RSA signatures for documents being submitted - and are verified on their side. The emitting side could implement signatures in Python without any knowledge of how they will be decrypted/verified. Would that be considered unsafe? Thanks! |
Because it's very unlikely that the decryption is implemented correctly.
I'm talking about encryption, not signatures. Signatures with PKCS1v1.5 padding are fine. |
@tomato42 Thanks for the clarifications. I'm asking because Bleichenbacher's paper describes how to apply the algorithm to forge an RSA signature as well. As I understand it, that comes from the fact that generating a RSASSA-PKCS1-v1_5 signature1 uses the private key in a manner that is similar to the decryption of a ciphertext. This is also described in section 3.4 of the ROBOT paper. That signature forgery attack is considered harder than for decryption because it requires the blinding first step described by Bleichenbauer, but it still seems possible with a working oracle. In this context, one might consider that RSASSA-PKCS1-v1_5 signature operations should be marked as vulnerabilities for roughly the same reasons as for decryption. And therefore the use of Thanks again :-) EDIT: Answering myself to avoid more noise. I think I see what I missed initially. The signature forgery attack works with the exact same oracle as the attack on the decryption. It needs the RSA exponentiation with the private exponent to be applied by the server, which is what happens when the server is decrypting a message. Footnotes |
yes, but moreover in the Bleichenbacher-like attack you need an oracle that tells you if the tested ciphertext decrypts to a plaintext that starts with specific bytes, in signing all inputs to the exponentiation start with specific bytes also, while there are side-channel attacks on the signing operation, they are independent of used padding: PKCS#1v1.5 will be just as vulnerable as RSA-PSS so, attacks on signatures and on encryption are completely different |
Is your feature request related to a problem? Please describe.
While
pyca/cryptography
is generally a high quality wrapper around OpenSSL, because of peculiarities of Python it is impossible to handle PKCS#1 v1.5 decryption failures in side channel free manner. As such, all usages of it will leak information useful in mounting the Bleichenbacher/Marvin attack: pyca/cryptography#9785Describe the solution you'd like
Any use of the
cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15
for decryption (or encryption) should be marked as vulnerabilities.Describe alternatives you've considered
it's impossible to handle exceptions in Python in side-channel free manner
the PKCS#1 v1.5 is known to be insecure for over 25 years at this point, it's high time to stop use of it
the alternative is to use RSA-OAEP encryption
Additional context
https://people.redhat.com/~hkario/marvin/
Love this idea? Give it a 👍. We prioritize fulfilling features with the most 👍.
The text was updated successfully, but these errors were encountered: