-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RUSTSEC-2023-0071: Marvin Attack: potential key recovery through timing sidechannels #822
Comments
Well that's annoying, but I believe impact is limited in Portier. User action can initiate JWT signing with RSA, but it's difficult to observe timing, because the entire flow has long latency: you have to do email verification or upstream OIDC verification, nonces prevent any reuse that could help speed up the attack, and we also have rate limits in place. On top of this, our defaults are to rotate RSA keys daily, which is actually extremely often compared to other common usage of RSA, but might help us a little in this case. From: RustCrypto/RSA#19 (comment)
The upstream issue also talks about Will update as soon as upstream makes a release, but again, hoping we're relatively safe because an attacker can't get enough samples in practice. |
Fixed in v0.10.0. We now use AWS Libcrypto to generate RSA keypairs, and removed this dependency completely. |
rsa
0.9.2
Impact
Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.
Patches
No patch is yet available, however work is underway to migrate to a fully constant-time implementation.
Workarounds
The only currently available workaround is to avoid using the
rsa
crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.References
This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.
See advisory page for additional details.
The text was updated successfully, but these errors were encountered: