Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RUSTSEC-2023-0071: Marvin Attack: potential key recovery through timing sidechannels #822

Closed
github-actions bot opened this issue Nov 29, 2023 · 2 comments
Closed

RUSTSEC-2023-0071: Marvin Attack: potential key recovery through timing sidechannels #822

github-actions bot opened this issue Nov 29, 2023 · 2 comments

Comments

@github-actions
Copy link
Contributor

Marvin Attack: potential key recovery through timing sidechannels

Details
Package rsa
Version 0.9.2
URL RustCrypto/RSA#19 (comment)
Date 2023-11-22

Impact

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches

No patch is yet available, however work is underway to migrate to a fully constant-time implementation.

Workarounds

The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.

References

This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.

See advisory page for additional details.
@stephank
Copy link
Member

stephank commented Nov 29, 2023
edited

Well that's annoying, but I believe impact is limited in Portier. User action can initiate JWT signing with RSA, but it's difficult to observe timing, because the entire flow has long latency: you have to do email verification or upstream OIDC verification, nonces prevent any reuse that could help speed up the attack, and we also have rate limits in place.

On top of this, our defaults are to rotate RSA keys daily, which is actually extremely often compared to other common usage of RSA, but might help us a little in this case.

From: RustCrypto/RSA#19 (comment)

While the attack requires the attacker to measure precisely the processing time of the ciphertext, one of the main contributions of the Marvin Attack paper is that it's is possible to measure differences of just few nanoseconds (billionth's of a second) even over the network. The ability to do that depends only of the number of measurements the attacker is able to perform, not on the size of the side channel.

The upstream issue also talks about rsa_decrypt, and I'm not sure how that relates to signing. But I'm just going to assume worst case, and it leaks just as bad.

Will update as soon as upstream makes a release, but again, hoping we're relatively safe because an attacker can't get enough samples in practice.

@stephank
Copy link
Member

Fixed in v0.10.0. We now use AWS Libcrypto to generate RSA keypairs, and removed this dependency completely.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@stephank