diff options
| author | Alex Gaynor <alex.gaynor@gmail.com> | 2020-12-06 23:12:44 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-12-06 22:12:44 -0600 |
| commit | 8686d524b7b890bcbe6132b774bd72a3ae37cf0d (patch) | |
| tree | 59b8e35c9636116919b4d6fae79b0e29546d3f7c /docs | |
| parent | 1be144acc6b46ae2ece459d80a20831ac2ac1c74 (diff) | |
| download | cryptography-8686d524b7b890bcbe6132b774bd72a3ae37cf0d.tar.gz | |
Document that PKCS1v1.5 is not constant time (#5600)
closes #5510
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/hazmat/primitives/asymmetric/rsa.rst | 5 | ||||
| -rw-r--r-- | docs/limitations.rst | 20 |
2 files changed, 25 insertions, 0 deletions
diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst index b8060e474..fe3930fec 100644 --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -342,6 +342,11 @@ Padding :class:`OAEP` should be preferred for encryption and :class:`PSS` should be preferred for signatures. + .. warning:: + + Our implementation of PKCS1 v1.5 decryption is not constant time. See + :doc:`/limitations` for details. + .. function:: calculate_max_pss_salt_length(key, hash_algorithm) diff --git a/docs/limitations.rst b/docs/limitations.rst index 092d8a7cf..5763ecd40 100644 --- a/docs/limitations.rst +++ b/docs/limitations.rst @@ -20,5 +20,25 @@ like almost all software in Python is potentially vulnerable to this attack. The Likelihood: unlikely, Remediation Cost: expensive to repair" and we do not consider this a high risk for most users. +RSA PKCS1 v1.5 constant time decryption +--------------------------------------- + +RSA decryption has several different modes, one of which is PKCS1 v1.5. When +used in online contexts, a secure protocol implementation requires that peers +not be able to tell whether RSA PKCS1 v1.5 decryption failed or succeeded, +even by timing variability. + +``cryptography`` does not provide an API that makes this possible, due to the +fact that RSA decryption raises an exception on failure, which takes a +different amount of time than returning a value in the success case. + +For this reason, at present, we recommend not implementing online protocols +that use RSA PKCS1 v1.5 decryption with ``cryptography`` -- independent of this +limitation, such protocols generally have poor security properties due to their +lack of forward security. + +If a constant time RSA PKCS1 v1.5 decryption API is truly required, you should +contribute one to ``cryptography``. + .. _`Memory wiping`: https://devblogs.microsoft.com/oldnewthing/?p=4223 .. _`CERT secure coding guidelines`: https://wiki.sei.cmu.edu/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources |