| Field | Value | Date |
|---|---|---|
| author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2022-10-12 11:14:56 -0400 |
| committer | GitHub <noreply@github.com> | 2022-10-12 11:14:56 -0400 |
| commit | 34412de1b28eb268be959a79d754cb64a6c8bb79 (patch) | |
| tree | c78ecb1199ec5531e3a53ff00c1bd59b17c24206 /docs | |
| parent | 7a22e6262b5760994b1ad663aa33fff2bdf55bcc (diff) | |
| download | cryptography-34412de1b28eb268be959a79d754cb64a6c8bb79.tar.gz | |
more warnings and context around RSA online decryption (#7699)
Diffstat (limited to 'docs')

| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | docs/hazmat/primitives/asymmetric/rsa.rst | 5 |
| -rw-r--r-- | docs/limitations.rst | 16 |

2 files changed, 14 insertions, 7 deletions
diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst index 2dfccb1a0..384cab073 100644 --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -555,6 +555,11 @@ Key interfaces .. versionadded:: 0.4 + .. warning:: + + Our implementation of PKCS1 v1.5 decryption is not constant time. See + :doc:`/limitations` for details. + Decrypt data that was encrypted with the public key. :param bytes ciphertext: The ciphertext to decrypt. diff --git a/docs/limitations.rst b/docs/limitations.rst index 227ed6cd7..3f43c743c 100644 --- a/docs/limitations.rst +++ b/docs/limitations.rst 
@@ -24,21 +24,23 @@ RSA PKCS1 v1.5 constant time decryption --------------------------------------- RSA decryption has several different modes, one of which is PKCS1 v1.5. When -used in online contexts, a secure protocol implementation requires that peers -not be able to tell whether RSA PKCS1 v1.5 decryption failed or succeeded, -even by timing variability. +used in **online contexts**, a secure protocol implementation requires that +peers not be able to tell whether RSA PKCS1 v1.5 decryption failed or +succeeded, even by timing variability. ``cryptography`` does not provide an API that makes this possible, due to the fact that RSA decryption raises an exception on failure, which takes a different amount of time than returning a value in the success case. -For this reason, at present, we recommend not implementing online protocols +Fixing this would require a new API in ``cryptography``, but OpenSSL does +not expose an API for straightforwardly implementing this while reusing +its own constant-time logic. See `issue 6167`_ for more information. + +For this reason we recommend not implementing online protocols that use RSA PKCS1 v1.5 decryption with ``cryptography`` -- independent of this limitation, such protocols generally have poor security properties due to their lack of forward security. -If a constant time RSA PKCS1 v1.5 decryption API is truly required, you should -contribute one to ``cryptography``. - .. _`Memory wiping`: https://devblogs.microsoft.com/oldnewthing/?p=4223 .. _`CERT secure coding guidelines`: https://wiki.sei.cmu.edu/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources +.. _`issue 6167`: https://github.com/pyca/cryptography/issues/6167#issuecomment-1276151799
\ No newline at end of file |
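Review bot: the new `.. warning::` in the rsa.rst hunk is attached to the decrypt method as a whole, while the behaviour it describes is specific to one padding mode; the limitations.rst hunk in this same patch says "RSA decryption has several different modes, one of which is PKCS1 v1.5", so a reader of the method docs could conclude that decryption with the other modes is affected as well. Suggest scoping the sentence to the padding, e.g. "Decryption with PKCS1 v1.5 padding is not constant time. See :doc:`/limitations` for details.", so the warning only fires in the reader's mind for the case it actually covers.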
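Review bot: in the limitations.rst hunk the new `issue 6167`_ target points at a single comment (`#issuecomment-1276151799`) rather than at the issue itself; a comment anchor stops resolving if that comment is edited away or deleted, whereas the issue URL is stable. Either link to the issue and state the OpenSSL constraint in the sentence that already carries it ("OpenSSL does not expose an API for straightforwardly implementing this while reusing its own constant-time logic"), or keep the anchor and say in the text that the linked comment holds the detailed reasoning, so the paragraph still stands if the anchor breaks. Minor: "**online contexts**" is now emphasised but never defined; a short clause such as "where a remote peer can observe whether decryption succeeded" would tell the reader which deployments the warning is about.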
