
libgcrypt: Implement constant-time RSA decryption (Marvin attack fix)
Open, Low, Public

Description

This was previously filed in the GitLab mirror, but re-posting rebased patches based on initial feedback here:

https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/17

The current MPI code is not constant time, potentially leaking plaintext when the attacker can observe enough decipher operations using RSA PKCS#1 v1.5. This is described as the Marvin Attack:

The changes are likely not complete, as there are still some timing leaks detected, but if needed I can follow up.

Details

Version
master

Event Timeline

I left review comments in gitlab. One additional concern is the license for mpi-mul-cs.c, the original code not having copyright information... "does not have any copyright information, assuming public domain".

werner added subscribers: gniibe, werner.

We discussed this back and forth with the Red Hat people at our jour fixe to explain that the Kairo fix is done at the wrong layer: this needs to be done at the protocol layer and not in the building blocks. This is not covered by our security policy, and @gniibe already came up with some extra support to help at the protocol layer. There are only a few use cases where this side-channel or the Minerva one (for ECDSA) should be considered (e.g. time stamping services). Generally required protections against DoS are also part of the mitigation.

Thus set the priority to low.
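As an added illustration of the layering point above, and not code from this ticket, the patches under review, or libgcrypt itself: the protocol-layer handling of a PKCS#1 v1.5 decryption is usually done as constant-time RSAES-PKCS1-v1_5 unpadding with implicit rejection, where an invalid padding block is silently replaced by a pseudorandom message derived from the ciphertext, so that accept and reject paths take the same time and the protocol continues identically in both cases. The hypothetical routines below contrast the classic early-exit check with such a constant-time version. Everything here is an assumption made for the example: the private-key operation is taken to have already produced the k-byte encoded message in constant time (the MPI layer this ticket is about), the fallback buffer is assumed to be supplied by the caller (for instance a keyed PRF over the ciphertext), and the 16-byte block length and the test vectors are constructed for readability.

```c
/* Example code, not libgcrypt's: constant-time PKCS#1 v1.5 unpadding with
 * implicit rejection, beside the leaky early-exit variant for contrast. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Masks are uint64_t: all-ones for true, zero for false. Operands must be < 2^63. */
static uint64_t ct_mask_eq(uint64_t a, uint64_t b)
{
    uint64_t x = a ^ b;             /* zero iff a == b */
    return 0 - ((x - 1) >> 63);     /* x - 1 wraps to all-ones only when x == 0 */
}

static uint64_t ct_mask_lt(uint64_t a, uint64_t b)
{
    return 0 - ((a - b) >> 63);     /* a - b wraps (top bit set) only when a < b */
}

static uint64_t ct_select(uint64_t mask, uint64_t a, uint64_t b)
{
    return (a & mask) | (b & ~mask);
}

/* Leaky reference, shown only for contrast: the early returns make rejection
 * faster than acceptance, which is the timing oracle Marvin exploits. */
int pkcs1_v15_unpad_leaky(const uint8_t *em, size_t k, uint8_t *out, size_t *out_len)
{
    size_t i;
    if (k < 11 || em[0] != 0x00 || em[1] != 0x02)
        return -1;
    for (i = 2; i < k && em[i] != 0x00; i++)
        ;
    if (i == k || i < 10)           /* no separator, or fewer than 8 padding bytes */
        return -1;
    *out_len = k - i - 1;
    memcpy(out, em + i + 1, *out_len);
    return 0;
}

/* Constant-time unpad with implicit rejection. em is the k-byte (k >= 11)
 * result of the private-key operation; fallback is a k-byte pseudorandom
 * message the caller derived from the ciphertext with a secret key, of which
 * fallback_len (<= k) bytes are handed out when the padding is invalid.
 * Always returns 0: validity is never signalled, only reflected in out. */
int pkcs1_v15_unpad_ct(const uint8_t *em, size_t k,
                       const uint8_t *fallback, size_t fallback_len,
                       uint8_t *out, size_t *out_len)
{
    uint64_t found = 0, zero_idx = 0, good, msg_start, msg_len;
    size_t i, j;

    /* Find the first 0x00 at index >= 2 without branching on data. */
    for (i = 2; i < k; i++) {
        uint64_t is_zero = ct_mask_eq(em[i], 0x00);
        zero_idx |= (uint64_t)i & is_zero & ~found;
        found |= is_zero;
    }
    good = found & ct_mask_eq(em[0], 0x00) & ct_mask_eq(em[1], 0x02)
         & ~ct_mask_lt(zero_idx, 10);  /* at least 8 non-zero padding bytes */
    msg_start = zero_idx + 1;          /* meaningless when !good; masked below */
    msg_len = (uint64_t)k - msg_start;

    /* Move the message to the front with a data-independent access pattern:
     * each output byte is gathered by scanning all of em (O(k^2); k <= 512). */
    for (j = 0; j < k; j++) {
        uint64_t b = 0;
        for (i = 0; i < k; i++)
            b |= (uint64_t)em[i] & ct_mask_eq(i, j + msg_start);
        out[j] = (uint8_t)ct_select(good, b, fallback[j]);
    }
    *out_len = (size_t)ct_select(good, msg_len, fallback_len);
    return 0;
}

/* Constructed vectors, k = 16 for readability (a real k is the modulus size). */
static const uint8_t FALLBACK[16] = {
    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
    0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff };
static const uint8_t EM_GOOD[16] = {      /* 00 02 | 8 pad bytes | 00 | "hello" */
    0x00, 0x02, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6,
    0xa7, 0xa8, 0x00, 'h', 'e', 'l', 'l', 'o' };

/* 1 if the well-formed EM yields "hello" from both routines. */
int demo_accept(void)
{
    uint8_t o1[16], o2[16]; size_t n1 = 0, n2 = 0;
    int r = pkcs1_v15_unpad_leaky(EM_GOOD, 16, o1, &n1);
    pkcs1_v15_unpad_ct(EM_GOOD, 16, FALLBACK, 7, o2, &n2);
    return r == 0 && n1 == 5 && memcmp(o1, "hello", 5) == 0
        && n2 == 5 && memcmp(o2, "hello", 5) == 0;
}

/* 1 if a malformed EM (variant 0: block type 01; variant 1: only 7 padding
 * bytes) is rejected by the leaky routine (-1) and implicitly rejected by the
 * constant-time one, which hands back the 7-byte fallback instead of an error. */
int demo_reject(int variant)
{
    uint8_t em[16], o1[16], o2[16]; size_t n1 = 0, n2 = 0;
    memcpy(em, EM_GOOD, 16);
    if (variant == 0) em[1] = 0x01; else em[9] = 0x00;
    int r = pkcs1_v15_unpad_leaky(em, 16, o1, &n1);
    pkcs1_v15_unpad_ct(em, 16, FALLBACK, 7, o2, &n2);
    return r == -1 && n2 == 7 && memcmp(o2, FALLBACK, 7) == 0;
}
```

The quadratic gather keeps memory accesses independent of where the separator sits, which is cheap at modulus sizes but would not be the choice inside an MPI primitive. Note what the building block cannot do for the caller: out_len is still secret-dependent, so the protocol code consuming it must itself avoid branching on it (for example by expecting a fixed message length, as a key-transport protocol does), and the rate limiting against DoS mentioned above remains a separate concern.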

> I left review comments in gitlab.

Thank you!

> One additional concern is the license for mpi-mul-cs.c, the original code not having copyright information... "does not have any copyright information, assuming public domain".

Just discussed with Hubert that the license is not specified and he is happy to provide it under any license you would need.