portier / portier-broker

Portier Broker reference implementation, written in Rust
http://portier.github.io/
Apache License 2.0
557 stars 17 forks source link

RUSTSEC-2023-0071: Marvin Attack: potential key recovery through timing sidechannels #822

Closed github-actions[bot] closed 6 months ago

github-actions[bot] commented 1 year ago

Marvin Attack: potential key recovery through timing sidechannels

Details
Package rsa
Version 0.9.2
URL https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643
Date 2023-11-22

Impact

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches

No patch is yet available, however work is underway to migrate to a fully constant-time implementation.

Workarounds

The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.

References

This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.

See advisory page for additional details.

stephank commented 1 year ago

Well that's annoying, but I believe impact is limited in Portier. User action can initiate JWT signing with RSA, but it's difficult to observe timing, because the entire flow has long latency: you have to do email verification or upstream OIDC verification, nonces prevent any reuse that could help speed up the attack, and we also have rate limits in place.

On top of this, our defaults are to rotate RSA keys daily, which is actually extremely often compared to other common usage of RSA, but might help us a little in this case.

From: https://github.com/RustCrypto/RSA/issues/19#issuecomment-1830065981

While the attack requires the attacker to measure precisely the processing time of the ciphertext, one of the main contributions of the Marvin Attack paper is that it's is possible to measure differences of just few nanoseconds (billionth's of a second) even over the network. The ability to do that depends only of the number of measurements the attacker is able to perform, not on the size of the side channel.

The upstream issue also talks about rsa_decrypt, and I'm not sure how that relates to signing. But I'm just going to assume worst case, and it leaks just as bad.

Will update as soon as upstream makes a release, but again, hoping we're relatively safe because an attacker can't get enough samples in practice.

stephank commented 6 months ago

Fixed in v0.10.0. We now use AWS Libcrypto to generate RSA keypairs, and removed this dependency completely.