From 5d45065bd8b3474399e5575abde74bfd246d568b Mon Sep 17 00:00:00 2001 From: Tony Arcieri Date: Tue, 28 Nov 2023 12:34:13 -0700 Subject: [PATCH] README.md: add info about Marvin Attack (RUSTSEC-2023-0071) (#391) References: - https://github.com/RustCrypto/RSA/issues/19 - https://rustsec.org/advisories/RUSTSEC-2023-0071.html - https://people.redhat.com/~hkario/marvin/ --- README.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 1256e965..6f191df0 100644 --- a/README.md +++ b/README.md @@ -65,16 +65,19 @@ There will be three phases before `1.0` 🚢 can be released. - [ ] Fuzz testing - [ ] Security Audits -## Security Notes +## ⚠️Security Warning This crate has received one [security audit by Include Security][audit], with only one minor finding which has since been addressed. See the [open security issues] on our issue tracker for other known problems. -Notably the implementation of [modular exponentiation is not constant time], +~~Notably the implementation of [modular exponentiation is not constant time], but timing variability is masked using [random blinding], a commonly used -technique. +technique.~~ This crate is vulnerable to the [Marvin Attack] which could enable +private key recovery by a network attacker (see [RUSTSEC-2023-0071]). + +You can follow our work on mitigating this issue in [#390]. ## Minimum Supported Rust Version (MSRV) @@ -118,3 +121,6 @@ dual licensed as above, without any additional terms or conditions. [open security issues]: https://github.com/RustCrypto/RSA/issues?q=is%3Aissue+is%3Aopen+label%3Asecurity [modular exponentiation is not constant time]: https://github.com/RustCrypto/RSA/issues/19 [random blinding]: https://en.wikipedia.org/wiki/Blinding_(cryptography) +[Marvin Attack]: https://people.redhat.com/~hkario/marvin/ +[RUSTSEC-2023-0071]: https://rustsec.org/advisories/RUSTSEC-2023-0071.html +[#390]: https://github.com/RustCrypto/RSA/issues/390
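Review bot: in the first README.md hunk, the new heading `## ⚠️Security Warning` is missing a space between the emoji and the words, so it renders as one run-on token; make it `## ⚠️ Security Warning`. The surrounding paragraph also now reads inconsistently: the kept sentence says the crate received an audit "with only one minor finding which has since been addressed", and the struck-through text is immediately followed by a statement that a network attacker could recover the private key. Rather than only striking the old sentence, state plainly that the non-constant-time modular exponentiation (issue #19) is the root cause, that the random blinding described there does not mitigate the Marvin Attack, and that the earlier audit predates this finding, so readers do not take the audit sentence as a current assurance. Consider also moving the Marvin/RUSTSEC-2023-0071 sentence to the top of the section, ahead of the audit note, since it is the warning the heading announces; "could enable" may be softened to "enables" if the advisory linked in the second hunk classifies this as a practical attack.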