Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for constant-time decryption of PKCS#1 v1.5-encoded session keys #1445

Merged
merged 8 commits into from Jan 19, 2022
Merged

Add support for constant-time decryption of PKCS#1 v1.5-encoded session keys #1445

merged 8 commits into from Jan 19, 2022

Conversation

larabr
Copy link
Collaborator

@larabr larabr commented Dec 1, 2021

Implement optional constant-time decryption flow to hinder Bleichenbacher-like attacks against RSA- and ElGamal public-key encrypted session keys.

Changes:

  • Add config.constantTimePKCS1Decryption to enable the constant-time processing (defaults to false). The constant-time option is off by default since it has measurable performance impact on message decryption, and it is only helpful in specific application scenarios (more info below).
  • Add config.constantTimePKCS1DecryptionSupportedSymmetricAlgorithms (defaults to the AES algorithms). The set of supported ciphers is restricted by default since the number of algorithms negatively affects performance.

Bleichenbacher-like attacks are of concern for applications where both of the following conditions are met:

  1. new/incoming messages are automatically decrypted (without user interaction);
  2. an attacker can determine how long it takes to decrypt each message (e.g. due to decryption errors being logged remotely).

larabr
larabr commented Dec 1, 2021
View reviewed changes
src/crypto/public_key/rsa.js
@@ -473,11 +476,14 @@ async function nodeDecrypt(data, n, e, d, p, q, u) {
try {
return new Uint8Array(nodeCrypto.privateDecrypt(key, data));
} catch (err) {
if (randomPayload) {
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not ideal, but I don't think we can do better than this

@larabr larabr requested a review from twiss December 1, 2021 16:21
twiss
twiss reviewed Dec 1, 2021
View reviewed changes
src/crypto/pkcs1.js Outdated Show resolved Hide resolved
src/packet/public_key_encrypted_session_key.js Outdated Show resolved Hide resolved
larabr and others added 2 commits December 2, 2021 12:17
@larabr
Check checksum in constant time
9031105
@larabr @twiss
Fix typo in comment [skip ci]
b96a33f 
Co-authored-by: Daniel Huigens <d.huigens@protonmail.com>
This was referenced Jan 17, 2022
Open
Open
Open
Open
@larabr larabr merged commit 22a6887 into openpgpjs:main Jan 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@twiss twiss twiss approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@larabr @twiss