Implement implicit rejection for PKCS#1.5 decipher
This is built on top of !17 (only the last commit is relevant to this change; the rest is from the previous MR).
This implements the implicit rejection as described in the following IETF draft, including test vectors:
https://www.ietf.org/archive/id/draft-irtf-cfrg-rsa-guidance-00.html
It avoids the side-channel leaks caused by the calling application checking the return value after the call to gcry_pk_decrypt(), by returning a synthetic response.
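The description above states what implicit rejection achieves but not its shape. The following is an added example written for this page, not code from libgcrypt or from this merge request, showing an RSAES-PKCS1-v1_5 decryption with implicit rejection in Python: the padding check accumulates a flag instead of returning early, and when the flag is set the caller receives a message derived deterministically from the private key and the ciphertext instead of an error. The toy key built from two Mersenne primes, the HMAC-SHA256 key derivation, the counter-mode PRF and the modulo-based length selection are assumptions chosen so the block runs offline; the draft specifies its own KDF and length-selection procedure, and CPython gives no constant-time guarantees, so the flag-accumulation only illustrates the structure that a C implementation has to provide.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key from two Mersenne primes so the example needs no key
# generator. ~234-bit modulus: illustration only, far below a usable key size.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (30 here)
MAX_MSG_LEN = K - 11                   # RSAES-PKCS1-v1_5 message limit
MIN_SEP_INDEX = 10                     # 00 02 plus at least 8 padding bytes


def pkcs1_v15_encrypt(msg: bytes) -> bytes:
    """RSAES-PKCS1-v1_5 encryption: EM = 00 || 02 || PS || 00 || M."""
    if len(msg) > MAX_MSG_LEN:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < K - 3 - len(msg):          # PS is random and nonzero
        b = secrets.token_bytes(1)
        if b != b"\x00":
            ps += b
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def check_padding(em: bytes):
    """Return (bad, sep): bad=1 if EM is malformed, sep = index of the 00 separator.

    Flag accumulation with no early exit shows the shape of a constant-time
    check; CPython itself does not give timing guarantees.
    """
    bad = int(em[0] != 0x00) | int(em[1] != 0x02)
    sep = 0
    found = 0
    for i in range(2, K):
        is_zero = int(em[i] == 0)
        take = is_zero & (1 - found)          # only the first zero byte counts
        sep = sep + (i - sep) * take
        found |= is_zero
    bad |= 1 - found                          # no separator at all
    bad |= int(sep < MIN_SEP_INDEX)           # fewer than 8 padding bytes
    return bad, sep


def _prf(kdk: bytes, label: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode (assumed construction, not the draft's PRF)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(kdk, ctr.to_bytes(2, "big") + label, hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def synthetic_parts(ciphertext: bytes):
    """Derive a K-byte body and a length in [0, MAX_MSG_LEN] from the private key
    and the exact ciphertext, so one ciphertext always yields the same fake message.
    The KDK construction and the modulo length selection are simplifications
    assumed here; the draft specifies its own KDF and length-selection procedure."""
    key_secret = hashlib.sha256(D.to_bytes(K, "big")).digest()
    kdk = hmac.new(key_secret, ciphertext, hashlib.sha256).digest()
    length = int.from_bytes(_prf(kdk, b"length", 2), "big") % (MAX_MSG_LEN + 1)
    body = _prf(kdk, b"message", K)
    return body, length


def pkcs1_v15_decrypt_implicit_rejection(ciphertext: bytes) -> bytes:
    """Decrypt; on bad padding return the synthetic message instead of an error."""
    if len(ciphertext) != K:
        raise ValueError("ciphertext length mismatch")   # public property, safe to report
    c = int.from_bytes(ciphertext, "big")
    if c >= N:
        raise ValueError("ciphertext out of range")      # likewise public
    em = pow(c, D, N).to_bytes(K, "big")
    bad, sep = check_padding(em)
    body, syn_len = synthetic_parts(ciphertext)
    real_len = K - sep - 1
    # Select length and bytes arithmetically rather than with an if/else on `bad`,
    # so both the real and the synthetic candidate are always fully computed.
    out_len = real_len + (syn_len - real_len) * bad
    mask = 0xFF * bad
    out = bytes((r & (0xFF ^ mask)) | (s & mask) for r, s in zip(em, body))
    return out[K - out_len:]
```

Because the synthetic message is a function of the private key and the ciphertext, resubmitting the same malformed ciphertext returns the same plaintext every time, which is what keeps a rejected ciphertext indistinguishable from one that decrypts to an unrelated message. Length mismatches and c >= N are still reported as errors: those properties are visible to the attacker already and carry no padding information.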
added 15 commits
- 062f0643...89adba45 - 2 commits from branch redhat-crypto/libgcrypt:master
- 89adba45...e8c7b08a - 3 earlier commits
- ba585b02 - ci: Remove CentOS 8 Stream build
- 8cebc9ce - tests: Remove needless PKCS#1.5 encryption and decryption parameters
- 6b6dd1c3 - rsa: Do not accept invalid PKCS#1.5 padding when deciphering
- 067754b7 - rsa: Constant time blinding removal
- d53f8b64 - Constant time conversion of the message to the SEXP
- 75579edc - ci: Run with --enable-marvin-workaround
- 79bcb76b - rsa: Implement constant-time conversion of MPI to string
- 40439e26 - cipher: Use the constant time conversion also for OAEP
- 70e52a96 - Implement implicit rejection for PKCS#1.5 decipher
- 6a9db1de - ct: Use volatile to move data in buffer
added 10 commits
- df3765db - tests: Remove needless PKCS#1.5 encryption and decryption parameters
- fa9c483f - rsa: Do not accept invalid PKCS#1.5 padding when deciphering
- 1f14f2ec - rsa: Constant time blinding removal
- 18102743 - Constant time conversion of the message to the SEXP
- 2880702e - ci: Run with --enable-marvin-workaround
- 3c8d2f2c - rsa: Implement constant-time conversion of MPI to string
- 8cc25388 - cipher: Use the constant time conversion also for OAEP
- 7ebd52da - Implement implicit rejection for PKCS#1.5 decipher
- 74245cd5 - ct: Use volatile to move data in buffer
- 23f13bcc - tests: Avoid memory leak on error path
added 30 commits
- 23f13bcc...0e365378 - 22 commits from branch redhat-crypto/libgcrypt:master
- 7727c92e - tests: Remove needless PKCS#1.5 encryption and decryption parameters
- 64be4d02 - rsa: Do not accept invalid PKCS#1.5 padding when deciphering
- 328070de - rsa: Constant time blinding removal
- 7966d0bc - Constant time conversion of the message to the SEXP
- 0dc3c19b - ci: Run with --enable-marvin-workaround
- 7d915749 - rsa: Implement constant-time conversion of MPI to string
- cf92ebf1 - cipher: Use the constant time conversion also for OAEP
- f8d70dfb - Implement implicit rejection for PKCS#1.5 decipher
Measurements performed on this branch using the marvin toolkit with 600k inputs on the x86_64 architecture showed that the depadding operation does not show signs of side-channel leaks:
tlsfuzzer analyse.py version 6 analysis
Sign test mean p-value: 0.5609, median p-value: 0.576, min p-value: 0.01338
Friedman test (chisquare approximation) for all samples p-value: 0.9595613151985071
Worst pair: 12(very short PKCS#1 padding (40 bytes short)), 18(zero byte in eight byte of padding)
Mean of differences: 2.36960e-09s, 95% CI: 5.83220e-10s, 4.355760e-09s (±1.886e-09s)
Median of differences: 5.85200e-10s, 95% CI: 0.00000e+00s, 8.778100e-10s (±4.389e-10s)
Trimmed mean (5%) of differences: 2.57517e-09s, 95% CI: 6.37548e-10s, 4.750109e-09s (±2.056e-09s)
Trimmed mean (25%) of differences: 4.78174e-10s, 95% CI: -1.24717e-11s, 9.940182e-10s (±5.032e-10s)
Trimmed mean (45%) of differences: 4.09395e-10s, 95% CI: -9.81684e-11s, 9.296631e-10s (±5.139e-10s)
Trimean of differences: 5.85204e-10s, 95% CI: -7.31475e-11s, 1.097262e-09s (±5.852e-10s)
Layperson explanation: Implementation most likely not providing a timing side-channel signal
The deblinding operation still shows possible small leaks:
tlsfuzzer analyse.py version 6 analysis
Sign test mean p-value: 0.4974, median p-value: 0.4856, min p-value: 0.004115
Friedman test (chisquare approximation) for all samples p-value: 0.4546575956175242
Worst pair: 19(zero byte in first byte of padding), 20(zero byte in second byte of padding)
Mean of differences: 9.35603e-09s, 95% CI: 8.55824e-10s, 1.761912e-08s (±8.382e-09s)
Median of differences: 8.77800e-10s, 95% CI: -5.85200e-10s, 2.048200e-09s (±1.317e-09s)
Trimmed mean (5%) of differences: 1.00246e-08s, 95% CI: 1.82874e-09s, 1.742091e-08s (±7.796e-09s)
Trimmed mean (25%) of differences: 1.32778e-09s, 95% CI: 2.79639e-10s, 2.382687e-09s (±1.052e-09s)
Trimmed mean (45%) of differences: 9.33716e-10s, 95% CI: -2.67663e-10s, 2.075726e-09s (±1.172e-09s)
Trimean of differences: 1.17040e-09s, 95% CI: 7.31750e-11s, 2.249369e-09s (±1.088e-09s)
Layperson explanation: Large confidence intervals detected, collecting more data necessary. Side channel leakage smaller than 1.052e-09s is possible
For detailed report see rsa2048_final/deblind/report.csv
added 6 commits
- 09a28b9a - rsa: Constant time blinding removal
- c1a0af39 - Constant time conversion of the message to the SEXP
- aee8f5b1 - ci: Run with --enable-marvin-workaround
- 7a4c0e20 - rsa: Implement constant-time conversion of MPI to string
- d2386899 - cipher: Use the constant time conversion also for OAEP
- 967a3c52 - Implement implicit rejection for PKCS#1.5 decipher
mentioned in merge request redhat/centos-stream/rpms/libgcrypt!24 (merged)
added 23 commits
- 967a3c52...3d1519fd - 16 commits from branch redhat-crypto/libgcrypt:master
- 984e245f - rsa: Do not accept invalid PKCS#1.5 padding when deciphering
- aca5bd25 - rsa: Constant time blinding removal
- 1b7b995c - Constant time conversion of the message to the SEXP
- 7afe89a5 - ci: Run with --enable-marvin-workaround
- 14008d6f - rsa: Implement constant-time conversion of MPI to string
- 5c0b1707 - cipher: Use the constant time conversion also for OAEP
- 4dffeaea - Implement implicit rejection for PKCS#1.5 decipher