
Commit 47777de

Add Bleichenbacher attack warning about PKCS#1 v1.5 (#637)
Notes the long history of repeat attacks, and how the `rsa` crate is still vulnerable to the Marvin Attack.
1 parent 340b194 commit 47777de

2 files changed

Lines changed: 31 additions & 0 deletions


src/lib.rs

Lines changed: 11 additions & 0 deletions
@@ -45,6 +45,12 @@
4545
//! ```
4646
//!
4747
//! ## PKCS#1 v1.5 encryption
48+
//!
49+
//! <div class="warning">
50+
//! <b>Warning:</b>
51+
//! See security notes in the <code><a href="./pkcs1v15/index.html">pkcs1v15</a></code> module.
52+
//! </div>
53+
//!
4854
//! ```
4955
//! use rsa::{RsaPrivateKey, RsaPublicKey, Pkcs1v15Encrypt};
5056
//!
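
Review bot: the warning added to the encryption section (lines 49+ to 52+) only tells the reader to go elsewhere, yet this is the block directly above the example they are most likely to copy; one sentence naming the risk before the link (that PKCS#1 v1.5 encryption is subject to Bleichenbacher-style attacks) would let the reader see why the warning exists without leaving the page. Note also that because there is no blank `//!` line between `<b>Warning:</b>` and the text, the whole `<div>` is one raw HTML block and markdown is not processed inside it, which is why a raw `<a href="./pkcs1v15/index.html">` had to be used; the `src/pkcs1v15.rs` hunk in this same commit inserts a blank `//!` after `<b>Warning</b>`, which would allow an intra-doc link such as [`pkcs1v15`](crate::pkcs1v15) here too, checked by `cargo doc` and independent of rustdoc's output layout.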
@@ -66,6 +72,11 @@
6672
//!
6773
//! ## PKCS#1 v1.5 signatures
6874
//!
75+
//! <div class="warning">
76+
//! <b>Warning:</b>
77+
//! See security notes in the <code><a href="./pkcs1v15/index.html">pkcs1v15</a></code> module.
78+
//! </div>
79+
//!
6980
//! Note: requires `sha2` feature of `rsa` crate is enabled.
7081
//!
7182
#![cfg_attr(feature = "sha2", doc = "```")]
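
Review bot: lines 75+ to 79+ are a verbatim copy of the encryption-section warning, so any later rewording (for example stating the attack inline, or switching to an intra-doc link) has to be applied in both places; if the duplication is kept, please keep the two copies in sync, or carry the text in one place via the `#![doc = ...]` attribute form this file already uses for the `sha2`-gated fence. Placement is also slightly awkward: the new block now sits between the `## PKCS#1 v1.5 signatures` heading and the `Note: requires `sha2` feature of `rsa` crate is enabled.` line, separating the feature note from its heading; moving the warning after that note, or folding the note into the warning block, would read more naturally.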

src/pkcs1v15.rs

Lines changed: 20 additions & 0 deletions
@@ -1,5 +1,25 @@
11
//! PKCS#1 v1.5 support as described in [RFC8017 § 8.2].
22
//!
3+
//! <div class="warning">
4+
//! <b>Warning</b>
5+
//!
6+
//! PKCS#1 v1.5 padding has a longstanding history of issues generally classed as
7+
//! [Bleichenbacher Attacks] which were originally discovered in 1998 but keep reappearing in
8+
//! various forms again and again over the course of decades, including most recently in the 2023
9+
//! [Marvin Attack], which the `rsa` crate is [still vulnerable] to.
10+
//!
11+
//! These attacks can result in complete plaintext recovery for encryption, or signature forgery,
12+
//! leading to a total failure of either confidentiality or integrity.
13+
//!
14+
//! Unless explicitly needed for compatibility reasons, we recommend against using PKCS#1 v1.5,
15+
//! and suggest using [PSS][`super::pss`] or [OAEP][`super::oaep`] instead (if there is a
16+
//! requirement to use RSA).
17+
//! </div>
18+
//!
19+
//! [Bleichenbacher Attacks]: https://en.wikipedia.org/wiki/Adaptive_chosen-ciphertext_attack#Practical_attacks
20+
//! [Marvin Attack]: https://people.redhat.com/~hkario/marvin/
21+
//! [still vulnerable]: https://github.com/RustCrypto/RSA/issues/626
22+
//!
323
//! # Usage
424
//!
525
//! See [code example in the toplevel rustdoc](../index.html#pkcs1-v15-signatures).
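
Review bot: `which the `rsa` crate is [still vulnerable] to.` (line 9+) will silently go stale once the linked issue RustCrypto/RSA#626 is resolved, because this text ships in the rendered docs of every release; consider anchoring it in time ("as of this writing, tracked in [RustCrypto/RSA#626]") or leaving an inline reminder so the sentence is revisited when the issue closes. Two smaller points: `<b>Warning</b>` (line 4+) drops the colon used in both `src/lib.rs` copies, and the paragraph at lines 11+ to 12+ says the attacks can yield plaintext recovery or signature forgery but does not say whether the open issue affects decryption, signing, or both, which is what a user deciding whether the compatibility exception applies to them needs to know.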
