ask the question about mitigating or fixing Bleichenbacher attacks on RSA decryption

[xiaoge1001]

Sorry, for some reason, I can't upgrade the cryptography and openssl versions, so I can't fix CVE-2023-50782 and CVE-2020-25659 by upgrading the package. The version information of the package I'm using is as follows:

cryptography：36.0.1
openssl: 1.1.1m (have a backport of the CVE-2022-4304 fix)

I have a few questions that I would like to ask:
（1）Does the CVEs get fixed or alleviated if I specify 65537 using public exponent? If yes, what would be the impact? (3 is not supported)
（2）Is there any impact of stopping PKCS#1v1.5 and using OEAP instead? Like having to switch the tls protocol to a certain version?

Looking forward to your reply, thanks.

[alex]

Public exponent doesn't impact anything.

If you don't use PKCS1v15 encryption, then you cannot be impacted by this issue. Whether you can stop using it depends on your code.

[xiaoge1001]

@alex Thanks for your reply.

(1) If I use public exponent 65537，do I still affected by the CVEs?
(2) If I stop using PKCS1v15 encryption, what do I need to check? Under what circumstances can it be stopped? If I use the tls1.2 protocol, can't I stop it?

I'm very sorry, I don't know much about this.

[alex]

1. As I already said, the public exponent has no impact.
2. cryptography doesn't provide a TLS implementation, so I don't know what you're asking here.

The correct way to mitigate this is to use cryptography the OpenSSL 3.2.0+, either via our wheels or via your own version of OpenSSL.

[xiaoge1001]

1. As I already said, the public exponent has no impact.
2. cryptography doesn't provide a TLS implementation, so I don't know what you're asking here.

The correct way to mitigate this is to use cryptography the OpenSSL 3.2.0+, either via our wheels or via your own version of OpenSSL.

ok, thanks

[xiaoge1001]

#9785 (comment)

In 3.2.0 (or with implicit rejection) OpenSSL doesn't return errors, it returns a deterministically random message in case padding check fails. Since there is no error[1], pyca/crypptography doesn't raise an exception.
-> How is pyca/crypptography handled in the latest version? Where is the relevant code?

[alex]

The relevant code is in rsa.rs. As that comment states, on unpadding failure, a random message will be returned.

[xiaoge1001]

The relevant code is in rsa.rs. As that comment states, on unpadding failure, a random message will be returned.

ok, thank you very much for your reply.

[github-actions]

This issue has been waiting for a reporter response for 3 days. It will be auto-closed if no activity occurs in the next 5 days.

[github-actions]

This issue has not received a reporter response and has been auto-closed. If the issue is still relevant please leave a comment and we can reopen it.

[xiaoge1001]

How to determine whether the ciphertext sent by the attacker complies with the PKCS format based on the time information?

#9785 (comment)

The problem is that pyca/cryptography changes that error into an exception, which causes different code path to be taken, and thus make execution take different amount of time. It's pyca/caryptography that introduces the side-channel leakage.

(1) openssl will return errors inpadding check fails. cryptography changes that error into an exception.
(2) since the fix to CVE-2022-4304 OpenSSL's API will decrypt RSA ciphertexts in constant-time.
For cryptography, the time difference is the time difference between success and failure. How can an attacker determine whether a ciphertext is in the PKCS format based on the time?

[alex]

See https://crypto.stackexchange.com/questions/12688/can-you-explain-bleichenbachers-cca-attack-on-pkcs1-v1-5 for an explanation of Bleichenhacher's attack on PKCS1v15

[xiaoge1001]

If I want to disable RSA PKCS#1v1.5 for encryption and decryption, do I just change the _enc_dec_rsa_pkey_ctx() function?

if isinstance(padding, PKCS1v15):
    raise ValueError("error msg")