-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Migrating from num-bigint(-dig)
to crypto-bigint
#390
Comments
num-bigint
to crypto-bigint
num-bigint(-dig)
to crypto-bigint
work on this is happening on #394 |
Hi, I'm looking for stack-allocated RSA library in Rust. |
See #394 (comment) and #394 (comment) |
#51 is the tracking issue for "heapless" support |
We keep getting asked about https://rustsec.org/advisories/RUSTSEC-2023-0071.html and how it impacts kumomta. The answer to that question is: in the default build configuration, we use openssl's RSA signing implementation rather than that of the rsa crate. The reason for this is that OpenSSL's RSA implementation is due to the performance gap between the two implementations (RustCrypto/RSA#339). The result of this is that the problematic code and attack vector described in the security advisory does not apply to KumoMTA, because it is not used to compute any signatures. In the interest of not raising any false alarms as more and more people perform security analyses on kumomta, this commit removes the `rsa` crate from the build graph. In order to do so, we need to port verification over to the openssl RSA implementation which is what this commit does. I look forward to a future version of the `rsa` crate being published that has this issue resolved, and that closes the performance gap! refs: RustCrypto/RSA#390
There are a couple issues related to this (#19, #51), but no specific discussion issue for it, so I thought I'd open one.
crypto-bigint
v0.6.0-pre.0 now includes more fully featured heap-allocated types which are fixed-precision, can be easily padded to the modulus size, and are (almost) completely implemented in terms of constant-time algorithms:BoxedUint
BoxedResidue
BoxedResidueParams
Notably it should be possible to represent the RSA modulus using
BoxedResidueParams
which precomputes the constants needed to translate in and out of the Montgomery domain.The
BoxedResidue
type supports modularpow
andinvert
, andBoxedUint
supportsinv_mod
(though the implementation onBoxedResidue
should be more efficient, since it can rely on an odd modulus). All of these are implemented using constant-time algorithms, although lingering bits of timing variability may remain in certain places (notably theBoxedResidueParams
constructor presently uses a non-constant-time remainder function, though since the RSA modulus is a public parameter this shouldn't be an issue).That should be the core functionality required. There are probably still gaps as this functionality was somewhat hastily implemented, though it should all be fairly well tested.
To start I think we can focus on
rsa::hazmat::rsa_decrypt
, perhaps convertingnum_bigint::BigUint
tocrypto_bigint::BoxedResidue
internally. If we can get that to work, we may be able to ship a mitigation without breaking changes to the public API.A full conversion will require much more work. We'll need to add
Boxed*
support tocrypto-primes
, for example: https://github.com/entropyxyz/crypto-primescc @dignifiedquire
The text was updated successfully, but these errors were encountered: