Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

citing Marvin attack? #214

Open
armfazh opened this issue Oct 10, 2023 · 4 comments
Open

citing Marvin attack? #214

armfazh opened this issue Oct 10, 2023 · 4 comments

Comments

@armfazh
Copy link
Contributor

armfazh commented Oct 10, 2023

It's probably worth citing Marvin attack in Section Alternative RSA Encoding Functions

According to [RFC8017], "Although no attacks are known against RSASSA-PKCS#1 v1.5, in the interest of increased robustness, RSA-PSS [RFC8017] is recommended for eventual adoption in new applications."
@FredericJacobs
Copy link
Collaborator

Hi @armfazh,
Thanks for opening this issue. I wonder what our options are now that we have an RFC.
I think we would need to go through the whole process to get an errata issued.

@chris-wood : What do you think? Our last revision precedes the public disclosure of this vulnerability but I don't know what our options are to address this.

@chris-wood
Copy link
Collaborator

The only option is errata at this point. That said, doesn't the attack only apply to PKCS#1 v1.5? What would be the reason for citing it in this document?

@jedisct1
Copy link
Collaborator

Because we are quoting RFC8017: "Although no attacks are known against RSASSA-PKCS#1 v1.5" [RSA-PSS is recommended]

@chris-wood
Copy link
Collaborator

Oh, hah, I see 🤦 an errata is the best way forward then!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jedisct1 @FredericJacobs @chris-wood @armfazh