Open
Description
(since I have haven't found a security policy or an email to report security vulnerabilities I'm filing it directly here)
I've verified that the node-rsa 1.1.1 package running on node 21.1.0 is vulnerable to the Marvin Attack (a timing variant of the well-known Bleichenbacher attack).
I've executed the script on Ryzen 5 5600X on an isolated cpu core.
The summary of the test:
Sign test mean p-value: 0.3691, median p-value: 0.2482, min p-value: 0.0
Friedman test (chisquare approximation) for all samples
p-value: 0.0
Worst pair: 3(no_structure), 5(valid_0)
Mean of differences: -3.17599e-05s, 95% CI: -3.24520e-05s, -3.114535e-05s (±6.533e-07s)
Median of differences: -3.20305e-05s, 95% CI: -3.22410e-05s, -3.179000e-05s (±2.255e-07s)
Trimmed mean (5%) of differences: -3.17426e-05s, 95% CI: -3.19244e-05s, -3.155255e-05s (±1.859e-07s)
Trimmed mean (25%) of differences: -3.18371e-05s, 95% CI: -3.20280e-05s, -3.163763e-05s (±1.952e-07s)
Trimmed mean (45%) of differences: -3.19491e-05s, 95% CI: -3.21577e-05s, -3.173588e-05s (±2.109e-07s)
Trimean of differences: -3.18982e-05s, 95% CI: -3.20940e-05s, -3.168987e-05s (±2.021e-07s)
Layperson explanation: Definite side-channel detected, implementation is VULNERABLE
the description of the probes:
ID,Name
0,header_only
1,no_header_with_payload_48
2,no_padding_48
3,no_structure
4,signature_padding_8
5,valid_0
6,valid_48
7,valid_192
8,valid_246
9,valid_repeated_byte_payload_246_1
10,valid_repeated_byte_payload_246_255
11,zero_byte_in_padding_48_4
explanation of the probes is in the step2.py script.
Given the large size of the timing signal, the attack will be easy to perform remotely.
Metadata
Metadata
Assignees
Labels
No labels