File: limitations.rst

package info (click to toggle)
python-cryptography 46.0.1-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 5,684 kB
  • sloc: python: 52,706; java: 319; makefile: 160
file content (44 lines) | stat: -rw-r--r-- 2,243 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
 
Known security limitations
==========================

Secure memory wiping
--------------------

`Memory wiping`_ is used to protect secret data or key material from attackers
with access to deallocated memory. This is a defense-in-depth measure against
vulnerabilities that leak application memory.

Many ``cryptography`` APIs which accept ``bytes`` also accept types which
implement the buffer interface. Thus, users wishing to do so can pass
``memoryview`` or another mutable type to ``cryptography`` APIs, and overwrite
the contents once the data is no longer needed.

However, ``cryptography`` does not clear memory by default, as there is no way
to clear immutable structures such as ``bytes``. As a result, ``cryptography``,
like almost all software in Python is potentially vulnerable to this attack. The
`CERT secure coding guidelines`_ assesses this issue as "Severity: medium,
Likelihood: unlikely, Remediation Cost: expensive to repair" and we do not
consider this a high risk for most users.

RSA PKCS1 v1.5 constant time decryption
---------------------------------------

RSA decryption has several different modes, one of which is PKCS1 v1.5. When
used in **online contexts**, a secure protocol implementation requires that
peers not be able to tell whether RSA PKCS1 v1.5 decryption failed or
succeeded, even by timing variability.

``cryptography`` does not provide an API that makes this possible, due to the
fact that RSA decryption raises an exception on failure, which takes a
different amount of time than returning a value in the success case.

In OpenSSL 3.2.0 and newer, this is automatically mitigated by OpenSSL (by
returning a random value and never raising an exception). If you are using
cryptography with an older version of OpenSSL, such attacks are still possible.

Regardless of OpenSSL version, we recommend not implementing or using online
protocols that use RSA PKCS1 v1.5 decryption, as such protocols generally have
poor security properties due to their lack of forward security.

.. _`Memory wiping`: https://devblogs.microsoft.com/oldnewthing/?p=4223
.. _`CERT secure coding guidelines`: https://wiki.sei.cmu.edu/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources