README.md: add info about Marvin Attack (RUSTSEC-2023-0071) (#391)

References: - https://github.com/RustCrypto/RSA/issues/19 - https://rustsec.org/advisories/RUSTSEC-2023-0071.html - https://people.redhat.com/~hkario/marvin/
2023-11-28 12:34:13 -07:00 · 2023-11-28 12:34:13 -07:00 · 5d45065bd8
commit 5d45065bd8
parent ac108c9e9d
1 changed files with 9 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -65,16 +65,19 @@ There will be three phases before `1.0` 🚢 can be released.
    - [ ] Fuzz testing
    - [ ] Security Audits

-## Security Notes
+## ⚠️Security Warning

 This crate has received one [security audit by Include Security][audit], with
 only one minor finding which has since been addressed.

 See the [open security issues] on our issue tracker for other known problems.

-Notably the implementation of [modular exponentiation is not constant time],
+~~Notably the implementation of [modular exponentiation is not constant time],
 but timing variability is masked using [random blinding], a commonly used
-technique.
+technique.~~ This crate is vulnerable to the [Marvin Attack] which could enable
+private key recovery by a network attacker (see [RUSTSEC-2023-0071]).
+
+You can follow our work on mitigating this issue in [#390].

 ## Minimum Supported Rust Version (MSRV)

@ -118,3 +121,6 @@ dual licensed as above, without any additional terms or conditions.
 [open security issues]: https://github.com/RustCrypto/RSA/issues?q=is%3Aissue+is%3Aopen+label%3Asecurity
 [modular exponentiation is not constant time]: https://github.com/RustCrypto/RSA/issues/19
 [random blinding]: https://en.wikipedia.org/wiki/Blinding_(cryptography)
+[Marvin Attack]: https://people.redhat.com/~hkario/marvin/
+[RUSTSEC-2023-0071]: https://rustsec.org/advisories/RUSTSEC-2023-0071.html
+[#390]: https://github.com/RustCrypto/RSA/issues/390