Summary
Nimbus-Jose is vulnerable to a chosen message attack that can decrypt RSA-encrypted ciphertexts by measuring the decryption time. The attack exploits a timing difference caused by an internal exception, which lets an attacker distinguish ciphertexts with valid PKCS #1 v1.5 padding from ciphertexts with invalid padding.
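The two unpadding routines below are an added illustration and are not Nimbus-Jose code: the first raises on the first failed check, which is the pattern the advisory describes as observable through timing, while the second evaluates every PKCS #1 v1.5 check without early exit and substitutes a random content-encryption key on failure, the mitigation RFC 7516 section 11.5 prescribes for RSA1_5 so that decryption then fails uniformly at the AEAD tag check. The `fallback` parameter is an assumption added only so the substitution can be tested; Python cannot guarantee constant-time execution, so the example shows the structure of the mitigation rather than a timing guarantee.

```python
import os
from typing import Optional


def unwrap_cek_raising(em: bytes, cek_len: int) -> bytes:
    """Pattern the advisory describes as vulnerable: PKCS #1 v1.5 type-2
    unpadding (RFC 8017 section 7.2.2) that raises as soon as a check fails.
    The exception path takes a measurably different time from the success
    path, which is what exposes a padding oracle to an attacker."""
    k = len(em)
    if k < cek_len + 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad padding")
    sep = k - cek_len - 1                 # index of the 0x00 separator
    if em[sep] != 0x00 or 0 in em[2:sep]:  # padding string must be nonzero
        raise ValueError("bad padding")
    return em[sep + 1:]


def unwrap_cek_uniform(em: bytes, cek_len: int,
                       fallback: Optional[bytes] = None) -> bytes:
    """Hardened pattern (RFC 7516 section 11.5): run every padding check
    without an early exit and, on failure, return a random CEK of the
    expected length instead of raising. The caller proceeds to content
    decryption with that key and fails at the AEAD tag check, so valid
    and invalid paddings follow the same code path.
    `fallback` is a hypothetical test hook; real callers leave it None."""
    if fallback is None:
        fallback = os.urandom(cek_len)
    k = len(em)
    # k is the modulus size and cek_len is fixed by the JWE "enc" header;
    # both are public, so rejecting impossible sizes up front leaks nothing.
    if k < cek_len + 11:
        return fallback
    sep = k - cek_len - 1
    bad = int(em[0] != 0x00) | int(em[1] != 0x02) | int(em[sep] != 0x00)
    for b in em[2:sep]:                   # padding string must be nonzero
        bad |= int(b == 0)
    # mask is 0xFF when any check failed and 0x00 otherwise; select the
    # fallback or the embedded key byte-wise instead of branching on bad.
    mask = (0 - bad) & 0xFF
    return bytes((c & (~mask & 0xFF)) | (f & mask)
                 for c, f in zip(em[sep + 1:], fallback))
```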
Severity
Moderate - This could allow the attacker to choose the messages that are encrypted and decrypted by a cryptographic system. This allows the attacker to learn more about the system and how it works, which can then be used to launch more sophisticated attacks.
Proof of Concept
C2SP/wycheproof@b063b4a
Timeline
Date reported: 3/03/2023
Date fixed:
Date disclosed: 06/05/2023