May 29, 2024
Participants: @maennchen, @max-au, Paul Swartz, @ingela, @rickard, @voltone
Marvin attack and OTP 27 deprecations
- Background: The Marvin Attack
- OTP 27 deprecates asymmetrical encryption/decryption functions in crypto and public_key
- RSA key exchange, which uses these functions, was already disabled by default due to the ROBOT attack; it is now actively discouraged
- Fixing or deprecating these functions was pushed for by the researchers behind the Marvin attack
- Not practically possible for the OTP team to guarantee these functions are safe, as that depends on the libcrypto dependency
- No plans to remove these functions, likely to stick around for quite a while
  - At least until RSA key exchange, as a compatibility option, is completely removed
  - If/when there is a plan for removal, it will be announced well in advance
- Could other use-cases, in 3rd party apps/libraries, be safe?
  - Depends on the threat model: can an attacker attempt many decryptions and measure the runtime?
  - What alternative do authors have? Adding custom libcrypto bindings adds complexity and could introduce new vulnerabilities
- Plan: improve documentation, warn about risks, explain what plans the OTP team has for these functions
Next meeting
Wed 26 June 2024 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST