• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 Known security limitations
2 ==========================
3 
4 Secure memory wiping
5 --------------------
6 
7 `Memory wiping`_ is used to protect secret data or key material from attackers
8 with access to deallocated memory. This is a defense-in-depth measure against
9 vulnerabilities that leak application memory.
10 
11 Many ``cryptography`` APIs which accept ``bytes`` also accept types which
12 implement the buffer interface. Thus, users wishing to do so can pass
13 ``memoryview`` or another mutable type to ``cryptography`` APIs, and overwrite
14 the contents once the data is no longer needed.
15 
16 However, ``cryptography`` does not clear memory by default, as there is no way
17 to clear immutable structures such as ``bytes``. As a result, ``cryptography``,
18 like almost all software in Python is potentially vulnerable to this attack. The
19 `CERT secure coding guidelines`_ assesses this issue as "Severity: medium,
20 Likelihood: unlikely, Remediation Cost: expensive to repair" and we do not
21 consider this a high risk for most users.
22 
23 RSA PKCS1 v1.5 constant time decryption
24 ---------------------------------------
25 
26 RSA decryption has several different modes, one of which is PKCS1 v1.5. When
27 used in online contexts, a secure protocol implementation requires that peers
28 not be able to tell whether RSA PKCS1 v1.5 decryption failed or succeeded,
29 even by timing variability.
30 
31 ``cryptography`` does not provide an API that makes this possible, due to the
32 fact that RSA decryption raises an exception on failure, which takes a
33 different amount of time than returning a value in the success case.
34 
35 For this reason, at present, we recommend not implementing online protocols
36 that use RSA PKCS1 v1.5 decryption with ``cryptography`` -- independent of this
37 limitation, such protocols generally have poor security properties due to their
38 lack of forward security.
39 
40 If a constant time RSA PKCS1 v1.5 decryption API is truly required, you should
41 contribute one to ``cryptography``.
42 
43 .. _`Memory wiping`:  https://devblogs.microsoft.com/oldnewthing/?p=4223
44 .. _`CERT secure coding guidelines`: https://wiki.sei.cmu.edu/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources
45