docs/limitations.rst - platform/external/python/cryptography - Git at Google

 Known security limitations
 ==========================

 Secure memory wiping
 --------------------

 `Memory wiping`_ is used to protect secret data or key material from attackers
 with access to deallocated memory. This is a defense-in-depth measure against
 vulnerabilities that leak application memory.

 Many ``cryptography`` APIs which accept ``bytes`` also accept types which
 implement the buffer interface. Thus, users wishing to do so can pass
 ``memoryview`` or another mutable type to ``cryptography`` APIs, and overwrite
 the contents once the data is no longer needed.

 However, ``cryptography`` does not clear memory by default, as there is no way
 to clear immutable structures such as ``bytes``. As a result, ``cryptography``,
 like almost all software in Python is potentially vulnerable to this attack. The
 `CERT secure coding guidelines`_ assesses this issue as "Severity: medium,
 Likelihood: unlikely, Remediation Cost: expensive to repair" and we do not
 consider this a high risk for most users.

 RSA PKCS1 v1.5 constant time decryption
 ---------------------------------------

 RSA decryption has several different modes, one of which is PKCS1 v1.5. When
 used in online contexts, a secure protocol implementation requires that peers
 not be able to tell whether RSA PKCS1 v1.5 decryption failed or succeeded,
 even by timing variability.

 ``cryptography`` does not provide an API that makes this possible, due to the
 fact that RSA decryption raises an exception on failure, which takes a
 different amount of time than returning a value in the success case.

 For this reason, at present, we recommend not implementing online protocols
 that use RSA PKCS1 v1.5 decryption with ``cryptography`` -- independent of this
 limitation, such protocols generally have poor security properties due to their
 lack of forward security.

 If a constant time RSA PKCS1 v1.5 decryption API is truly required, you should
 contribute one to ``cryptography``.

 .. _`Memory wiping`:  https://devblogs.microsoft.com/oldnewthing/?p=4223
 .. _`CERT secure coding guidelines`: https://wiki.sei.cmu.edu/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources
	Known security limitations
	==========================

	Secure memory wiping
	--------------------

	`Memory wiping`_ is used to protect secret data or key material from attackers
	with access to deallocated memory. This is a defense-in-depth measure against
	vulnerabilities that leak application memory.

	Many ``cryptography`` APIs which accept ``bytes`` also accept types which
	implement the buffer interface. Thus, users wishing to do so can pass
	``memoryview`` or another mutable type to ``cryptography`` APIs, and overwrite
	the contents once the data is no longer needed.

	However, ``cryptography`` does not clear memory by default, as there is no way
	to clear immutable structures such as ``bytes``. As a result, ``cryptography``,
	like almost all software in Python is potentially vulnerable to this attack. The
	`CERT secure coding guidelines`_ assesses this issue as "Severity: medium,
	Likelihood: unlikely, Remediation Cost: expensive to repair" and we do not
	consider this a high risk for most users.

	RSA PKCS1 v1.5 constant time decryption
	---------------------------------------

	RSA decryption has several different modes, one of which is PKCS1 v1.5. When
	used in online contexts, a secure protocol implementation requires that peers
	not be able to tell whether RSA PKCS1 v1.5 decryption failed or succeeded,
	even by timing variability.

	``cryptography`` does not provide an API that makes this possible, due to the
	fact that RSA decryption raises an exception on failure, which takes a
	different amount of time than returning a value in the success case.

	For this reason, at present, we recommend not implementing online protocols
	that use RSA PKCS1 v1.5 decryption with ``cryptography`` -- independent of this
	limitation, such protocols generally have poor security properties due to their
	lack of forward security.

	If a constant time RSA PKCS1 v1.5 decryption API is truly required, you should
	contribute one to ``cryptography``.

	.. _`Memory wiping`: https://devblogs.microsoft.com/oldnewthing/?p=4223
	.. _`CERT secure coding guidelines`: https://wiki.sei.cmu.edu/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources