Security Advisories (2)
CVE-2020-17478 (2020-08-10)

ECDSA/EC/Point.pm in Crypt::Perl before 0.33 does not properly consider timing attacks against the EC point multiplication algorithm.

CVE-2020-13895 (2020-06-07)

Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module before 0.32 for Perl fails to verify correct ECDSA signatures when r and s are small and when s = 1. This happens when using the curve secp256r1 (prime256v1). This could conceivably have a security-relevant impact if an attacker wishes to use public r and s values when guessing whether signature verification will fail.

NAME

Crypt::Perl::RSA - RSA in pure Perl (really!)

SYNOPSIS

use Crypt::Perl::RSA::Parse ();
use Crypt::Perl::RSA::Generate ();

# Load an existing key from a PEM or DER encoding:
my $prkey1 = Crypt::Perl::RSA::Parse::private($pem_or_der);
my $pbkey1 = Crypt::Perl::RSA::Parse::public($pem_or_der);

#----------------------------------------------------------------------

# Or generate a fresh 2048-bit key (slow in pure Perl; see SPEED below):
my $prkey = Crypt::Perl::RSA::Generate::generate(2048);

my $der = $prkey->to_der();
my $pem = $prkey->to_pem();

# The public half of the generated key (see Crypt::Perl::RSA::PrivateKey):
my $pbkey = $prkey->get_public_key();

#----------------------------------------------------------------------

my $msg = 'My message';

# RS256 = RSASSA-PKCS1-v1_5 over SHA-256
my $sig = $prkey->sign_RS256($msg);

die 'Wut' if !$prkey->verify_RS256($msg, $sig);

die 'Wut' if !$pbkey->verify_RS256($msg, $sig);
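A self-test script that exercises the interface above end to end and checks that verification rejects tampered input, added here as an example rather than code from the Crypt::Perl distribution. It assumes `get_public_key()` on the private-key object and a `$VERSION` in `Crypt::Perl` (used to refuse releases older than 0.33, where both advisories listed at the top of this page are fixed); the 1024-bit key is only to keep the slow pure-Perl generation step short.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use Crypt::Perl ();
use Crypt::Perl::RSA::Generate ();
use Crypt::Perl::RSA::Parse ();

# Both advisories above are fixed in 0.33; UNIVERSAL::VERSION dies if the
# installed Crypt::Perl is older. (Assumes Crypt::Perl carries a $VERSION.)
Crypt::Perl->VERSION('0.33');

# 1024 bits keeps pure-Perl key generation tolerable for a self-test only;
# real keys should be 2048 bits or more.
my $prkey = Crypt::Perl::RSA::Generate::generate(1024);

# Round-trip through PEM so the parser is exercised too. get_public_key()
# on the private-key object is an assumption (see Crypt::Perl::RSA::PrivateKey).
my $prkey2 = Crypt::Perl::RSA::Parse::private( $prkey->to_pem() );
my $pbkey  = Crypt::Perl::RSA::Parse::public( $prkey->get_public_key()->to_pem() );

my $msg = 'My message';
my $sig = $prkey->sign_RS256($msg);

# Corrupt one bit of the signature; verification must fail on it.
my $bad_sig = $sig;
vec($bad_sig, 0, 8) = vec($bad_sig, 0, 8) ^ 1;

# A bad signature is rejected whether verify_RS256() returns false or dies;
# either way the caller must treat it as failure.
sub rejects {
    my ($key, $m, $s) = @_;
    my $ok = eval { $key->verify_RS256($m, $s) };
    return !$ok;
}

my @checks = (
    [ 'private key verifies its own signature' => $prkey->verify_RS256($msg, $sig) ],
    [ 'PEM round-tripped private key verifies' => $prkey2->verify_RS256($msg, $sig) ],
    [ 'public key verifies'                    => $pbkey->verify_RS256($msg, $sig) ],
    [ 'tampered message is rejected'           => rejects($pbkey, 'My messagf', $sig) ],
    [ 'bit-flipped signature is rejected'      => rejects($pbkey, $msg, $bad_sig) ],
    [ 'truncated signature is rejected'        => rejects($pbkey, $msg, substr($sig, 0, -1)) ],
);

my $failed = 0;
for my $c (@checks) {
    my ($name, $ok) = @$c;
    printf "%s: %s\n", ($ok ? 'ok' : 'FAIL'), $name;
    $failed++ if !$ok;
}
exit($failed ? 1 : 0);
```

The exit status is non-zero if any check fails, so the script can run as a post-install smoke test.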

DISCUSSION

See the documentation for Crypt::Perl::RSA::PublicKey and Crypt::Perl::RSA::PrivateKey for more on what these interfaces can do.

NOTE: The RSA logic here is ported from Kenji Urushima’s jsrsasign.

SECURITY

RSA is safe as long as factoring large integers is “hard”. As computers get faster, RSA keys have had to get bigger and bigger to keep the key’s modulus “difficult” to factor. RSA will eventually no longer be viable on those terms: as RSA keys get bigger, the security advantage gained by increasing their size further diminishes.

SPEED

Key generation is pretty slow—potentially unacceptably so for general use. It can be made faster by having an XS-based backend available for Math::BigInt and Bytes::Random::Secure::Tiny, but it’ll still be pretty pokey. The difficulty rests in prime number generation, which is handled by Math::ProvablePrime.

TODO

This minimal set of functionality can be augmented as feature requests come in. Ideas:

  • Support signature schemes besides PKCS #1 v1.5.

  • Use faster prime-number-finder logic if it’s available.