Security Advisories (2)

CVE-2020-17478 (2020-08-10)

ECDSA/EC/Point.pm in Crypt::Perl before 0.33 does not properly consider timing attacks against the EC point multiplication algorithm.

https://github.com/FGasper/p5-Crypt-Perl/compare/0.32...0.33

CVE-2020-13895 (2020-06-07)

Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module before 0.32 for Perl fails to verify correct ECDSA signatures when r and s are small and when s = 1. This happens when using the curve secp256r1 (prime256v1). This could conceivably have a security-relevant impact if an attacker wishes to use public r and s values when guessing whether signature verification will fail.

NAME

Crypt::Perl::RSA - RSA in pure Perl (really!)

SYNOPSIS

my $prkey1 = Crypt::Perl::RSA::Parse::private($pem_or_der);
my $pbkey1 = Crypt::Perl::RSA::Parse::public($pem_or_der);

#----------------------------------------------------------------------

my $prkey = Crypt::Perl::RSA::Generate::generate(2048);

my $der = $prkey->to_der();
my $der2 = $prkey->to_pem();

#----------------------------------------------------------------------

my $msg = 'My message';

my $sig = $prkey->sign_RS256($msg);

die 'Wut' if !$prkey->verify_RS256($msg, $sig);

die 'Wut' if !$pbkey->verify_RS256($msg, $sig);

DISCUSSION

See the documentation for Crypt::Perl::RSA::PublicKey and Crypt::Perl::RSA::PrivateKey for more on what these interfaces can do.

NOTE: The RSA logic here is ported from Kenji Urushima’s jsrsasign.

SECURITY

RSA is safe as long as factorization is “hard”. As computers get faster, RSA keys have needed to get bigger and bigger to maintain the “difficulty” of factoring the key’s modulus. RSA will eventually no longer be viable toward this end: as RSA keys get bigger, the security advantage of increasing their size diminishes.

SPEED

Key generation is probably generally useful only with an XS-based backend to Math::BigInt. Once Math::Prime::Util is installable without a compiler I’ll replace Math::ProvablePrime here with Math::Prime::Util, which should speed things up significantly.

TODO

This minimal set of functionality can be augmented as feature requests come in. Ideas:

Support signature schemes besides PKCS #1 v1.5.
Use faster prime-number-finder logic if it’s available.

To install Crypt::Perl, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Crypt::Perl

CPAN shell

perl -MCPAN -e shell
install Crypt::Perl

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)