From 2310b34bdb530e0bad793d42f589c9f848ff181b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Fri, 22 Jan 2016 13:11:22 +0100
Subject: Fix #19: Implemented blinding when decrypting.

This prevents side-channel (such as timing) attacks, see: https://en.wikipedia.org/wiki/Blinding_%28cryptography%29
---
 rsa/pkcs1.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'rsa/pkcs1.py')

diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
index 7d6814c..0b7982c 100644
--- a/rsa/pkcs1.py
+++ b/rsa/pkcs1.py
@@ -229,8 +229,14 @@ def decrypt(crypto, priv_key):
     blocksize = common.byte_size(priv_key.n)
     encrypted = transform.bytes2int(crypto)
 
-    decrypted = core.decrypt_int(encrypted, priv_key.d, priv_key.n)
-    cleartext = transform.int2bytes(decrypted, blocksize)
+
+    # Perform blinded decryption to prevent side-channel attacks.
+    # See https://en.wikipedia.org/wiki/Blinding_%28cryptography%29
+    blinded = priv_key.blind(encrypted, 4134431)  # blind before decrypting
+    decrypted = core.decrypt_int(blinded, priv_key.d, priv_key.n)
+    unblinded = priv_key.unblind(decrypted, 4134431)
+
+    cleartext = transform.int2bytes(unblinded, blocksize)
 
     # If we can't find the cleartext marker, decryption failed.
     if cleartext[0:2] != b('\x00\x02'):
-- 
cgit v1.2.1
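Review bot: The blinding factor passed to `priv_key.blind` and `priv_key.unblind` is the hard-coded literal 4134431, so every decryption is masked with the same publicly known value and the exponentiation's timing still depends on the ciphertext in a predictable way; blinding only defeats side-channel observation when the factor is fresh, uniformly random in [1, n) and coprime to n for each call, since the unblind step presumably needs its modular inverse. Draw a new value per decryption (the library's own random-int helper, if it is available in this module, is the natural source), reject candidates until gcd(r, n) == 1, store it in a local such as `r`, and use it in both lines: `blinded = priv_key.blind(encrypted, r)` and `unblinded = priv_key.unblind(decrypted, r)`. It would also be worth stating in the comment why a constant is unacceptable, e.g. `# The blinding factor MUST be random and unique per decryption; a fixed value gives no protection.` The enclosing `decrypt` starts before the hunk and continues past its last line.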