pgp 0.20.0

OpenPGP implementation in Rust
# Security Status

## Known Issues

The [`rsa`](https://crates.io/crates/rsa) crate that rPGP uses is vulnerable to the Marvin attack and potentially other side-channel attacks. This is being tracked and actively worked on:

- https://github.com/RustCrypto/RSA/issues/19
- https://github.com/RustCrypto/RSA/pull/394

## Security Audits

rPGP and its RSA dependency received two independent security audits and a security analysis.

### 2024-12

Audit ["Nlnet Security Evaluation rPGP"](https://github.com/rpgp/docs/blob/main/audits/NGI%20Core%20rPGP%20penetration%20test%20report%202024%201.0.pdf) by [Radically Open Security](https://www.radicallyopensecurity.com/).

Two advisories were released about the findings of this audit:

- ["Panics on Malformed Untrusted Input"](https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv) (CVE-2024-53856)
- ["Potential Resource Exhaustion when handling Untrusted Messages"](https://github.com/rpgp/rpgp/security/advisories/GHSA-4grw-m28r-q285) (CVE-2024-53857)

The issues outlined in these advisories have been fixed.

### 2024-03

[Hardening Guaranteed End-to-End encryption based on a security analysis from ETH researchers](https://delta.chat/en/2024-03-25-crypto-analysis-securejoin)

All discovered issues have been fixed.

### 2019

[Security Assessment of DeltaChat's RPGP and RustCrypto RSA Libraries for the Open Tech Fund](https://delta.chat/assets/blog/2019-first-security-review.pdf).

No critical flaws were found and we have fixed most high, medium and low risk ones.

## Occurrence of weak algorithms in rPGP

### SHA-1

SHA-1 is not considered cryptographically secure; practical attacks exist.

However, OpenPGP can use the SHA-1 hash algorithm in a number of different contexts:

1. Fingerprints for v4 keys
2. As a hash algorithm in signatures
3. In SEIPDv1 encrypted messages for modification detection

These mechanisms all have modern replacements in RFC 9580.

Specifically, 2. (using SHA-1 in signatures) has been deprecated in OpenPGP for a long time: SHA-2 was already
specified in RFC 4880, in the year 2007. Applications that use rPGP should consider using policies that don't accept
signatures that hinge on SHA-1 hashes, as appropriate.

rPGP uses [sha1-checked](https://crates.io/crates/sha1-checked) for 1. and 2. since version 0.13.0
(see https://github.com/rpgp/rpgp/pull/353).

This mitigates the currently known practical attacks, but is of course only a stopgap measure.

For case 3., collisions are not a concern, so rPGP uses the cheaper unchecked basic sha1 implementation.
(Still, RFC 9580 specifies SEIPDv2, which uses a modern AEAD construction, and aims to eventually replace SEIPDv1.)

### MD5

As with SHA-1, MD5 hashes can occur in historical OpenPGP artifacts. Specifically:

- Fingerprints for v3/v2 keys
- As a hash algorithm in signatures

rPGP supports interacting with such artifacts, but they should be considered cryptographically insecure by
applications.
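
One way an application could enforce the signature policies suggested in the SHA-1 and MD5 sections above, shown as an added example that is not rPGP's own code or API. It assumes the input is a raw Signature packet body with the packet header already stripped, and the names `Verdict`, `sig_hash_alg` and `check_signature_hash` are hypothetical.

```rust
// Added example (std only, not rPGP's API). Hash algorithm IDs per RFC 9580.
#[derive(Debug, PartialEq)]
enum Verdict {
    Accept(u8),     // hash algorithm is on the allow-list
    WeakHash(u8),   // MD5 (1) or SHA-1 (2)
    NotAllowed(u8), // any other ID that is not on the allow-list
    Malformed,      // truncated body or unsupported signature version
}

/// Hash algorithm octet of a Signature packet body (assumption: packet
/// header already stripped). Bounds-checked: short input gives None, never a panic.
fn sig_hash_alg(body: &[u8]) -> Option<u8> {
    match *body.first()? {
        // v3: version, hashed length, type, time[4], key ID[8], pk alg, hash alg
        3 => body.get(16).copied(),
        // v4 and v6: version, type, pk alg, hash alg
        4 | 6 => body.get(3).copied(),
        _ => None,
    }
}

/// Policy: accept only SHA-2 (8, 9, 10, 11) and SHA-3 (12, 14) signatures.
fn check_signature_hash(body: &[u8]) -> Verdict {
    match sig_hash_alg(body) {
        None => Verdict::Malformed,
        Some(id @ (1 | 2)) => Verdict::WeakHash(id),
        Some(id @ (8..=12 | 14)) => Verdict::Accept(id),
        Some(id) => Verdict::NotAllowed(id),
    }
}

fn main() {
    // Constructed sample bodies (leading octets only), not real signatures.
    let v4_sha256 = [4u8, 0x00, 1, 8, 0, 0];
    let v4_sha1 = [4u8, 0x00, 1, 2, 0, 0];
    let mut v3_md5 = [0u8; 19];
    v3_md5[0] = 3; // version
    v3_md5[1] = 5; // length of hashed material
    v3_md5[15] = 1; // public-key algorithm: RSA
    v3_md5[16] = 1; // hash algorithm: MD5
    for body in [&v4_sha256[..], &v4_sha1[..], &v3_md5[..], &[4u8, 0][..]] {
        println!("{:?}", check_signature_hash(body));
    }
}
```

Any verdict other than `Accept` should be treated as an invalid signature before cryptographic verification is attempted.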