Thierry Moreau wrote:
>
>
> Ben Laurie wrote:
>
>> I've just noticed that BIND is vulnerable to:
>>
>> http://www.openssl.org/news/secadv_20060905.txt
>>
>> Executive summary:
>>
>> RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
>> default. Note that the issue is in the resolver, not the server.
>>
>
> See a more comprehensive report at
>
> Hal Finney, "Bleichenbacher's RSA signature forgery based on
> implementation error" Wed, 30 Aug 2006
> http://www.mail-archive.com/cryptography@metzdowd.com/msg06537.html
>
> "based on implementation error" is somehow relevant to understand
> exactly where the vulnerability lies. I mean "somehow relevant" because
> the specific implementation error (a missing data validation check,
> where the check is useful *only* for preventing the Bleichenbacher's RSA
> signature forgery while the forgery was previously unknown) is very
> likely to be done by even dedicated implementation developers, and
> remain undetected in the SW testing phase because of its innocuous-ness.
>
>> Fix:
>>
>> Upgrade OpenSSL.
>>
>
> Or use the proper command-line argument in the BIND-specific
> dnssec-keygen utility?
>
> Or fix the BIND-specific dnssec-keygen utility to use the other allowed
> value (i.e. 65537) as the default?

Neither of these measures will fix existing keys, of course.

>
>> Issue:
>>
>> Since I've been told often that most of the world won't upgrade
>> resolvers, presumably most of the world will be vulnerable to this
>> problem for a long time.
>>
>> Solution:
>>
>> Don't use exponent 3 anymore. This can, of course, be done server-side,
>> where the responsible citizens live, allegedly.
>>
>> Side benefit:
>>
>> You all get to test emergency key roll! Start your motors, gentlemen!
>>
>
> Responsible citizens consult their family cryptographer before selecting
> an RSA public key exponent, and they stay away from public exponent=3
> for number-theoretic reasons known only to the family cryptographers (of
> which the Bleichenbacher's RSA signature forgery is an acutely practical
> consequence)!
>
>> Cheers,
>
> Cheers,
>
>>
>> Ben.
>>
>
> - Thierry Moreau
>
> CONNOTECH Experts-conseils inc.
> 9130 Place de Montgolfier
> Montreal, Qc
> Canada H2M 2A1
>
> Tel.: (514)385-5691
> Fax: (514)385-5900
>
> web site: http://www.connotech.com
> e-mail: [EMAIL PROTECTED]
>
> .
> dnsop resources:_____________________________________________________
> web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
> mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
>
>

--
http://www.apache-ssl.org/ben.html http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
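
Added example (not part of the original message and not BIND's code): a Python check that finds the existing exponent-3 RSA DNSKEY records the thread says must be rolled. It assumes the RFC 3110 key field layout; the function names and the sample zone lines are constructed for illustration.

```python
import base64

RSA_ALGS = {1, 5, 7, 8, 10}  # DNSSEC algorithm numbers whose keys use the RFC 3110 layout

def rsa_exponent(key_b64):
    """Return (exponent, modulus_bits) from an RFC 3110 RSA public key field."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) < 3:
        raise ValueError("key field too short")
    elen, off = raw[0], 1
    if elen == 0:  # long form: 0x00 followed by a 16-bit exponent length
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    exp, mod = raw[off:off + elen], raw[off + elen:]
    if elen == 0 or len(exp) != elen or not mod:
        raise ValueError("truncated exponent or missing modulus")
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big").bit_length()

def audit_dnskeys(lines):
    """Return (owner, algorithm, exponent, modulus_bits, is_exponent_3) per RSA DNSKEY line."""
    findings = []
    for line in lines:
        # Drop comments and the parentheses used for multi-token key data.
        tok = [t for t in line.split(";")[0].split() if t not in ("(", ")")]
        if "DNSKEY" not in tok:
            continue
        i = tok.index("DNSKEY")          # followed by: flags protocol algorithm key
        alg = int(tok[i + 3])
        if alg not in RSA_ALGS:
            continue
        e, bits = rsa_exponent("".join(tok[i + 4:]))
        findings.append((tok[0], alg, e, bits, e == 3))
    return findings

def sample_key(e):
    # Constructed test data: a 1024-bit filler "modulus", not a real RSA key.
    mod = b"\xc3" + bytes(range(1, 128))
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return base64.b64encode(bytes([len(eb)]) + eb + mod).decode()

SAMPLE_ZONE = [  # constructed zone-file lines
    "example. 3600 IN DNSKEY 256 3 5 " + sample_key(3),
    "example. 3600 IN DNSKEY 257 3 5 ( " + sample_key(65537) + " ) ; KSK",
    "example. 3600 IN NS ns1.example.",
]

if __name__ == "__main__":
    for owner, alg, e, bits, weak in audit_dnskeys(SAMPLE_ZONE):
        print(owner, alg, e, bits, "ROLL KEY: exponent 3" if weak else "ok")
```

The parser handles one record per line; zone files that wrap key data across several lines need the lines joined first.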