NOTE: This bug represents a potential security vulnerability, albeit a minor
one.
When using the 'req' command to construct a new x509 certificate using an
elliptic curve signature algorithm, the digest specifier is SILENTLY ignored.
Thus we get the following output
OpenSSL> version
OpenSSL 0.9.8l 5 Nov 2009
OpenSSL> ecparam -name secp384r1 -out nist384param.pem
OpenSSL> req -x509 -nodes -newkey ec:nist384param.pem -sha384 -keyout
ectest.key -out ectest.pem
Generating a 384 bit EC private key
writing new private key to 'ectest.key'
...
OpenSSL> x509 -in ectest.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9e:a6:61:68:a4:b1:b9:01
Signature Algorithm: ecdsa-with-SHA1
...
Unlike the original DSA, the ECDSA does not mandate the use of SHA-1 but rather
expects the use of a hash function of the same length as the key size. The
current functionality means that it is impossible for OpenSSL 0.9.8 to produce
an EC signature that conforms to the NSA Suite B standard or meet NIST
requirements. This functionality also represents a security flaw, since it
will typically result in the use of a weaker hash function than requested
(although it is noted that a viable attack requires a second pre-image attack
on SHA-1).
This flaw appears to be present in 0.9.8k through the current (0.9.8r) release.
This flaw appears NOT to be present in 1.0.0a or later.
The most desirable fix for the flaw is for the digest specifier to be
honoured. An alternative, less desirable, fix would be for the req command to
fail with a clear error message if a digest is specified and the signature
algorithm would otherwise ignore this.
Nicko van Someren
Chief Security Architect
Juniper Networks
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
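The check a practitioner would want to script against this report, as an added example that is not part of the original message or of OpenSSL itself: repeat the reporter's ecparam/req/x509 sequence for a given curve and digest, then compare the Signature Algorithm written into the certificate against the digest that was requested. It assumes an `openssl` binary on PATH (a release that honours the digest, i.e. 1.0.0a or later, passes; 0.9.8k-r would fail with ecdsa-with-SHA1); the helper names `ec_cert_sigalg` and `check_digest_honoured` are this example's own.

```shell
#!/bin/sh
# Added example, not from the original report or the OpenSSL project.
# Regenerates a self-signed EC certificate the way the report does and
# checks that the certificate's Signature Algorithm reflects the digest
# actually passed to `req`. Assumes `openssl` is on PATH.

set -eu

# ec_cert_sigalg CURVE DIGEST
# Generates EC parameters for CURVE, a self-signed certificate signed with
# DIGEST (passed to req as -DIGEST, e.g. -sha384), and prints the
# "Signature Algorithm" string as recorded in the certificate.
ec_cert_sigalg() {
    curve=$1; digest=$2
    tmp=$(mktemp -d)
    openssl ecparam -name "$curve" -out "$tmp/param.pem" 2>/dev/null
    openssl req -x509 -nodes -newkey "ec:$tmp/param.pem" "-$digest" \
        -subj "/CN=ectest" -days 1 \
        -keyout "$tmp/ectest.key" -out "$tmp/ectest.pem" 2>/dev/null
    # First "Signature Algorithm:" line in the text dump is the one in
    # the TBSCertificate; it must match the algorithm used to sign.
    sigalg=$(openssl x509 -in "$tmp/ectest.pem" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    rm -rf "$tmp"
    printf '%s\n' "$sigalg"
}

# check_digest_honoured CURVE DIGEST
# Returns 0 when the certificate names the requested digest
# (e.g. ecdsa-with-SHA384 for sha384) and 1 when the digest was silently
# replaced (e.g. ecdsa-with-SHA1, the 0.9.8 behaviour in the report).
check_digest_honoured() {
    expected=$(printf '%s' "$2" | tr 'a-z' 'A-Z')   # sha384 -> SHA384
    actual=$(ec_cert_sigalg "$1" "$2")
    case $actual in
        *"$expected"*)
            echo "ok: $1 with $2 -> $actual"
            return 0 ;;
        *)
            echo "digest ignored: requested $2, certificate uses $actual" >&2
            return 1 ;;
    esac
}
```

Run it as `check_digest_honoured secp384r1 sha384`; a non-zero exit means the toolchain is producing a signature with a different (here weaker) hash than the one asked for, which is exactly the silent downgrade the report describes.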