Ben Laurie wrote:
> I've just noticed that BIND is vulnerable to:
> http://www.openssl.org/news/secadv_20060905.txt
> Executive summary:
> RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
> default. Note that the issue is in the resolver, not the server.

See a more comprehensive report at
Hal Finney, "Bleichenbacher's RSA signature forgery based on
implementation error" Wed, 30 Aug 2006
http://www.mail-archive.com/cryptography@metzdowd.com/msg06537.html
"based on implementation error" is somehow relevant to understand
exactly where the vulnerability lies. I mean "somehow relevant" because
the specific implementation error (a missing data validation check,
where the check is useful *only* for preventing the Bleichenbacher's RSA
signature forgery while the forgery was previously unknown) is very
likely to be done by even dedicated implementation developers, and
remain undetected in the SW testing phase because of its innocuous-ness.

> Fix:
> Upgrade OpenSSL.

Or use the proper command-line argument in the BIND-specific
dnssec-keygen utility?
Or fix the BIND-specific dnssec-keygen utility to use the other allowed
value (i.e. 65537) as the default?

> Issue:
> Since I've been told often that most of the world won't upgrade
> resolvers, presumably most of the world will be vulnerable to this
> problem for a long time.
> Solution:
> Don't use exponent 3 anymore. This can, of course, be done server-side,
> where the responsible citizens live, allegedly.
> Side benefit:
> You all get to test emergency key roll! Start your motors, gentlemen!

Responsible citizens consult their family cryptographer before selecting
an RSA public key exponent, and they stay away from public exponent=3
for number-theoretic reasons known only to the family cryptographers (of
which the Bleichenbacher's RSA signature forgery is an acutely practical
consequence)!
Cheers,
Cheers,
Ben.
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]
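
For the server-side remedy discussed in this thread (stop publishing exponent-3 keys), here is an added example, not part of the original messages and not BIND code: a Python audit that parses the RSA public key field of DNSKEY records in the RFC 3110 layout and flags exponent 3. The function names and the sample records are constructed for illustration; it assumes one record per line with a numeric algorithm field.

```python
import base64

# DNSSEC algorithm numbers that use the RFC 3110 RSA public key layout.
RSA_ALGORITHMS = {1, 5, 7, 8, 10}

def parse_rsa_dnskey(pubkey_b64):
    """Return (exponent, modulus_bits) from an RFC 3110 public key field."""
    raw = base64.b64decode(pubkey_b64, validate=True)
    if len(raw) < 3:
        raise ValueError("key too short")
    # Exponent length: one octet, or 0x00 followed by a 16-bit big-endian length.
    if raw[0] != 0:
        exp_len, offset = raw[0], 1
    else:
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    exponent = raw[offset:offset + exp_len]
    modulus = raw[offset + exp_len:]
    if exp_len == 0 or len(exponent) != exp_len or not modulus:
        raise ValueError("truncated or malformed key")
    return (int.from_bytes(exponent, "big"),
            int.from_bytes(modulus, "big").bit_length())

def audit_zone(zone_text):
    """Return (owner, exponent, modulus_bits, flagged) per RSA DNSKEY record.

    Assumes one record per line, a numeric algorithm field, and the owner
    name as the first token. flagged is True when the exponent is 3."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing comment
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")               # then: flags, protocol, algorithm, key
        if len(fields) < i + 5 or int(fields[i + 3]) not in RSA_ALGORITHMS:
            continue
        exponent, bits = parse_rsa_dnskey("".join(fields[i + 4:]))
        findings.append((fields[0], exponent, bits, exponent == 3))
    return findings

def constructed_record(owner, exponent):
    """Build a sample DNSKEY line around a made-up 1024-bit modulus (not a real key)."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    modulus = bytes([0xC3]) + bytes(range(1, 128))
    key = base64.b64encode(bytes([len(e)]) + e + modulus).decode()
    return f"{owner} 3600 IN DNSKEY 256 3 5 {key}"

SAMPLE_ZONE = "\n".join([constructed_record("weak.example.", 3),
                         constructed_record("ok.example.", 65537)])

if __name__ == "__main__":
    for owner, e, bits, flagged in audit_zone(SAMPLE_ZONE):
        print(owner, f"e={e}", f"{bits}-bit", "REPLACE KEY" if flagged else "ok")
```

A flagged record means the key pair has to be regenerated with the other exponent and rolled, since the exponent is part of the published key.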