Exponent 3 damage spreads...
Ben Laurie
ben at algroup.co.uk
Sun Sep 10 02:04:52 EDT 2006
James A. Donald wrote:
> --
> Ben Laurie wrote:
>> Subject:
>> [dnsop] BIND and OpenSSL's RSA signature forging issue
>> From:
>> Ben Laurie <ben at algroup.co.uk>
>> Date:
>> Fri, 08 Sep 2006 11:40:44 +0100
>> To:
>> DNSEXT WG <namedroppers at ops.ietf.org>, "(DNSSEC deployment)"
>> <dnssec-deployment at shinkuro.com>, dnsop at lists.uoregon.edu
>>
>> To:
>> DNSEXT WG <namedroppers at ops.ietf.org>, "(DNSSEC deployment)"
>> <dnssec-deployment at shinkuro.com>, dnsop at lists.uoregon.edu
>>
>>
>> I've just noticed that BIND is vulnerable to:
>>
>> http://www.openssl.org/news/secadv_20060905.txt
>>
>> Executive summary:
>>
>> RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
>> default. Note that the issue is in the resolver, not the server.
>>
>> Fix:
>>
>> Upgrade OpenSSL.
>>
>> Issue:
>>
>> Since I've been told often that most of the world won't upgrade
>> resolvers, presumably most of the world will be vulnerable to this
>> problem for a long time.
>>
>> Solution:
>>
>> Don't use exponent 3 anymore. This can, of course, be done server-side,
>> where the responsible citizens live, allegedly.
>>
>> Side benefit:
>>
>> You all get to test emergency key roll! Start your motors, gentlemen!
>
> This seems to presuppose that Secure DNS is actually in use. I was
> unaware that this is the case.
Does it? All it presupposes, I thought, was that secure DNS was being
tested. Which it is.
> What is the penetration of Secure DNS?
Anyone who is running any vaguely recent version of BIND is DNSSEC
enabled, whether they are using it now or not. Unless they upgrade, they
will be vulnerable when they start to use it. So, the question of
whether to use exponent 3 is unrelated to the penetration of DNSSEC use
now, it is related to the penetration of broken implementations of
DNSSEC now.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list