Exponent 3 damage spreads...
James A. Donald
jamesd at echeque.com
Sat Sep 9 18:30:53 EDT 2006
--
Ben Laurie wrote:
> Subject:
> [dnsop] BIND and OpenSSL's RSA signature forging issue
> From:
> Ben Laurie <ben at algroup.co.uk>
> Date:
> Fri, 08 Sep 2006 11:40:44 +0100
> To:
> DNSEXT WG <namedroppers at ops.ietf.org>, "(DNSSEC deployment)"
> <dnssec-deployment at shinkuro.com>, dnsop at lists.uoregon.edu
>
> To:
> DNSEXT WG <namedroppers at ops.ietf.org>, "(DNSSEC deployment)"
> <dnssec-deployment at shinkuro.com>, dnsop at lists.uoregon.edu
>
>
> I've just noticed that BIND is vulnerable to:
>
> http://www.openssl.org/news/secadv_20060905.txt
>
> Executive summary:
>
> RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
> default. Note that the issue is in the resolver, not the server.
>
> Fix:
>
> Upgrade OpenSSL.
>
> Issue:
>
> Since I've been told often that most of the world won't upgrade
> resolvers, presumably most of the world will be vulnerable to this
> problem for a long time.
>
> Solution:
>
> Don't use exponent 3 anymore. This can, of course, be done server-side,
> where the responsible citizens live, allegedly.
>
> Side benefit:
>
> You all get to test emergency key roll! Start your motors, gentlemen!
This seems to presuppose that Secure DNS is actually in use. I was
unaware that this is the case.
What is the penetration of Secure DNS?
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
fLselD6l8fdbF1p4sjg3RQ2GXi+NnQ//1CymnfKs
4+JAX1zwW3fSIStp6glgbAygK1zCuoMeiTigr4qmd
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list