Exponent 3 damage spreads...

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Sun Sep 10 11:43:37 EDT 2006 

On Sun, Sep 10, 2006 at 08:30:53AM +1000, James A. Donald wrote:
>     --
> Ben Laurie wrote:
> > Subject:
> > [dnsop] BIND and OpenSSL's RSA signature forging issue
> > From:
> > Ben Laurie <ben at algroup.co.uk>
> > Date:
> > Fri, 08 Sep 2006 11:40:44 +0100
> > To:
> > DNSEXT WG <namedroppers at ops.ietf.org>, "(DNSSEC deployment)"
> > <dnssec-deployment at shinkuro.com>, dnsop at lists.uoregon.edu
> >
> > To:
> > DNSEXT WG <namedroppers at ops.ietf.org>, "(DNSSEC deployment)"
> > <dnssec-deployment at shinkuro.com>, dnsop at lists.uoregon.edu
> >
> >
> > I've just noticed that BIND is vulnerable to:
> >
> > http://www.openssl.org/news/secadv_20060905.txt
> >
> > Executive summary:
> >
> > RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
> > default. Note that the issue is in the resolver, not the server.
> >
> > Fix:
> >
> > Upgrade OpenSSL.
> >
> > Issue:
> >
> > Since I've been told often that most of the world won't upgrade
> > resolvers, presumably most of the world will be vulnerable to this
> > problem for a long time.
> >
> > Solution:
> >
> > Don't use exponent 3 anymore. This can, of course, be done server-side,
> > where the responsible citizens live, allegedly.
> >
> > Side benefit:
> >
> > You all get to test emergency key roll! Start your motors, gentlemen!
> 
> This seems to presuppose that Secure DNS is actually in use.  I was 
> unaware that this is the case.
> 
> What is the penetration of Secure DNS?

	hard to tell... how many delegations are there?
	that said, RIPE has signed all their delegations
	and the SE delegation is signed.  privately, i am
	aware of perhaps a dozen or so other delegations 
	which are signed.  one might also look to the ISC
	DLV registry to see which of those delegations are
	signed.

--bill
> 
> 
>     --digsig
>          James A. Donald
>      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
>      fLselD6l8fdbF1p4sjg3RQ2GXi+NnQ//1CymnfKs
>      4+JAX1zwW3fSIStp6glgbAygK1zCuoMeiTigr4qmd
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list