Exponent 3 damage spreads...
bmanning at vacation.karoshi.com
Sun Sep 10 11:43:37 EDT 2006
On Sun, Sep 10, 2006 at 08:30:53AM +1000, James A. Donald wrote:
> --
> Ben Laurie wrote:
> > Subject: [dnsop] BIND and OpenSSL's RSA signature forging issue
> > From: Ben Laurie <ben at algroup.co.uk>
> > Date: Fri, 08 Sep 2006 11:40:44 +0100
> > To: DNSEXT WG <namedroppers at ops.ietf.org>, "(DNSSEC deployment)"
> > <dnssec-deployment at shinkuro.com>, dnsop at lists.uoregon.edu
> >
> >
> > I've just noticed that BIND is vulnerable to:
> >
> > http://www.openssl.org/news/secadv_20060905.txt
> >
> > Executive summary:
> >
> > RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
> > default. Note that the issue is in the resolver, not the server.
> >
> > Fix:
> >
> > Upgrade OpenSSL.
> >
> > Issue:
> >
> > Since I've been told often that most of the world won't upgrade
> > resolvers, presumably most of the world will be vulnerable to this
> > problem for a long time.
> >
> > Solution:
> >
> > Don't use exponent 3 anymore. This can, of course, be done server-side,
> > where the responsible citizens live, allegedly.
> >
> > Side benefit:
> >
> > You all get to test emergency key roll! Start your motors, gentlemen!
>
> This seems to presuppose that Secure DNS is actually in use. I was
> unaware that this is the case.
>
> What is the penetration of Secure DNS?
hard to tell... how many delegations are there?
that said, RIPE has signed all their delegations
and the SE delegation is signed. privately, i am
aware of perhaps a dozen or so other delegations
which are signed. one might also look to the ISC
DLV registry to see which of those delegations are
signed.
--bill
>
>
> --digsig
> James A. Donald
> 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
> fLselD6l8fdbF1p4sjg3RQ2GXi+NnQ//1CymnfKs
> 4+JAX1zwW3fSIStp6glgbAygK1zCuoMeiTigr4qmd
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
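
One way to act on the "Don't use exponent 3 anymore" advice quoted above is to audit a zone's DNSKEY records for RSA keys whose public exponent is 3. The following Python is an added example, not code from this thread, BIND or OpenSSL; it assumes one DNSKEY record per line in presentation format with the RFC 3110 RSA key encoding, and the function names and sample zone are constructed for illustration.

```python
import base64

# DNSSEC algorithm numbers whose DNSKEY public key field uses the RFC 3110 RSA encoding.
RSA_ALGORITHMS = {1, 5, 7, 8, 10}

def parse_rsa_key(blob: bytes):
    """Decode an RFC 3110 RSA public key into (exponent, modulus)."""
    if not blob:
        raise ValueError("empty key")
    if blob[0] != 0:                      # short form: one exponent-length octet
        elen, off = blob[0], 1
    else:                                 # long form: zero octet, then 16-bit length
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    if elen == 0 or len(blob) <= off + elen:
        raise ValueError("truncated key")
    e = int.from_bytes(blob[off:off + elen], "big")
    n = int.from_bytes(blob[off + elen:], "big")
    return e, n

def find_exponent3_keys(zone_text: str):
    """Return (owner, algorithm, modulus_bits) for RSA DNSKEYs with e == 3."""
    # Assumption: one record per line, owner name present, no parenthesised records.
    hits = []
    for line in zone_text.splitlines():
        tokens = line.split(";", 1)[0].split()      # drop trailing comments
        if "DNSKEY" not in tokens:
            continue
        i = tokens.index("DNSKEY")                  # then: flags, protocol, algorithm, key
        if len(tokens) < i + 5 or int(tokens[i + 3]) not in RSA_ALGORITHMS:
            continue
        e, n = parse_rsa_key(base64.b64decode("".join(tokens[i + 4:])))
        if e == 3:
            hits.append((tokens[0], int(tokens[i + 3]), n.bit_length()))
    return hits

def _sample_record(owner, e, n):
    """Build a constructed DNSKEY line for the demo (not a real zone's key)."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    blob = bytes([len(eb)]) + eb + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return f"{owner} 3600 IN DNSKEY 256 3 5 {base64.b64encode(blob).decode()}"

_N = (1 << 1023) | 1   # constructed 1024-bit placeholder, not a real RSA modulus
SAMPLE_ZONE = "\n".join([
    _sample_record("weak.example.", 3, _N),
    _sample_record("ok.example.", 65537, _N),
    "ok.example. 3600 IN A 192.0.2.1",
])
```

Keys flagged by `find_exponent3_keys` are the candidates for the key roll the quoted message calls for.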