[dnssec-deployment] BIND and OpenSSL's RSA signature forging issue
thierry.moreau at connotech.com
Fri Sep 8 08:05:54 EDT 2006
Ben Laurie wrote:
> I've just noticed that BIND is vulnerable to:
> Executive summary:
> RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
> default. Note that the issue is in the resolver, not the server.
See a more comprehensive report at
Hal Finney, "Bleichenbacher's RSA signature forgery based on
implementation error" Wed, 30 Aug 2006
"based on implementation error" is somehow relevant to understand
exactly where the vulnerability lies. I mean "somehow relevant" because
the specific implementation error (a missing data validation check,
where the check is useful *only* for preventing Bleichenbacher's RSA
signature forgery while the forgery was previously unknown) is very
likely to be done by even dedicated implementation developers, and
remain undetected in the SW testing phase because of its innocuousness.
> Upgrade OpenSSL.
Or use the proper command-line argument in the BIND-specific
Or fix the BIND-specific dnssec-keygen utility to use the other allowed
value (i.e. 65537) as the default?
> Since I've been told often that most of the world won't upgrade
> resolvers, presumably most of the world will be vulnerable to this
> problem for a long time.
> Don't use exponent 3 anymore. This can, of course, be done server-side,
> where the responsible citizens live, allegedly.
> Side benefit:
> You all get to test emergency key roll! Start your motors, gentlemen!
Responsible citizens consult their family cryptographer before selecting
an RSA public key exponent, and they stay away from public exponent=3
for number-theoretic reasons known only to the family cryptographers (of
which Bleichenbacher's RSA signature forgery is an acutely practical
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Canada H2M 2A1
web site: http://www.connotech.com
e-mail: thierry.moreau at connotech.com
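
An added example, not part of the original message and not BIND or OpenSSL code: in the public description of this issue, the "missing data validation check" is the test that the hash sits right-justified in the PKCS #1 v1.5 block. The sketch below works on the block already recovered by the RSA public operation and compares a verifier that re-encodes and compares the whole block with a parser that stops reading after the hash; all function names and sample data are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# DER DigestInfo header for SHA-1, as used by PKCS #1 v1.5 signatures
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def expected_em(msg: bytes, k: int) -> bytes:
    """Build the single valid k-byte encoded message for msg."""
    t = SHA1_PREFIX + hashlib.sha1(msg).digest()
    pad_len = k - len(t) - 3
    if pad_len < 8:
        raise ValueError("modulus too short for this encoding")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t

def strict_check(em: bytes, msg: bytes, k: int) -> bool:
    """Hardened form: re-encode and compare every byte, parse nothing."""
    return len(em) == k and hmac.compare_digest(em, expected_em(msg, k))

def lax_check(em: bytes, msg: bytes) -> bool:
    """Flawed form: reads the hash where the padding ends, ignores the rest."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    if em[i:i + len(SHA1_PREFIX)] != SHA1_PREFIX:
        return False
    i += len(SHA1_PREFIX)
    # Missing check: i + 20 == len(em), i.e. the hash must end the block.
    return hmac.compare_digest(em[i:i + 20], hashlib.sha1(msg).digest())

K = 256                                # constructed: 2048-bit modulus size
MSG = b"example.com. IN A 192.0.2.1"   # constructed sample data
GOOD = expected_em(MSG, K)
# Constructed malformed block: minimal padding, hash early, filler bytes after.
_t = SHA1_PREFIX + hashlib.sha1(MSG).digest()
MALFORMED = b"\x00\x01" + b"\xff" * 8 + b"\x00" + _t
MALFORMED += b"\xaa" * (K - len(MALFORMED))

def results():
    """(strict on good, lax on good, strict on malformed, lax on malformed)"""
    return (strict_check(GOOD, MSG, K), lax_check(GOOD, MSG),
            strict_check(MALFORMED, MSG, K), lax_check(MALFORMED, MSG))
```

The bytes the lax parser never examines are what make a small exponent such as 3 matter here; the full-block comparison leaves no unexamined bytes regardless of exponent.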