[dnssec-deployment] BIND and OpenSSL's RSA signature forging issue

Thierry Moreau thierry.moreau at connotech.com
Fri Sep 8 08:05:54 EDT 2006



Ben Laurie wrote:

> I've just noticed that BIND is vulnerable to:
> 
> http://www.openssl.org/news/secadv_20060905.txt
> 
> Executive summary:
> 
> RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
> default. Note that the issue is in the resolver, not the server.
> 

See a more comprehensive report at

Hal Finney, "Bleichenbacher's RSA signature forgery based on 
implementation error" Wed, 30 Aug 2006
http://www.mail-archive.com/cryptography@metzdowd.com/msg06537.html

"based on implementation error" is somehow relevant to understand 
exactly where the vulnerability lies. I mean "somehow relevant" because 
the specific implementation error (a missing data validation check, 
where the check is useful *only* for preventing the Bleichenbacher's RSA 
signature forgery while the forgery was previously unknown) is very 
likely to be done by even dedicated implementation developers, and 
remain undetected in the SW testing phase because of its innocuous-ness.

> Fix:
> 
> Upgrade OpenSSL.
> 

Or use the proper command-line argument in the BIND-specific 
dnssec-keygen utility?

Or fix the BIND-specific dnssec-keygen utility to use the other allowed 
value (i.e 65537) as the default?

> Issue:
> 
> Since I've been told often that most of the world won't upgrade
> resolvers, presumably most of the world will be vulnerable to this
> problem for a long time.
> 
> Solution:
> 
> Don't use exponent 3 anymore. This can, of course, be done server-side,
> where the responsible citizens live, allegedly.
> 
> Side benefit:
> 
> You all get to test emergency key roll! Start your motors, gentlemen!
> 

Responsible citizens consult their family cryptographer before selecting 
an RSA public key exponent, and they stay away from public exponent=3 
for number-theoretic reasons known only to the family cryptographers (of 
which the Bleichenbacher's RSA signature forgery is an acutely practical 
consequence)!

> Cheers,

Cheers,

> 
> Ben.
> 

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: thierry.moreau at connotech.com




More information about the Dnssec-deployment mailing list