Slashdot Mirror


OpenSSL Hit by Forgery Bug

Daniel Cray writes to tell us ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique. OpenSSL has already released an update fixing the problem. From the article: "The flaw only affects a particular type of signature — PKCS #1 v1.5 signatures — but these are used by some certificate authorities... The signature forgery technique was first demonstrated last month at the Crypto 2006 conference by Daniel Bleichenbacher, a cryptographer with Bell Labs, according to security firm Netcraft. OpenSSL credited Google Security with successfully forging various certificates and providing the fix."

3 of 69 comments

  1. Re:Google saves the day... by tedgyz · Score: 4, Informative
    Wonder if Google Desktop search can help me find all the bugs in Windows...
    While I'm as quick to fawn over Google, let's give credit to "Daniel Bleichenbacher, a cryptographer with Bell Labs" for finding it.
    --
    "No matter where you go, there you are." -- Buckaroo Banzai
  2. old news by noahm · Score: 3, Informative
    Wow, that was like almost a month ago. All the major, and most of the minor, OS vendors and Linux distributors have long since announced and released fixes. Why's it on slashdot now?

    It also needs to be noted that the impact of this bug is not nearly as wide as a slashdot front-page headline might suggest. The FreeBSD security advisory has some good info on why. To quote: (emphasis mine)

    RSA public keys may use a variety of public exponents, of which 3, 17, and 65537 are most common. As a result of a number of known attacks, most keys generated recently use a public exponent of at least 65537.
    ...
    OpenSSL will incorrectly report some invalid signatures as valid. When an RSA public exponent of 3 is used, or more generally when a small public exponent is used with a relatively large modulus (e.g., a public exponent of 17 with a 4096-bit modulus), an attacker can construct a signature which OpenSSL will accept as a valid PKCS#1 v1.5 signature.

    So yeah, there may be some vulnerable sites out there, but they were already weaker than they should have been, and most sites are likely unaffected. That, coupled with the simplicity of the fix (both as provided in source form and from the OS vendors) makes this a non-story.

    noah

  3. Re:old news by tqbf · Score: 3, Informative

    No, the impact of this problem was wider than what the front page suggests; the same bug hit Firefox (which uses its own "NSS" SSL library, not OpenSSL), and several of the root certificates were e=3 (e=3 is a widely-recommended optimization). Long story short, Firefox, Opera, and Konqueror are all spoofable until you download patches.

    The simple exploit (generate a new WELLSFARGO.COM cert and "sign" it in a way that will trick a browser into believing a root CA signed it) is literally 3 lines of Python.

    You're also wrong about the crypto details: e=3 RSA is not "weaker" than e=65537. The problem is not that people used "weak" RSA parameters; the problem is that they didn't verify all the bits in an RSA-decoded signature, but instead tried to fish something that looked like a valid SHA/MD5 hash out of it. If you screw up any of the details in RSA signature verification, you're screwed, e=3, e=5, or e=65537. Conversely if you get the details right, e=3 is as secure as factoring.

    It is funny that this is just hitting Slashdot now; it's weeks old.
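The point made in the FreeBSD advisory quoted in comment 2 and in tqbf's reply above is the verifier's behaviour, not the exponent: a PKCS#1 v1.5 verifier that "fishes" a DigestInfo out of the RSA-decoded block and ignores whatever follows it is broken for any e. The following is an added illustration, not code from Slashdot, OpenSSL or any of the commenters. It works only on the encoded message EM (the block obtained after the RSA public-key operation) and does not generate or forge any signature; the function names, the SHA-256 DigestInfo prefix from RFC 3447, and the sample message and malformed block are my own constructions. It compares a lenient verifier of the flawed shape with a strict one that rebuilds the single acceptable EM and compares all k bytes, which is the shape of the fix.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 3447, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(message: bytes) -> bytes:
    """T = DER-encoded DigestInfo carrying SHA-256(message)."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """Canonical EM = 0x00 || 0x01 || PS (>= 8 bytes of 0xFF) || 0x00 || T, exactly k bytes."""
    t = digest_info(message)
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def lenient_verify(em: bytes, message: bytes) -> bool:
    """Flawed verifier of the kind the thread describes: locate a DigestInfo
    after the padding and compare the hash, never looking at what follows."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1                      # accepts any padding length, not the one implied by k
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    if i + 2 > len(em) or em[i] != 0x30:
        return False                # expect the outer SEQUENCE of DigestInfo
    seq_len = em[i + 1]
    found = em[i : i + 2 + seq_len]
    # Defect: em[i + 2 + seq_len:] (trailing bytes) is never examined.
    return found == digest_info(message)


def strict_verify(em: bytes, message: bytes, k: int) -> bool:
    """Fixed verifier: rebuild the one acceptable EM and compare every byte."""
    if len(em) != k:
        return False
    expected = emsa_pkcs1_v15_encode(message, k)
    return hmac.compare_digest(em, expected)


def build_malformed_em(message: bytes, k: int) -> bytes:
    """Constructed test vector: well-formed-looking header with minimal padding,
    a correct DigestInfo, then filler bytes that a strict verifier must reject."""
    t = digest_info(message)
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (k - len(head))


def demo(k: int = 256) -> dict:
    """Run both verifiers over a canonical and a malformed EM (k = 256 bytes, i.e. 2048-bit)."""
    msg = b"constructed sample message"
    good = emsa_pkcs1_v15_encode(msg, k)
    bad = build_malformed_em(msg, k)
    return {
        "lenient_good": lenient_verify(good, msg),
        "strict_good": strict_verify(good, msg, k),
        "lenient_bad": lenient_verify(bad, msg),
        "strict_bad": strict_verify(bad, msg, k),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The lenient verifier accepts the malformed block because everything it checks is present; the strict one rejects it because the padding length and trailing bytes are wrong. The defensive rule is the one tqbf states: reconstruct the full expected encoding and compare all of it, rather than parsing structure out of untrusted bytes.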