OpenSSL Hit by Forgery Bug
Daniel Cray writes to tell us ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique. OpenSSL has already released an update fixing the problem. From the article: "The flaw only affects a particular type of signature — PKCS #1 v1.5 signatures — but these are used by some certificate authorities... The signature forgery technique was first demonstrated last month at the Crypto 2006 conference by Daniel Bleichenbacher, a cryptographer with Bell Labs, according to security firm Netcraft. OpenSSL credited Google Security with successfully forging various certificates and providing the fix."
Re:Google saves the day... (Score:5, Informative)
Re: (Score:1)
Re: (Score:2)
To be entirely fair, my understanding is that Bleichenbacher said "hey guys, I just found a bug in some non-openssl crypto code, you guys should check to see if you have a similar bug". It was the people from Google who said "ok, let's look through the openssl source code and see if it does anything dumb like this".
Re: (Score:2, Informative)
==============
openssl (0.9.8a-7ubuntu0.1) dapper-security; urgency=low
* SECURITY UPDATE: signature forgery in some cases.
* Apply http://www.openssl.org/news/patch-CVE-2006-4339.txt [openssl.org]:
- Check excessive data in padding of PKCS #1 v1.5 signatures to prevent applications from incorrectly verifying the certificate.
* References:
CVE-2006-4339
http://www.openssl.org/news/secadv_20060905.txt [openssl.org]
Fedora also updated (Score:2)
Re: (Score:1)
Crypto Math problem, not a Coding bug problem (Score:5, Insightful)
This isn't really a problem with buggy coding - it's a crypto math problem that is affected by implementation choices, and new crypto discoveries can hit some code harder than others. The code here was checked very thoroughly by *lots* of people, including some really strong crypto experts, because it's critical code for a lot of people. With RSA signatures, there's a public exponent "e" and a private exponent "d", and e is a pretty arbitrary prime, so it's common to pick a value that lets you do fast calculations. The popular values are 3, 65537, and occasionally 17, and it's hard to find a number x such that x**e mod n == y if you don't know d (or p and q.) The problem is that it's not so hard to find x and some junk such that (x,junk)**e mod n == (y,otherjunk), at least if e is small enough, and the standard ASN.1 code makes it easy to add arbitrary junk. 3 is small enough (and really fast to use), 17 might be, 65537 is pretty safe, and ASN.1 is the Mos Eisley of data representation protocols, a wretched hive of scum and villainy that nobody wants to mess around in. So some people do the right thing in checking the "otherjunk" beyond the y, but not everybody did, and until Bleichenbacher's attack you didn't need to.
Open Source does mean that you *can* update your copy of OpenSSL, without waiting for Microsoft Patch Day - and in the crypto world, the only way to trust anything is for the algorithms and implementation code to be documented and readable. They don't have to be "open" in the sense of "accepting patches from arbitrary people" or "free as in speech, not patented, not copyrighted, guaranteed to make RMS happy", but if you can't see the algorithms or install code you've recompiled from scratch yourself, you can't trust it.
So the fact that you've got to update OpenSSL and link it in to other code is really fine here - if you're paranoid, you need to do it yourself, and you've got the tools to do it; if you're not paranoid, this is a fairly tough exploit to actually do anything useful with, though you could go deleting a few certificates from your browser's security files if you're worried.
Re: (Score:2)
*checks outbox*
Yep, two+ weeks. I'm willing to cut slack for stories 2-3 days old, but this is ancient for a security alert.
Re:All your base belong to me! (Score:4, Funny)
all your certs are belong to me
Re:All your base belong to me! (Score:4, Funny)
I use Tic-Tacs you insensitive clod!
Apple? (Score:2)
Re: (Score:2)
Then Tiger is indeed affected, because 'i' comes before 'j'. Read the advisory again.
Re: (Score:2)
who knew (Score:4, Funny)
Who knew that OpenSSL would have ever had anything in common with a Wal-Mart cashier?
#2 for de Raadt? (Score:2)
ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique.
Did OpenBSD ship with any of this code?
If so, then wouldn't this be Theo's second pwning?
Re: (Score:1)
I hope they'll update it before launch.
Re: (Score:1, Informative)
This is old. (Score:2)
http://www.openssl.org/news/secadv_20060905.txt [openssl.org]
I would hope that all serious users of OpenSSL have already patched this. FreeBSD and Debian were on top of it the same day it was announced. Others too, no doubt.
Re: (Score:3, Informative)
I don't know about Debian, but FreeBSD didn't issue an advisory until the day after this went public. We have a very strict policy about making sure that security updates won't break anything, and OpenSSL's original patch was broken and not fixed until a day later [openssl.org].
In general you're right, though -- we hear about security issues before they go public and make sure we h
Re: (Score:3, Informative)
It wasn't really per se, but it did contain some unnecessary code. None of it was major, and I don't think it would have caused any problems, but the revised patch, which we in Debian also used, touched fewer files and was generally simpler.
in what should we trust? (Score:1)
Paid services can't secure our data.. and now even the 'secure' open source service can't secure it.. so now what should we use? Seriously, man.. what should we use?? Any suggestions??
1.0 (Score:4, Funny)
old news (Score:4, Informative)
It also needs to be noted that the impact of this bug is not nearly as wide as a slashdot front-page headline might suggest. The FreeBSD security advisory [freebsd.org] has some good info on why. To quote: (emphasis mine)
So yeah, there may be some vulnerable sites out there, but they were already weaker than they should have been, and most sites are likely unaffected. That, coupled with the simplicity of the fix (both as provided in source form and from the OS vendors) makes this a non-story.
noah
Re: (Score:1)
The first 42 submissions of a story are rejected. The next one is posted. After that, 1337 submissions are rejected before the dupe is posted.
TINC
Re: (Score:2, Interesting)
Re:old news (Score:4, Informative)
No, the impact of this problem was wider than what the front page suggests; the same bug hit Firefox (which uses its own "NSS" SSL library, not OpenSSL), and several of the root certificates were e=3 (e=3 is a widely-recommended optimization). Long story short, Firefox, Opera, and Konqueror are all spoofable until you download patches.
The simple exploit (generate a new WELLSFARGO.COM cert and "sign" it in a way that will trick a browser into believing a root CA signed it) is literally 3 lines of Python.
You're also wrong about the crypto details: e=3 RSA is not "weaker" than e=65537. The problem is not that people used "weak" RSA parameters; the problem is that they didn't verify all the bits in an RSA-decoded signature, but instead tried to fish something that looked like a valid SHA/MD5 hash out of it. If you screw up any of the details in RSA signature verification, you're screwed, e=3, e=5, or e=65537. Conversely if you get the details right, e=3 is as secure as factoring.
It is funny that this is just hitting Slashdot now; it's weeks old.
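The point made in the "Crypto Math problem" post, in the Ubuntu changelog ("check excessive data in padding of PKCS #1 v1.5 signatures"), and in the post above (verifiers that "fish something that looked like a valid hash" out of the block instead of checking every byte) is the same one. The following is an added illustration, not code from the original thread or from OpenSSL: it operates on the already-decoded block (the bytes that come out of the RSA public-key operation), so no RSA keys or modular arithmetic appear, and the "bad block" is a constructed input with the minimum padding and trailing filler, not a real forgery. A lenient parser of the pre-fix shape accepts it; a verifier that re-encodes the expected block and compares all the bytes rejects it. Function names and the 128-byte block length (a 1024-bit modulus) are assumptions.

```python
import hashlib
import hmac

# DigestInfo prefix for SHA-1 as listed in RFC 3447, section 9.2, note 1.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")
DIGEST_LEN = 20


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Build EM = 0x00 || 0x01 || PS || 0x00 || T for SHA-1 (RFC 3447, 9.2).
    PS is at least eight 0xff bytes; T is the DigestInfo plus the digest."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def lenient_verify(em: bytes, message: bytes) -> bool:
    """Pre-fix pattern (the bug discussed in the thread): skip the padding,
    parse a DigestInfo, compare the digest, and ignore whatever follows.
    Neither the padding length nor any trailing bytes are checked."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    body = em[i + 1:]
    if not body.startswith(SHA1_DIGESTINFO):
        return False
    start = len(SHA1_DIGESTINFO)
    digest = body[start:start + DIGEST_LEN]
    return digest == hashlib.sha1(message).digest()


def strict_verify(em: bytes, message: bytes) -> bool:
    """Fixed pattern: rebuild the one encoding the signer must have produced
    and require the whole block to match, so no byte is left unchecked."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def make_short_padding_block(message: bytes, em_len: int) -> bytes:
    """Constructed test input (not a forgery): the minimum 8 bytes of 0xff,
    a correct DigestInfo and digest, then filler bytes after the digest.
    This is the shape of block a lenient parser wrongly accepts."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x42" * (em_len - len(head))


def run_demo(em_len: int = 128) -> dict:
    """Return each verifier's verdict on a well-formed block and on the
    constructed block with trailing filler."""
    msg = b"constructed sample certificate body"
    good = emsa_pkcs1_v15_encode(msg, em_len)
    bad = make_short_padding_block(msg, em_len)
    return {
        "lenient_good": lenient_verify(good, msg),
        "strict_good": strict_verify(good, msg),
        "lenient_bad": lenient_verify(bad, msg),
        "strict_bad": strict_verify(bad, msg),
        "strict_wrong_message": strict_verify(good, b"other message"),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The design choice the fix embodies is to never parse the decoded block at all: the verifier knows exactly which bytes a valid signature must decode to, so it constructs them and compares the full length in constant time. Any verifier that instead searches the block for a recognisable DigestInfo leaves the unparsed bytes unchecked, which is exactly the room the thread describes.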
RSA is not as secure as factoring, e=3 or not (Score:2)
In addition, any such security reduction won't apply to PKCS #1.5 - a proper padding method, like OAEP+, must be used for the security reduction to apply.
There is such a reduction for e=2 aka Rabin, but that's not RSA any more, because your equations have multiple solutions. I nonetheless recommend adoption of Rabin everywhere RSA is now used, since it's b
Re: (Score:2)
Vendors have Patched As Well (Score:3, Informative)
I don't get it (Score:1)
Re: (Score:1)
That sounds like the md5/sha hash issues. Though those would probably be exploitable on openssl too. Openssl supports hashes. Digital signatures are usually done by hashing the data first then signing the hash. (Because public key algorithms are usually slow, hashes are usually much faster)
The junk shouldn't matter. How often do you look at the source HTML or all the fields of a cert on secure pages? Probably never. There may be an area or field of certs which most programs don't even show, so even if you
First gzip, now this. (Score:2)
I can't tell if you're being sarcastic or not. (Score:2)
Firefox, Thunderbird, Seamonkey, and Opera (Score:2)
Seamonkey had this fix applied in 1.0.5, released on 2006/09/14.
Opera had this fix applied in Opera 9.02, released on 2006/09/21.
Well (Score:1)
http://www.heise-security.co.uk/news/77800 [heise-security.co.uk]
anybody is wondering?? (Score:1)
OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.
Versions are available for most Unix-like operating systems (including Solaris, Linux, Mac OS X and the four ope
more and more upgrades. (Score:1)
Upgrade to version 0.9.8c, 0.9.7k or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
'No known workarounds' seems like quite an exaggeration!
It's normal for technologies to be upgraded, right? But you have to admit though.. everything seems to require regular upgrading nowadays. At least once! Even humans need a so-called self-upgrading. What more t
Unpredictable Program (Score:1)
Vulnerability (Score:1)
others are affected too (Score:1)
start updating it! (Score:1)
version of open ssl (Score:1)