You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to dev-secur...@mozilla.org
Hi,
Given that not so long ago there was extensive discussion on this list
about certificates affected by the 2008 Debian OpenSSL bug [1] and
there seem to be related discussions in the CA/Browser Forum [2] I
wanted to share something:
It seems it is widely believed that the Debian OpenSSL bug does not
affect ECDSA / elliptic curve keys [3]. However that is not true. The
affected Debian versions used OpenSSL 0.9.8, which had support for EC
keys.
The source of this confusion seems to be a footnote in a paper
published shortly after that bug [4] ("but the version of OpenSSL
deployed on Debian-derived distributions ships without any elliptic
curve support"). That is wrong.
There's of course the question whether this matters. I did some checks
with certificate collections and I found no such keys used in the wild.
This is also maybe not surprising: In 2008 elliptic curve support in
TLS was still quite uncommon and considered unusual.
In any case: If you feel like blocking those keys is important, I have
created the different relevant variations for the typical curves p256
and p385 and shared them here (together with all the relevant RSA/DSA
variations of vulnerable keys):
https://github.com/badkeys/debianopenssl
I should note that sometimes this old openssl version seems to generate
broken keys that are not usable. I have not investigated this any
further.
If you want to verify this you may find this script helpful:
https://github.com/badkeys/debianssltools/blob/main/fetchdwkbin It fetches the archived debian openssl packages and the necessary
libraries from the dependencies so you can run them with LD_PRELOAD on
a modern system.
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Hanno Böck, dev-secur...@mozilla.org
> The source of this confusion seems to be a footnote in a paper published shortly after that bug [4] ("but the version of OpenSSL deployed on Debian-derived distributions ships without any elliptic curve support"). That is wrong.
Hi Hanno. I agree that the OpenSSL 0.9.8 branch contained ECDSA code, but it was possible for distro maintainers to easily disable this during the build process. I know that Red Hat did this due to ECC patent concerns, and I've always assumed that Debian
did too.
Have you looked into whether or not Debian's 2008 OpenSSL build process started with something like this...
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hi,
Given that not so long ago there was extensive discussion on this list
about certificates affected by the 2008 Debian OpenSSL bug [1] and
there seem to be related discussions in the CA/Browser Forum [2] I
wanted to share something:
It seems it is widely believed that the Debian OpenSSL bug does not
affect ECDSA / elliptic curve keys [3]. However that is not true. The
affected Debian versions used OpenSSL 0.9.8, which had support for EC
keys.
The source of this confusion seems to be a footnote in a paper
published shortly after that bug [4] ("but the version of OpenSSL
deployed on Debian-derived distributions ships without any elliptic
curve support"). That is wrong.
There's of course the question whether this matters. I did some checks
with certificate collections and I found no such keys used in the wild.
This is also maybe not surprising: In 2008 elliptic curve support in
TLS was still quite uncommon and considered unusual.
In any case: If you feel like blocking those keys is important, I have
created the different relevant variations for the typical curves p256
and p385 and shared them here (together with all the relevant RSA/DSA
variations of vulnerable keys):
It fetches the archived debian openssl packages and the necessary
libraries from the dependencies so you can run them with LD_PRELOAD on
a modern system.
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Rob Stradling, dev-secur...@mozilla.org
On Fri, 8 Jul 2022 12:18:39 +0000
Rob Stradling <r...@sectigo.com> wrote:
> Hi Hanno. I agree that the OpenSSL 0.9.8 branch contained ECDSA
> code, but it was possible for distro maintainers to easily disable
> this during the build process. I know that Red Hat did this due to
> ECC patent concerns, and I've always assumed that Debian did too.
>
> Have you looked into whether or not Debian's 2008 OpenSSL build
> process started with something like this...
Do you have any thoughts on whether CAs should also consider the compressed and/or hybrid point conversion forms when blocking the corresponding public keys? The vulnerable Debian OpenSSL versions appear to support these point conversion forms - "openssl ecparam
-genkey -conv_form <compressed,uncompressed,hybrid>" - but AFAICT the "-conv_form" option is always ignored when "-genkey" is used.
I think the best approach is for CAs to use some sort of normalized form when performing key checks. For example: always set the public exponent to 65537 before adding an RSA public key to a blocklist (or before checking if it's already blocked); and always
convert the EC point to the uncompressed form before adding an EC public key to a blocklist (or before checking if it's already blocked).
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
On Fri, 8 Jul 2022 12:18:39 +0000
Rob Stradling <r...@sectigo.com> wrote:
> Hi Hanno. I agree that the OpenSSL 0.9.8 branch contained ECDSA
> code, but it was possible for distro maintainers to easily disable
> this during the build process. I know that Red Hat did this due to
> ECC patent concerns, and I've always assumed that Debian did too.
>
> Have you looked into whether or not Debian's 2008 OpenSSL build
> process started with something like this...
It doesn't.
Check here, which is one of the versions in the affected timeframe:
> I think the best approach is for CAs to use some sort of normalized
> form when performing key checks. For example: always set the public
> exponent to 65537 before adding an RSA public key to a blocklist (or
> before checking if it's already blocked); and always convert the EC
> point to the uncompressed form before adding an EC public key to a
> blocklist (or before checking if it's already blocked).
What I do in badkeys is that I don't blocklist keys, but values.
Modulus for RSA, x coordinate for EC.
For EC this makes me not worry about any encoding issues, and the x
coordinate is enough to uniquely identify a key.
For RSA there's a simple mathematical reason: If you have two keys with
the same N and different e, and one key is broken, then the other is
automatically broken as well (because if you know d you can factor N
and this calculate any other key with the same N and a different e).
The debian bug is a good example why this is a good idea: You can
create RSA keys with e=3 with that old openssl version, the default is
e=65537. If you block whole keys and you would want to consider that
you'd need to double the number of keys to block. But if you block the
modulus you already have that case covered.
Rob Stradling
unread,
Sep 13, 2022, 3:53:51 PM9/13/22
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Hanno Böck, 'Rob Stradling' via dev-security-policy@mozilla.org
> What I do in badkeys is that I don't blocklist keys, but values.
> Modulus for RSA, x coordinate for EC.
I agree that this approach makes sense.
> The debian bug is a good example why this is a good idea: You can
> create RSA keys with e=3 with that old openssl version, the default is
> e=65537. If you block whole keys and you would want to consider that
> you'd need to double the number of keys to block. But if you block the
> modulus you already have that case covered.
That's only true for a key-based blocklist system that doesn't "normalize" the keys, whereas I'm suggesting modifying the blocked keys and the candidate keys as follows...
- always set the RSA modulus to 65337
- always use the uncompressed ECC key format
- always re-encode the key to ensure canonical DER encoding
...before adding them to the blocklist or checking if they're already blocked.
I think that both your approach and my approach are valid. If starting from scratch, I'd choose your approach. My approach is a bit more complex and probably will require more care when implementing, but it might be a better fit for any CA that already has
a key-based blocklist system.
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.