|
Message-Id: <200905080842.17335.aj@dungeon.inka.de> Date: Fri, 8 May 2009 08:42:17 +0200 From: Andreas Jellinghaus <aj@...geon.inka.de> To: oss-security@...ts.openwall.com Subject: OpenSC 0.11.8 released with security update OpenSC 0.11.8 was released yesterday with a security update. The security problem in short: you need a combination of 1.) a tool that startes a key generation with public exponent set to 1 (an invalid value that causes an insecure rsa key) 2.) a PKCS#11 module that accepts that this public exponent and forwards it to the card 3.) a card that accepts the public exponent and generates the rsa key. OpenSC is insecure because due to a code bug in pkcs11-tool it had the wrong public exponent. But OpenSC PKCS#11 module is secure, it ignores the public exponent. So only if you generate your keys with pkcs11-tool from OpenSC 0.11.7 (which very few people do), and only if you used it with sone other vendors PKCS#11 module, and only if the card accepted the bogus value too, then your rsa key is unsecure. you can easily verify keys by looking at the rsa public key or a certificate or certificate request, for example the openssl command line tools can print the content in plain text. public Exponent = 1 is bad (3 and higher are accepted values, 65537 or higher is suggested by the NIST). Here is the full security advisory. No CVE included, as I was not able to get one from distributions, vendor-sec or mitre. OpenSC Security Advisory [07-May-2009] ====================================== pkcs11-tool generates RSA keys with publicExponent 1 instead of 65537 OpenSC includes a tool for testing its PKCS#11 module called pkcs11-tool. This command line tool includes the ability to ask the PKCS#11 module to generate an RSA key pair. The tool used to default to a key size of 768 bits and a public exponent of 3. These values are considered small but ok. In december 2008 a change (SVN commit 3602) changed these values to more secure default values of 1024 bit key size and a public exponent of 65537. A bug in that code however caused the default public exponent to be 1. That value is invalid and insecure, a message encrypted with it will be unencrypted. If pkcs11-tool is used with the PKCS#11 module included in OpenSC, there is no security issue, as OpenSC PKCS#11 module ignores any public exponent passed to it. Only when pkcs11-tool is used with other third party PKCS#11 Modules the problem comes up. Thanks to Miquel Comas MartÃ, who found and fixed this bug and contacted us on May 7th, 2009. This bug only affects users of OpenSC SVN trunk or OpenSC release 0.11.7. Older releases do not contain this problem, and the new OpenSC release 0.11.8 fixes this problem. Only users of the command line tool "pkcs11-tool" are affected by this problem, and only the generate rsa key pair function is affected ("--keypairgen" or "-k"). There is no option to configure the public exponent using the command line tool, so all such uses are affected. The command line tool "pkcs11-tool" can be used with the OpenSC PKCS#11 Module "opensc-pkcs11.so" or "opensc-pkcs11.dll" or with any other PKCS#11 module. Only when used with other PKCS#11 module the problem arrises, as the OpenSC PKCS#11 Module ignores the public exponent passed to it. If you use a third party PKCS#11 Module with pkcs11-tool you can use openssl with engine_pkcs11 to create a certificate signing request and then use openssl to analyze that csr, for example openssl req -in req.pem -noout -text ... Exponent: 1 (0x1) ... Would show the problem. The problem is fixed with the new OpenSC release 0.11.8 available on http://www.opensc-project.org/ or here: http://www.opensc-project.org/files/opensc/opensc-0.11.8.tar.gz md5sum opensc-0.11.8.tar.gz a269b478b18dddb648b9bd930206b5a8 opensc-0.11.8.tar.gz sha1sum opensc-0.11.8.tar.gz 4a320b0cc3bc3de5843ab6af677093d98d4cf318 opensc-0.11.8.tar.gz sha256sum opensc-0.11.8.tar.gz 3713eff46d231e0b37c1fdba3d3d640716fe0edd875df57578643f0d9f221361 If you prefer to patch your source code, please apply this patch: --- src/tools/pkcs11-tool.c (Revision 3687) +++ src/tools/pkcs11-tool.c (Revision 3688) @@ -1035,7 +1035,7 @@ { CK_MECHANISM mechanism = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0}; CK_ULONG modulusBits = 1024; - CK_BYTE publicExponent[] = { 65537 }; + CK_BYTE publicExponent[] = { 0x01, 0x00, 0x01 }; /* 65537 in bytes */ CK_BBOOL _true = TRUE; CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY; Contact and Feedback ==================== If you have questions or feedback, please do not hesitate to contact us on our mailing lists "opensc-devel" or "opensc-user". You need to subscribe to these lists before posting, as we are getting a lot of spam each day and do not have the resource to sort out valid email. Also our wiki and bug trackers are only working for old users. New users can't register at the moment, both wiki and the bug tracker was spammed too much. Please send an email to the mailing list and we can manually create a user for you. Regards, Andreas Jellinghaus aj at opensc-project.org
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.