Package: opensc Severity: grave Tags: security Tags: patch Hi,
There is a vulnerability in opensc. Details are: | The security problem in short: you need a combination of | 1.) a tool that startes a key generation with public exponent set to 1 | (an invalid value that causes an insecure rsa key) | 2.) a PKCS#11 module that accepts that this public exponent and forwards | it to the card | 3.) a card that accepts the public exponent and generates the rsa key. | | OpenSC is insecure because due to a code bug in pkcs11-tool it had | the wrong public exponent. But OpenSC PKCS#11 module is secure, it | ignores the public exponent. So only if you generate your keys with | pkcs11-tool from OpenSC 0.11.7 (which very few people do), and only if | you used it with sone other vendors PKCS#11 module, and only if the | card accepted the bogus value too, then your rsa key is unsecure. | | you can easily verify keys by looking at the rsa public key or a | certificate or certificate request, for example the openssl command | line tools can print the content in plain text. public Exponent = 1 | is bad (3 and higher are accepted values, 65537 or higher is suggested | by the NIST). | | Here is the full security advisory. No CVE included, as I was not able | to get one from distributions, vendor-sec or mitre. | | OpenSC Security Advisory [07-May-2009] | ====================================== | | pkcs11-tool generates RSA keys with publicExponent 1 instead of 65537 | | OpenSC includes a tool for testing its PKCS#11 module called | pkcs11-tool. This command line tool includes the ability to ask the | PKCS#11 module to generate an RSA key pair. The tool used to default to a key size | of 768 bits and a public exponent of 3. These values are considered | small but ok. In december 2008 a change (SVN commit 3602) changed | these values to more secure default values of 1024 bit key size | and a public exponent of 65537. A bug in that code however caused | the default public exponent to be 1. That value is invalid and | insecure, a message encrypted with it will be unencrypted. | | If pkcs11-tool is used with the PKCS#11 module included in OpenSC, | there is no security issue, as OpenSC PKCS#11 module ignores any | public exponent passed to it. Only when pkcs11-tool is used with | other third party PKCS#11 Modules the problem comes up. | | Thanks to Miquel Comas MartÃ, who found and fixed this bug and | contacted us on May 7th, 2009. | | This bug only affects users of OpenSC SVN trunk or OpenSC release | 0.11.7. Older releases do not contain this problem, and the new | OpenSC release 0.11.8 fixes this problem. Only users of the command | line tool "pkcs11-tool" are affected by this problem, and only the | generate rsa key pair function is affected ("--keypairgen" or "-k"). | There is no option to configure the public exponent using the | command line tool, so all such uses are affected. | | The command line tool "pkcs11-tool" can be used with the OpenSC | PKCS#11 Module "opensc-pkcs11.so" or "opensc-pkcs11.dll" or with any | other PKCS#11 module. Only when used with other PKCS#11 module the | problem arrises, as the OpenSC PKCS#11 Module ignores the public | exponent passed to it. | | If you use a third party PKCS#11 Module with pkcs11-tool you | can use openssl with engine_pkcs11 to create a certificate | signing request and then use openssl to analyze that csr, | for example | openssl req -in req.pem -noout -text | ... | Exponent: 1 (0x1) | ... | | Would show the problem. Please coordinate with the security team (t...@security.debian.org) to prepare updates for the stable releases. A patch that fixes the problem follows: --- src/tools/pkcs11-tool.c (Revision 3687) +++ src/tools/pkcs11-tool.c (Revision 3688) @@ -1035,7 +1035,7 @@ { CK_MECHANISM mechanism = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0}; CK_ULONG modulusBits = 1024; - CK_BYTE publicExponent[] = { 65537 }; + CK_BYTE publicExponent[] = { 0x01, 0x00, 0x01 }; /* 65537 in bytes */ CK_BBOOL _true = TRUE; CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY; -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org