Hanno and Julien, thanks for confirming that EC key generation was enabled in the affected Debian distributions.
https://github.com/CVE-2008-0166/key_generator is now able to generate the secp256r1 and secp384r1 keypairs that are predictable (due to the CVE-2008-0166 vulnerability), and I've generated and added the private keys (uncompressed, with named curve parameters, in SEC1 format) to https://github.com/CVE-2008-0166/private_keys.

Do you have any thoughts on whether CAs should also consider the compressed and/or hybrid point conversion forms when blocking the corresponding public keys? The vulnerable Debian OpenSSL versions appear to support these point conversion forms - "openssl ecparam -genkey -conv_form <compressed,uncompressed,hybrid>" - but AFAICT the "-conv_form" option is always ignored when "-genkey" is used.

I think the best approach is for CAs to use some sort of normalized form when performing key checks. For example: always set the public exponent to 65537 before adding an RSA public key to a blocklist (or before checking if it's already blocked); and always convert the EC point to the uncompressed form before adding an EC public key to a blocklist (or before checking if it's already blocked).

BTW Hanno, there are some discrepancies between the predictable EC keypairs in https://github.com/CVE-2008-0166/private_keys and the ones in https://github.com/badkeys/debianopenssl :

- In around half of your "noreadrnd" (aka "nornd-old") keys, the public key BITSTRING has a nonzero "unused bits" octet. (AIUI, the "unused bits" should always be zero, because https://www.rfc-editor.org/rfc/rfc5915#section-3 defers to https://www.rfc-editor.org/rfc/rfc5480#section-2.2, which defines the public key as an OCTET STRING).

- Some of your "noreadrnd" key files cannot be parsed by "openssl ec". For example, 10211-nornd-old.key is missing a trailing 0x00 byte at the end of the public key. (Compare that against https://github.com/CVE-2008-0166/private_keys/blob/main/le32/secp256r1/secp256r1_10211_noreadrnd_le32.key)

________________________________
From: Hanno Böck <ha...@hboeck.de>
Sent: 08 July 2022 13:29
To: Rob Stradling <r...@sectigo.com>
Cc: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org>
Subject: Re: Debian Weak Keys and ECDSA

On Fri, 8 Jul 2022 12:18:39 +0000
Rob Stradling <r...@sectigo.com> wrote:

> Hi Hanno. I agree that the OpenSSL 0.9.8 branch contained ECDSA
> code, but it was possible for distro maintainers to easily disable
> this during the build process. I know that Red Hat did this due to
> ECC patent concerns, and I've always assumed that Debian did too.
>
> Have you looked into whether or not Debian's 2008 OpenSSL build
> process started with something like this...

It doesn't. Check here, which is one of the versions in the affected timeframe:
https://snapshot.debian.org/package/openssl/0.9.8g-3/

openssl_0.9.8g-3.diff.gz adds a few no-* options to the compilation, but not no-ec.

Also given I actually created ec keys with those affected versions I am pretty sure they haven't disabled it :-)

--
Hanno Böck
https://hboeck.de/
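Rob's normalization suggestion above, worked through as an added Python example that is not from the thread, the key_generator project or badkeys: every SEC1 encoding of a secp256r1 public key (compressed 0x02/0x03, uncompressed 0x04, hybrid 0x06/0x07) is converted to the uncompressed form before it is fingerprinted for blocklist insertion or lookup, and an RSA key is fingerprinted with its exponent forced to 65537. The SHA-256-over-normalized-bytes fingerprint is my own choice of blocklist identifier, the curve constants are the published SEC 2 values, and the sample point is the secp256r1 generator used only as a well-known test vector.

```python
import hashlib
# secp256r1 (P-256) domain parameters from SEC 2; p = 3 (mod 4), so a square root is one pow().
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
FIELD_BYTES = 32

def _recover_y(x, y_is_odd):
    """Solve y^2 = x^3 + ax + b over GF(p) and pick the root with the requested parity."""
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    if (y * y) % P != rhs:
        raise ValueError("x is not the abscissa of a secp256r1 point")
    return y if bool(y & 1) == y_is_odd else P - y

def to_uncompressed(point):
    """Normalise a SEC1-encoded secp256r1 point (0x02/0x03 compressed, 0x04 uncompressed,
    0x06/0x07 hybrid) to the 65-byte 0x04 form, rejecting anything not on the curve."""
    tag, body = point[0], point[1:]
    if tag in (0x02, 0x03) and len(body) == FIELD_BYTES:
        x = int.from_bytes(body, "big")
        y = _recover_y(x, tag == 0x03)
    elif tag in (0x04, 0x06, 0x07) and len(body) == 2 * FIELD_BYTES:
        x = int.from_bytes(body[:FIELD_BYTES], "big")
        y = int.from_bytes(body[FIELD_BYTES:], "big")
        # A hybrid tag also encodes the parity of y and must agree with the explicit y.
        if tag != 0x04 and (tag == 0x07) != bool(y & 1):
            raise ValueError("hybrid tag disagrees with parity of y")
    else:
        raise ValueError("unrecognised SEC1 point encoding")
    if x >= P or y >= P or (y * y - pow(x, 3, P) - A * x - B) % P:
        raise ValueError("point is not on secp256r1")
    return b"\x04" + x.to_bytes(FIELD_BYTES, "big") + y.to_bytes(FIELD_BYTES, "big")

def ec_blocklist_id(point):
    """Blocklist key for an EC public key: SHA-256 over the normalised (uncompressed) point."""
    return hashlib.sha256(to_uncompressed(point)).hexdigest()

def rsa_blocklist_id(n, e):
    """Blocklist key for an RSA public key: the supplied exponent e is ignored and 65537 used."""
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return hashlib.sha256(n_bytes + (65537).to_bytes(3, "big")).hexdigest()

# Constructed test vector: the secp256r1 generator G in all three conversion forms (Gy is odd).
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
G_UNCOMPRESSED = b"\x04" + GX.to_bytes(32, "big") + GY.to_bytes(32, "big")
G_COMPRESSED = b"\x03" + GX.to_bytes(32, "big")
G_HYBRID = b"\x07" + G_UNCOMPRESSED[1:]
```

A blocklist built this way matches a predictable key however the certificate request happens to encode it, which is the property the "-conv_form" question is really about.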