Ben Laurie wrote:
> Thierry Moreau wrote:
>> Dear Roy:
>>
>> [...]
>>
>> Here is a suggestion for a workaround in BIND as an OpenSSL application: From the RSA public signature key, make a temporary RSA public encryption key (I don't know the OpenSSL API details, but key usage integrity is typically enforced by a crypto library, so the {DNSKEY RR conversion to OpenSSL RSA public signature key object} can be followed by a {DNSKEY RR conversion to OpenSSL RSA public encryption key object} using the same RSA modulus and exponent from the DNSKEY RR contents). Ask OpenSSL to encrypt the RRSIG signature payload with the temporary RSA public encryption key. Check that the padding length is adequate.
>>
>> This workaround in the BIND application is obviously neither a substitute for an OpenSSL upgrade nor an endorsement of any public exponent 3 in any operational use of the RSA cryptosystem. But it might assist the reduction of the vulnerable portion of deployed DNSSEC technology (BIND version and OpenSSL version at the resolver side, DNSSEC RR public exponent values=3 anywhere along the chain of trust).
>>
>> This workaround idea is available to any application using OpenSSL. Feel free to circulate it in any other application forum.
>
> You don't need to work around it, since OpenSSL has been fixed for nearly a week now.
Yes, but what if it is not convenient to upgrade OpenSSL in a given run-time environment, and it is possible to install or upgrade to an application that uses OpenSSL? I do not argue that it is good practice to rely on an application workaround for a cryptographic library weakness, but in some circumstances it could be unavoidable or very effort-efficient.
Regards,

--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]

dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
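The workaround in the quoted message, written out as an added example (this is not code from the thread, from BIND or from OpenSSL). Python's pow(s, e, n) stands in for the "encrypt with a temporary RSA public encryption key" call; the point is that the application, not the library, then checks that the PKCS#1 v1.5 padding is exactly as long as the modulus allows, so that nothing can follow the DigestInfo. To show why that check matters, the example also contains the forgery the check defends against: Bleichenbacher's 2006 observation that with e=3 a cube root of a minimally padded block cubes back to the same leading bytes, with the rounding error landing in the trailing bytes a lax verifier ignores. The key generation, the sample message (an RR in text form standing in for RRSIG-covered data) and every function name are constructed for this example.

```python
# Added example, not code from the thread, BIND or OpenSSL.  pow(s, e, n) stands in
# for OpenSSL's raw public-key ("encrypt") call; the padding check is the caller's job.
# Key generation, the sample message and all names here are constructed for the example.
import hashlib
import random
import secrets

SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # RFC 3447 9.2, SHA-1
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; adequate for generating an example key."""
    if n < 41:
        return n in SMALL_PRIMES
    if any(n % p == 0 for p in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_rsa_e3(bits=1024):
    """RSA key with public exponent 3 (the case the thread is about).
    Primes are chosen = 2 (mod 3) so that gcd(3, (p-1)(q-1)) = 1."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | 1 << (b - 1) | 1
            if c % 3 == 2 and is_probable_prime(c):
                return c
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, 3, pow(3, -1, (p - 1) * (q - 1))


def digest_info(msg):
    return SHA1_DIGESTINFO + hashlib.sha1(msg).digest()


def pkcs1_v15_encode(msg, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo, exactly k bytes."""
    t = digest_info(msg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_v15_encode(msg, k), "big"), d, n).to_bytes(k, "big")


def rsa_public_op(sig, n, e):
    """The raw public-key operation s^e mod n, with no padding logic at all."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return None
    return pow(s, e, n).to_bytes(k, "big")


def verify_lax(msg, sig, n, e):
    """The flawed check: walk past the padding, compare DigestInfo, ignore what follows."""
    em = rsa_public_op(sig, n, e)
    if em is None or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t  # BUG: trailing bytes are never examined


def verify_strict(msg, sig, n, e):
    """The check the thread asks for: the padding must fill everything the
    DigestInfo does not, so the encoding has only one valid shape."""
    em = rsa_public_op(sig, n, e)
    if em is None:
        return False
    t = digest_info(msg)
    ps_len = len(em) - len(t) - 3          # the only padding length that fits k bytes
    if ps_len < 8:                         # PKCS#1 minimum; also rejects oversized hashes
        return False
    return (em[:2] == b"\x00\x01" and em[2:2 + ps_len] == b"\xff" * ps_len
            and em[2 + ps_len] == 0x00 and em[3 + ps_len:] == t)


def icbrt_ceil(x):
    """Smallest integer s with s**3 >= x (binary search on big ints)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def forge_e3(msg, n):
    """Bleichenbacher-style e=3 forgery against verify_lax.  With one 0xFF byte of
    padding, the block 00 01 FF 00 DigestInfo is followed by ~2/3 of the modulus length
    in free bytes; the cube of the rounded-up cube root keeps the prefix intact and
    dumps its error there.  The cube is below n, so no private key is involved."""
    k = (n.bit_length() + 7) // 8
    prefix = b"\x00\x01\xff\x00" + digest_info(msg)
    junk_bits = 8 * (k - len(prefix))
    target = int.from_bytes(prefix, "big") << junk_bits
    s = icbrt_ceil(target)
    assert s ** 3 - target < (1 << junk_bits) and s ** 3 < n   # holds for k >= 128
    return s.to_bytes(k, "big")


if __name__ == "__main__":
    n, e, d = gen_rsa_e3()
    msg = b"example. 3600 IN A 192.0.2.1"   # constructed stand-in for RRSIG-covered data
    good, forged = sign(msg, n, d), forge_e3(msg, n)
    print("genuine: lax", verify_lax(msg, good, n, e), "strict", verify_strict(msg, good, n, e))
    print("forged:  lax", verify_lax(msg, forged, n, e), "strict", verify_strict(msg, forged, n, e))
```

Running it shows the lax verifier accepting both the genuine and the forged signature while the strict one accepts only the genuine one. Note that simply demanding at least eight 0xFF bytes is not the fix: for a 1024-bit modulus and SHA-1 that happens to leave too few free bytes for the cube-root trick, but a 2048-bit modulus with e=3 leaves plenty. The property that actually closes the hole is the one Thierry names, that the padding length is exactly what the modulus size dictates, which is what verify_strict enforces.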
