freebsd security - Sep 2006 - http://www.openssl.org/news/secadv_20060905.txt

Does anyone know the practicality of this attack ? i.e. is this trivial to do ?

         ---Mike

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike

At 10:53 AM 9/5/2006, Mike Tancsa wrote:
>Does anyone know the practicality of this attack ? i.e. is this 
>trivial to do ?
Also, for RELENG_6, can someone confirm the patch referenced in

http://www.openssl.org/news/patch-CVE-2006-4339.txt

be applied with the one change of


+{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too
short"},

to


+{RSA_R_PKCS1_PADDING_TOO_SHORT,"pkcs1 padding too short"},


I manually added in the diffs and everything seems to compile and 
function with some limited testing. I did

cd /usr/src/crypton/openssl/crypto/rsa
patch < p
cd /usr/src/secure
make clean
make obj
make depend
make includes
make
make install




>         ---Mike
>
>--------------------------------------------------------------------
>Mike Tancsa,                                      tel +1 519 651 3400
>Sentex Communications,                            mike@sentex.net
>Providing Internet since 1994                    www.sentex.net
>Cambridge, Ontario Canada                         www.sentex.net/mike
>
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to
"freebsd-security-unsubscribe@freebsd.org"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: p
Type: application/octet-stream
Size: 2392 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-security/attachments/20060905/d5d85314/p.obj

Mike Tancsa wrote:
> Does anyone know the practicality of this attack ? i.e. is this trivial
> to do ?
I'm as surprised by this as you are -- usually I get advance warning about
upcoming OpenSSL issues via vendor-sec -- but on first glance it looks like
this attack is indeed trivial.

Also, it looks like the attack isn't limited to keys with a public exponent
of 3; unless I misunderstand the bug, it affects small exponents generally.
An exponent of 17 on a 4096-bit key is almost certainly vulnerable; beyond
that I would need to read the ASN code to confirm.

Keys with a public exponent of 65537 are absolutely not vulnerable to this
attack.

Colin Percival