[Pkg-openssl-devel] openssl 1.0.0e vulnerability

Julian Gilbey jdg at debian.org
Thu Oct 6 12:01:31 UTC 2011


Package: openssl 1.0.0e

[This could be submitted as a bug against openssl since the attack is
public.  Package maintainers copied in.]

The Wikipedia page http://en.wikipedia.org/wiki/RSA refers to a paper
http://www.eecs.umich.edu/~taustin/papers/DATE10-rsa.pdf in which a
fault-based attack on RSA is described.  The authors point out a
significant security flaw in openssl 0.9.8i which appears to be still
present in 1.0.0e.

I think this is where the flaw they refer to lies:

In the file crypto/rsa/rsa_eay.c, at line 850, if the CRT-based
modular exponentiation has failed, a second attempt is tried using
bn_mod_exp (line 862 or 866).  However, the results of this attempt
are NOT then verified.  The paper then describes how this weakness can
be exploited.

The fix appears to be straightforward: once this alternative path is
used, the result should also be verified as it was on lines 839-850
before returning it.  If verification fails, then the function should
return an error.
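To make the missing step concrete, here is an added Python model of the two paths described above (not OpenSSL's code; the key is a constructed textbook RSA key and the function names are my own). The CRT result is checked against the public key, and the fallback result gets the same check before it is returned:

```python
# Added example, not OpenSSL's code: a small model of the RSA private
# operation in rsa_eay.c with the verification applied on both paths.

# Constructed toy key: e*d == 1 mod lcm(p-1, q-1), n = p*q.
KEY = {"p": 61, "q": 53, "n": 3233, "e": 17, "d": 2753}


def rsa_crt(m, key, fault=None):
    """m^d mod n via the two CRT halves; fault="p" models a transient
    computation error in the mod-p half, the scenario the paper studies."""
    p, q, d = key["p"], key["q"], key["d"]
    m1 = pow(m, d % (p - 1), p)
    m2 = pow(m, d % (q - 1), q)
    if fault == "p":
        m1 ^= 1  # one flipped bit in the intermediate result
    h = (pow(q, -1, p) * (m1 - m2)) % p  # Garner recombination
    return m2 + h * q


def rsa_plain(m, key, fault=False):
    """Fallback path: plain modular exponentiation (bn_mod_exp in OpenSSL)."""
    s = pow(m, key["d"], key["n"])
    return s ^ 1 if fault else s  # optional injected fault on this path too


def private_op(m, key, fault_crt=None, fault_plain=False):
    """Return (signature, path). The CRT result is checked against the
    public key; on mismatch we fall back to plain exponentiation and, as
    the fix proposed above, check that result the same way before returning."""
    n, e = key["n"], key["e"]
    s = rsa_crt(m, key, fault_crt)
    if pow(s, e, n) == m:
        return s, "crt"
    s = rsa_plain(m, key, fault_plain)
    if pow(s, e, n) != m:
        # Without this check a faulted value would be handed to the caller.
        raise ValueError("RSA private operation failed verification")
    return s, "fallback"
```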

   Julian
