[Pkg-openssl-devel] Bug#440538: openssl: sect239k1 testsuite failure, looks like a weak key

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sat Nov 20 10:00:49 UTC 2010


the following got reported as Debian bug #440538 [0]. I tried to track
it down with latest release of openssl available in Debian (0.9.8o-3).
Here is what I got so far:

ecdsatest.c has a test function named test_builtin() which does the
following (the important part):
1. create a random digest (RAND_pseudo_bytes, digest)
2. select a curve. In this case curve 31, sect239k1
3. create a key (eckey, EC_KEY_generate_key)
4. create a signature with key & digest (ECDSA_sign)
5. compute offset (signature[10] % sig_len)
6. compute dirt (signature[11])
7. xor signature[offset] with dirt
8. verify the modified signature (ECDSA_verify)

Now, the test fails because step 8 returns "correct" which should be
wrong because the signature got modified.
Here are the data structures I recovered from the test case at the time it
went wrong:
- the digest:
        0x57, 0x1b, 0xce, 0x73, 0x44, 0x75, 0x43, 0x6f, 0xbe, 0xa5,
        0xc7, 0x74, 0xa3, 0xe1, 0x06, 0x60, 0xd1, 0xae, 0x61, 0x17

- the eckey dumped with EC_KEY_print:
   Private-Key: (238 bit)
                priv:
                    16:b0:3e:78:68:7b:1b:b3:0b:04:dc:c6:e6:f7:c2:
                    e3:5e:31:f1:08:99:00:f3:97:0a:a9:ea:f1:f0:23
                pub: 
                    04:4a:57:e5:9f:6a:be:e0:97:d3:6a:c2:07:e0:e5:
                    27:0b:db:8a:56:9a:f9:08:61:fd:75:2b:8f:cd:00:
                    0b:3b:7b:63:92:71:b7:b2:ef:13:a7:89:14:1d:c7:
                    bb:b6:0c:d2:05:f9:2f:01:9b:ed:93:a3:43:05:db:
                    e0
                Field Type: characteristic-two-field
                Basis Type: tpBasis
                Polynomial:
                    00:80:00:00:00:00:00:00:00:00:00:40:00:00:00:
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                    01
                A:    0
                B:    1 (0x1)
                Generator (uncompressed):
                    04:29:a0:b6:a8:87:a9:83:e9:73:09:88:a6:87:27:
                    a8:b2:d1:26:c4:4c:c2:cc:7b:2a:65:55:19:30:35:
                    dc:76:31:08:04:f1:2e:54:9b:db:01:1c:10:30:89:
                    e7:35:10:ac:b2:75:fc:31:2a:5d:c6:b7:65:53:f0:
                    ca
                Order: 
                    20:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                    5a:79:fe:c6:7c:b6:e9:1f:1c:1d:a8:00:e4:78:a5
                Cofactor:  4 (0x4)

- the signature:
          40 02 1e 1e cd c7 35 0e 0e a7
          9e a6 0f 7e 02 b9 7c e8 aa eb
          54 47 5e 16 05 31 95 b5 41 11
          7b 2f 1e 02 1e 0b 19 a4 c5 d8
          2d c4 e3 25 dc 53 8e 89 01 5f
          1b 37 32 5a 6b da 2c 17 b5 41
          80 ee 14 60 ea 


- offset	[10] = 0xa7
- dirt		[11] = 0x9e
- modification	[35] = 0x1e => 0x80

Could it be possible that this curve is weak or should just the key be
verified and excluded if such a weakness is discovered?

If one wants a different function / method to dump the key or something
else please say so :)

[0] http://bugs.debian.org/440538

Sebastian
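The eight-step procedure and the hex dumps above, worked through as an added example (this is not code from the post, from OpenSSL or from ecdsatest.c): a small Python script that rebuilds the DER signature from the dump, replays the mutation from steps 5 to 7, and reports which DER field the mutated byte sits in. One assumption, inferred from the data rather than stated in the post: the dump omits the leading SEQUENCE tag 0x30, because a DER ECDSA signature is SEQUENCE { INTEGER r, INTEGER s } and the dump starts with 0x40, which is the 64-byte sequence length a 66-byte signature would carry. With that byte prepended, sig[10] = 0xa7, sig[11] = 0x9e, 0xa7 % 66 = 35 and sig[35] = 0x1e all match the reported values.

```python
"""Added example, not part of the original mailing-list post.

Reconstructs the 66-byte DER ECDSA signature from the hex dump in the post,
replays the mutation that ecdsatest.c test_builtin() applies (steps 5-7),
and reports which DER field the mutated byte belongs to.

Assumption (inference, not stated in the post): the dump omits the leading
SEQUENCE tag 0x30; see the lead-in.
"""
from typing import Dict, List, Tuple

# Signature bytes exactly as printed in the post (65 bytes, no 0x30 tag).
DUMP_HEX = """
40 02 1e 1e cd c7 35 0e 0e a7
9e a6 0f 7e 02 b9 7c e8 aa eb
54 47 5e 16 05 31 95 b5 41 11
7b 2f 1e 02 1e 0b 19 a4 c5 d8
2d c4 e3 25 dc 53 8e 89 01 5f
1b 37 32 5a 6b da 2c 17 b5 41
80 ee 14 60 ea
"""

# Prepend the SEQUENCE tag the dump appears to lack (assumption, see above).
SIGNATURE = bytes([0x30]) + bytes.fromhex("".join(DUMP_HEX.split()))

Field = Tuple[str, int, int]  # (name, first byte index, last byte index), inclusive


def parse_ecdsa_der(sig: bytes) -> Tuple[int, int, List[Field]]:
    """Strict parse of a DER ECDSA signature SEQUENCE { INTEGER r, INTEGER s }.

    Only short-form length octets (< 0x80) are accepted. 0x80 is BER's
    indefinite-length marker and is not valid DER, so a mutated length octet
    is rejected instead of being tolerated. Returns (r, s, byte layout).
    """
    if len(sig) < 2 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    seq_len = sig[1]
    if seq_len >= 0x80 or 2 + seq_len != len(sig):
        raise ValueError("bad SEQUENCE length octet")
    layout: List[Field] = [("seq_tag", 0, 0), ("seq_len", 1, 1)]
    values: Dict[str, int] = {}
    pos = 2
    for name in ("r", "s"):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError(f"{name}: expected INTEGER tag at byte {pos}")
        length = sig[pos + 1]
        if length == 0 or length >= 0x80 or pos + 2 + length > len(sig):
            raise ValueError(f"{name}: bad length octet 0x{length:02x} at byte {pos + 1}")
        first, last = pos + 2, pos + 1 + length
        layout += [(f"{name}_tag", pos, pos),
                   (f"{name}_len", pos + 1, pos + 1),
                   (f"{name}_value", first, last)]
        values[name] = int.from_bytes(sig[first:last + 1], "big")
        pos = last + 1
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return values["r"], values["s"], layout


def field_at(layout: List[Field], index: int) -> str:
    """Name of the DER field that covers byte `index`."""
    for name, first, last in layout:
        if first <= index <= last:
            return name
    return "unknown"


def analyze(sig: bytes) -> Dict[str, object]:
    """Replay steps 5-7 of test_builtin(): offset = sig[10] % len(sig),
    dirt = sig[11], sig[offset] ^= dirt. Report what the mutation touched
    and whether a strict DER parser still accepts the result."""
    _, _, layout = parse_ecdsa_der(sig)
    offset = sig[10] % len(sig)
    dirt = sig[11]
    mutated = bytearray(sig)
    mutated[offset] ^= dirt
    try:
        parse_ecdsa_der(bytes(mutated))
        strict_ok = True
    except ValueError:
        strict_ok = False
    return {
        "offset": offset,
        "dirt": dirt,
        "old": sig[offset],
        "new": mutated[offset],
        "field": field_at(layout, offset),
        "strict_reparse_ok": strict_ok,
    }


if __name__ == "__main__":
    report = analyze(SIGNATURE)
    print(f"signature length: {len(SIGNATURE)}")
    print(f"offset {report['offset']} (dirt 0x{report['dirt']:02x}): "
          f"0x{report['old']:02x} -> 0x{report['new']:02x} in field {report['field']}")
    print(f"strict DER parser accepts mutated signature: {report['strict_reparse_ok']}")
```

Running it shows that byte 35 is the length octet of the s INTEGER, not a byte of r or s itself: the test flipped 0x1e to 0x80, which turns a valid short-form length into BER's indefinite-length marker. The strict parser above refuses the mutated encoding, so the interesting question for the bug is how OpenSSL's decoder handled that octet; if a lenient decoder recovers the same (r, s) pair from the altered encoding, ECDSA_verify is being handed an unchanged signature and "correct" is the expected result, which would point at the test's choice of mutation target rather than at the curve or the key. That reading is an inference from the dump, not something the post establishes.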