[Servercert-wg] Updating BR 6.1.1.3

Roland Shoemaker roland at letsencrypt.org
Fri Apr 17 18:24:43 MST 2020


> As stated in my previous messages, you need to check for all 11 platforms
> supported by Debian at the time of the vulnerability to have a complete
> check and faithful implementation of the algorithm.

I'm not sure this is correct; the information in the presentation does seem
to imply this, but testing it by generating lists on both PowerPC and SPARC
(both 32-bit big-endian) results in identical output (at least for as long
as I left them spinning). The Debian wiki also seems to suggest that the
combination of word size and endianness is the only determining factor:

"Due to differences between endianness and sizeof(long), the output was
architecture-specific: little-endian 32bit (e.g. i386), little-endian 64bit
(e.g. amd64, ia64), big-endian 32bit (e.g. powerpc, sparc). PID 0 is the
kernel and PID_MAX (32768) is not reached when wrapping, so there were
32767 possible random number streams per architecture. This is (2^15-1)*3
or 98301."

On Fri, Apr 17, 2020 at 11:50 AM Corey Bonnell via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> > Currently, we have in the BRs an expectation that you implement an
> > algorithm, which in pseudo-code is something like:
> >
> > function isDebianWeak(key) {
> >   for architecture in (le32, le64, be32) {
> >     for pid in (0...32767) {
> >       if (key == debian_key(architecture, pid, length(key), exponent(key))) {
> >         return true;
> >       }
> >     }
> >   }
> >   return false;
> > }
>
> As stated in my previous messages, you need to check for all 11 platforms
> supported by Debian at the time of the vulnerability to have a complete
> check and faithful implementation of the algorithm. So even if CAs limit
> the set of accepted key sizes and exponents, there is still the difficult
> hurdle to overcome of enumerating all 11 platforms, especially since many
> of them are moribund. In other words, iterating over "be32", "le32", and
> "le64" is imprecise and incomplete; you need to iterate over all 11. The
> presentation you linked to in the previous email stated as such on slide 11
> ("… and each platform (x86,x64,PPC,…)"). As time goes on and this
> antiquated hardware becomes increasingly rare, this will be an increasingly
> onerous requirement for incumbent -- and especially new -- CAs.
>
> Thanks,
> Corey
>
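A runnable counterpart to the pseudo-code quoted above, added here as an example; it is not code from either poster, from Debian, or from the CA/Browser Forum. It collapses a list of Debian platforms to the (word size, endianness) classes the Debian wiki quote names, counts the resulting 98301 random-number streams, and performs the weak-key check the way a CA would do it in practice: not by regenerating keys at request time, but by looking the candidate modulus up in a blocklist precomputed from exactly that (class, pid) enumeration. Two things are my assumptions rather than statements from the thread: the per-platform word-size/endianness mapping for the 11 Debian ports of the time, and the openssl-blacklist fingerprint format (last 20 hex characters of SHA-1 over the `Modulus=HEX` line that `openssl rsa -noout -modulus` prints). The blocklist entries are constructed for the example and are not real weak-key fingerprints.

```python
import hashlib
from typing import Iterator

# Added example, not code from the thread. The three classes are the ones the
# Debian wiki quote names; the per-platform mapping is my own assumption about
# the 11 Debian ports of the period, not something the thread states.
PLATFORM_CLASS = {
    "i386": "le32", "arm": "le32", "mipsel": "le32",
    "amd64": "le64", "ia64": "le64", "alpha": "le64",
    "powerpc": "be32", "sparc": "be32", "mips": "be32", "hppa": "be32", "s390": "be32",
}
PID_MAX = 32768  # PID 0 is the kernel; PIDs 1..32767 give distinct streams


def distinct_classes() -> set[str]:
    """Collapse the platform list to the classes the PRNG output depends on."""
    return set(PLATFORM_CLASS.values())


def stream_count() -> int:
    """Distinct random-number streams: (2^15 - 1) per class, times the classes."""
    return len(distinct_classes()) * (PID_MAX - 1)


def enumerate_streams() -> Iterator[tuple[str, int]]:
    """The (architecture class, pid) pairs the pseudo-code's two loops walk over."""
    for arch in sorted(distinct_classes()):
        for pid in range(1, PID_MAX):
            yield arch, pid


def modulus_fingerprint(n: int) -> str:
    """Fingerprint of an RSA modulus in the openssl-blacklist style (assumption):
    SHA-1 over the 'Modulus=HEX' line printed by `openssl rsa -noout -modulus`,
    keeping the last 20 hex characters."""
    line = f"Modulus={n:X}\n".encode("ascii")
    return hashlib.sha1(line).hexdigest()[-20:]


def parse_blocklist(text: str) -> set[str]:
    """Parse a blocklist: one 20-hex-char fingerprint per line, '#' comments allowed."""
    entries: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if len(line) != 20 or any(c not in "0123456789abcdef" for c in line):
            raise ValueError(f"malformed blocklist entry: {raw!r}")
        entries.add(line)
    return entries


def is_debian_weak(n: int, blocklist: set[str]) -> bool:
    """Runnable form of the thread's isDebianWeak: the blocklist stands in for
    the keys debian_key(arch, pid, ...) would produce over enumerate_streams()."""
    return modulus_fingerprint(n) in blocklist


# Constructed sample data: NOT real Debian weak-key moduli, just two integers
# standing in for moduli so the example runs offline.
WEAK_SAMPLE = 0xC0FFEE1234567890ABCDEF
GOOD_SAMPLE = 0xDEADBEEF0123456789ABCD
SAMPLE_BLOCKLIST_TEXT = (
    "# constructed blocklist for the example\n"
    f"{modulus_fingerprint(WEAK_SAMPLE)}\n"
)

if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_BLOCKLIST_TEXT)
    print("classes:", sorted(distinct_classes()), "streams:", stream_count())
    print("weak sample flagged:", is_debian_weak(WEAK_SAMPLE, bl))
    print("good sample flagged:", is_debian_weak(GOOD_SAMPLE, bl))
```

The point of `distinct_classes()` is the one under dispute in the thread: if the PRNG output really depends only on `sizeof(long)` and byte order, then adding more platforms to `PLATFORM_CLASS` never adds a fourth class, and the enumeration a blocklist has to cover stays at 3 x 32767 entries per (key size, exponent) pair.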