[Servercert-wg] SCXX Ballot proposal: Debian Weak keys
Rob Stradling
rob at sectigo.com
Tue Jan 5 17:09:46 UTC 2021
Jacob wrote:
> My reasoning: Given the difficulty of correctly setting up old Debian versions and generating weak keys for sizes that are not part of openssl-blacklist, I expect most CAs will choose this path. Given that, we should just say what we mean: the pregenerated list is fine if you restrict key sizes, but you don't *have* to restrict key sizes, so long as you have an alternate method to ensure you're not issuing for Debian weak keys at other sizes.
I generated some additional Debian weak key lists back in 2008 (which are still available at https://secure.sectigo.com/debian_weak_keys/), and even back then it was not a trivial task. Since I still had a copy of my code lying around (and since there wasn't much else going on during Twixmas 😉 ), I figured I could turn it into a tool that's much easier for anyone to use...
https://github.com/CVE-2008-0166
The "key_generator" repository has tools to generate Debian weak keys and blocklists - for all 9 of the word size / endianness combinations - using just a modern 64-bit Linux system.
The "openssl_blocklists" and "private_keys" repositories are currently empty, but I will populate them when I can. Generating 294,912 RSA keypairs per keysize is going to take a while... 🙂
For Sectigo, I'm planning to discontinue our use of the openssl-blacklist format (i.e., SHA-1("Modulus=...") ), and to use SubjectPublicKeyInfo for all of our weak/compromised key checks. SPKIs can't be obtained from SHA-1("Modulus=..."), but once I've populated the "private_keys" repository I will have what I need.
________________________________
From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of Jacob Hoffman-Andrews via Servercert-wg <servercert-wg at cabforum.org>
Sent: 12 December 2020 02:21
To: Christopher Kemmerer <chris at ssl.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] SCXX Ballot proposal: Debian Weak keys
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Thanks for your continued efforts to improve this part of the BRs! Let's Encrypt is in theory interested in endorsing, but I think it still needs a bit of work. Thanks for incorporating my most recent comments on endianness and word size vs 11 platforms.
Goals: We want CAs to consistently not issue certificates for weak keys in general, and also in the specific case of Debian and ROCA keys. We want the definition of Debian and ROCA keys to be clear and actionable for as long as possible - say, at least twenty years.
We have three ways to specify Debian and ROCA keys: With a list, with a tool, or with an algorithm*. The original revision of this ballot proposed to use a list (https://lists.cabforum.org/pipermail/servercert-wg/2020-April/001821.html<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fpipermail%2Fservercert-wg%2F2020-April%2F001821.html&data=04%7C01%7Crob%40sectigo.com%7C725d14b0028d483970d608d89e44afd7%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637433365135815531%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=o0lw97H4L%2FCCP0YpBPPD9BkpSKF3GxENe6a3zJ%2FZfQ8%3D&reserved=0>). There were two objections:
- The list (openssl-blacklist) is subject to change or removal.
- The list only covers 2048 and 4096 bit keys.
The current draft proposes specifying a tool for ROCA (https://github.com/crocs-muni/roca<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcrocs-muni%2Froca&data=04%7C01%7Crob%40sectigo.com%7C725d14b0028d483970d608d89e44afd7%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637433365135825523%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=fzEpy%2Bnzn4VIuysD6Os0y8QwLbn5AMcpi6pppPmUafM%3D&reserved=0>) and an algorithm for Debian keys.
The ROCA tool is subject to change or removal, just like the openssl-blacklist package. I propose we instead specify ROCA detection in terms of the paper (https://crocs.fi.muni.cz/public/papers/rsa_ccs17<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrocs.fi.muni.cz%2Fpublic%2Fpapers%2Frsa_ccs17&data=04%7C01%7Crob%40sectigo.com%7C725d14b0028d483970d608d89e44afd7%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637433365135835517%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=uSJlr5l%2B%2BV%2FSdLl2pXAlm99KamucJ9za0CPyrkJZLBI%3D&reserved=0>) and ask for permission from the authors to archive an unchanging copy as an addendum to the BRs.
For Debian keys, what looks like an algorithm specification is actually a tool + algorithm specification. The tool is "OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems" (per CVE-2008-01666 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0166<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3D2008-0166&data=04%7C01%7Crob%40sectigo.com%7C725d14b0028d483970d608d89e44afd7%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637433365135835517%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tMrATEIilzafZgpkuPskXI%2BqOtEbV32Ifi3tXZAYtCc%3D&reserved=0>). To ensure an unchanging copy of that, we should archive 3 copies of Debian, for the 3 word size + endianness combinations.
The algorithm also needs an additional line: "v) using the command 'openssl req -nodes -subj / -newkey rsa:<Public Key length>'" (adapted from https://sources.debian.org/data/main/o/openssl-blacklist/0.5-3/examples/gen_certs.sh<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsources.debian.org%2Fdata%2Fmain%2Fo%2Fopenssl-blacklist%2F0.5-3%2Fexamples%2Fgen_certs.sh&data=04%7C01%7Crob%40sectigo.com%7C725d14b0028d483970d608d89e44afd7%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637433365135845510%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=gqJerriYbuEngbYTuTC96PiqEq5OVIyw3NYqPZX6hZ0%3D&reserved=0>). Other tools that linked OpenSSL, like openvpn and openssh, generated different sets of keys. We can include or exclude openvpn and openssh keys, but should thoroughly specify.
Lastly, I think we should archive openssl-blacklist, and include in the BRs: "A CA may reject the full set of Debian weak keys by rejecting this superset of the Debian weak keys:
- All RSA public keys with modulus lengths other than 2048 or 4096, and
- All RSA public keys with exponents other than 65537, and
- All RSA public keys that are detected as vulnerable by the openssl-vulnkey program in the openssl-blacklist package version 0.5-3 (see addendum), or an equivalent program."
My reasoning: Given the difficulty of correctly setting up old Debian versions and generating weak keys for sizes that are not part of openssl-blacklist, I expect most CAs will choose this path. Given that, we should just say what we mean: the pregenerated list is fine if you restrict key sizes, but you don't *have* to restrict key sizes, so long as you have an alternate method to ensure you're not issuing for Debian weak keys at other sizes.
*I'm considering specifying an algorithm to be functionally equivalent to specifying an "outcome," though I recognize this may be too hand-wavy.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210105/ca95c5c1/attachment-0001.html>
More information about the Servercert-wg
mailing list