From: David Groep
Date: Mon, 22 September 2006 18:00:00 +0200
Subject: EUGridPMA accredited CAs and OpenSSL vulnerability CVE-2006-4339

Dear CAs, Relying Parties, Users, and all others interested,

In this announcement of the EUGridPMA:

1. Impact of OpenSSL RSA key handling vulnerability (CVE-2006-4339)
   and the EUGridPMA accredited CAs

We hope that you find this update useful and welcome any comments you may
have. Also, feel free to redistribute this information widely as you see
appropriate.

Regards,
David Groep

For more information about this newsletter and the mailing list, please
refer to the EUGridPMA web site at https://www.eugridpma.org/

=========================================================================
1. Impact of OpenSSL RSA key handling vulnerability (CVE-2006-4339)
=========================================================================

Recently, a vulnerability has been identified in OpenSSL, which could be
exploited by attackers to bypass security restrictions. This flaw is due
to an error when handling and verifying RSA keys with exponent 3, which
could be exploited by attackers to forge PKCS #1 v1.5 signatures and
bypass security verifications. This affects only OpenSSL 0.9.7j and prior
and OpenSSL 0.9.8b and prior.
(see http://www.frsirt.com/english/advisories/2006/3453)

In order to aid relying parties in the risk assessment, the EUGridPMA has
requested an investigation of all certificates issued by any of the
Certification Authorities accredited by the PMA, to see if any of these
have issued certificates based on an RSA key with public exponent 3.

In the review, 12 certificates were found for which the exponent of the
RSA public key is 3:

- the INFN CA (covering Italy) has issued in total 10 certificates with
  exponents 3, 5, or 7, of which 6 are still valid. In all these cases,
  the certificates were issued to Cisco VPN hardware equipment.
  All other certificates were based on a key pair with exponent 65537.

- the SWITCH Server CA (covering Switzerland) has issued 1 (one)
  certificate with exponent 3, also issued to a Cisco VPN system, which
  has since expired. All active certificates from any SWITCH CA have
  exponents different from 3.

- the UK e-Science CA (covering the UK) has issued 1 (one) certificate
  with exponent 3 to a user, which has since expired. All active
  certificates from the UK e-Science CA have exponent 65537.

The following CAs have reported that all their certificates are based on
RSA key pairs with exponent 65537 (and these certificates are thus not
affected by this vulnerability):

  CyGrid (Cyprus)
  IUCC (Israel)
  NorduGrid (Denmark, Sweden, Norway, Finland, Iceland)
  DataGrid-ES (Spain)
  BEGrid (Belgium)
  SiGNET (Slovenia)
  EstonianGrid (Estonia)
  SWITCH (Switzerland)
  NIIF/Hungarnet (Hungary)
  BalticGrid (Estonia, Latvia, Lithuania)
  CERN (CERN)
  ArmeSFO (Armenia)
  CNRS Grid-FR (France and catch-all)
  CESNET (Czech Republic)
  DutchGrid (The Netherlands)
  GermanGrid (Germany, FZK)
  HellasGrid (Greece)
  Grid-Ireland (Republic of Ireland)
  PolishGrid (Poland)
  LIP (Portugal)
  Russian DG (Russia and selected CIS countries)
  SlovakGrid (Slovakia)
  DoEGrids (USA and LCG catch-all)
  Grid-PK (Pakistan)
  SEE-GRID Regional (South East European regional catch-all)
  AustrianGrid (Austria)
  DFN (Germany)
  RDIG (Russia)
  TR-Grid (Turkey)
  pkIRISGrid (Spain)
  SRCE (Croatia)
  GridCanada (Canada)

CAs have implemented measures to prevent signing of such key pairs where
possible. The INFN CA is currently investigating whether the Cisco VPN
systems can generate key pairs with another exponent, but in that case
the certificates are not usually used in a Grid context in combination
with OpenSSL.
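
The kind of review described above (finding issued certificates whose RSA public exponent is 3) can be scripted. The following is an added example, not a tool from the EUGridPMA or any of the CAs named in this announcement: it reads the exponent out of a DER-encoded certificate with the Python standard library only. All function names are hypothetical, the "review" label for other exponents below 65537 is an assumed policy, and the sample certificate is a constructed skeleton with a placeholder modulus.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_public_exponent(cert_der):
    """Return the RSA public exponent of a DER certificate, or None if not RSA."""
    tbs = children(children(read_tlv(cert_der)[1])[0][1])
    spki = tbs[6 if tbs[0][0] == 0xA0 else 5]  # explicit [0] version is optional
    alg, key_bits = children(spki[1])
    if children(alg[1])[0][1] != RSA_OID:
        return None
    modulus, exponent = children(read_tlv(key_bits[1][1:])[1])  # skip unused-bits byte
    return int.from_bytes(exponent[1], "big")

def classify(exponent):
    """Policy label; flagging other exponents below 65537 is an assumption."""
    if exponent == 3:
        return "exponent-3"  # the case CVE-2006-4339 concerns
    return "ok" if exponent is None or exponent >= 65537 else "review"

def der(tag, body=b""):
    """Minimal DER encoder, used only to build the constructed sample."""
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_cert(e, n=0xC5 << 1016 | 1):
    """Constructed certificate skeleton: placeholder modulus, no names or signature."""
    integer = lambda v: der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05)) +
               der(0x03, b"\x00" + der(0x30, integer(n) + integer(e))))
    tbs = der(0x30, der(0xA0, integer(2)) + integer(1) + der(0x30) * 4 + spki)
    return der(0x30, tbs + der(0x30) + der(0x03, b"\x00"))
```

rsa_public_exponent() expects DER bytes, so a PEM certificate has to be base64-decoded first. The same check applied to a submitted public key before signing is one way to implement the preventive measure mentioned in the closing paragraph.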