Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

Felix felix.wiedenroth at gmx.de
Mon Dec 21 11:00:17 UTC 2015


Hello,

I found out that in openssl 0.9.8 a check is missing for duplicate 
primes p and q, see below. This is relevant when generating RSA keys:


root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
.......+++++++++++++++++++++++++++
.+++++++++++++++++++++++++++
e is 65537 (0x10001)
  p:DBF7DA8B44ADCDD1 Phase 1 q:DBF7DA8B44ADCDD1 -----BEGIN RSA PRIVATE KEY-----
MGICAQACEQC+ePfpNx2CzoNDm/Aejm7HAgMBAAECEF/t7vYfUxaga1+R+6EPYiEC
CQDdrD6E0hkhFwIJANv32otErc3RAgkAz2HVG21zFQECCEW9PRKugZQhAgg9HQ6/
Pr0Uvg==
-----END RSA PRIVATE KEY-----
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
.+++++++++++++++++++++++++++
.+++++++++++++++++++++++++++
e is 65537 (0x10001)
  p:DC32B965793AF86F Phase 1 q:C6F919F7AAA5EC71 -----BEGIN RSA PRIVATE KEY-----
MGUCAQACEQCrJX8Qy0q3bw5VN6G1mPz/AgMBAAECEQCbPCOI5BwdTE4K+TuIwOaB
AgkA3DK5ZXk6+G8CCQDG+Rn3qqXscQIJAKbu/YZkRcSZAgkAnE+DS+K+uLECCQCu
HHeujcFd/Q==
-----END RSA PRIVATE KEY-----
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
.........+++++++++++++++++++++++++++
...+++++++++++++++++++++++++++
e is 65537 (0x10001)
  p:EFAB9BC12A217257 Phase 1 q:C4B0A783D183DA55 -----BEGIN RSA PRIVATE KEY-----
MGMCAQACEQC4JMYPVKDUPrZfVf8B/gzjAgMBAAECEQCd8r0IbVi+c84EAM4bn4jR
AgkA76ubwSohclcCCQDEsKeD0YPaVQIIaHDg8+E3KAsCCELVeAZdof0FAgkAyqHj
yqUIUes=
-----END RSA PRIVATE KEY-----
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
..+++++++++++++++++++++++++++
.+++++++++++++++++++++++++++
e is 65537 (0x10001)
  p:CA1A6069FBCE0E6B Phase 1 q:CA1A6069FBCE0E6B -----BEGIN RSA PRIVATE KEY-----
MGUCAQACEQDIjp/x7uVVrCNdf9Y1SpStAgMBAAECEQCyNiIkPe7lN1KFh4ubrk8V
AgkA/gq1dP5Y/0cCCQDKGmBp+84OawIJALlWjL4XFkzfAgkArBEa5wD4pXMCCQDW
mLQFBXBWbw==
-----END RSA PRIVATE KEY-----
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
...+++++++++++++++++++++++++++
.+++++++++++++++++++++++++++
e is 65537 (0x10001)
  p:F4D74AA8BE84C4A3 Phase 1 q:D83D57FC191345D1 -----BEGIN RSA PRIVATE KEY-----
MGICAQACEQDO0FJxcT23cfxgf5/WfXgTAgMBAAECECNo7cS4o92FmsN9eYgtFiEC
CQD010qovoTEowIJANg9V/wZE0XRAghhDEkqk8HakwIJAKFKKD12qqRxAggvO+Uz
yUnU6g==
-----END RSA PRIVATE KEY-----
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps#


As, in my environment, p and q are identical in about 50% of the cases, 
this is in my opinion a big security hole, because p and q can be 
determined from N by calculating the square root of N.

I will try to test this with a newer release of openssl as well.

Thank you.

Regards,

Felix
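The following is an added example, not part of the report above and not OpenSSL code. It decodes the five PKCS#1 private keys posted in the report with a minimal DER parser (an assumption of this example: only the nine-INTEGER RSAPrivateKey layout that "BEGIN RSA PRIVATE KEY" carries is handled) and applies the check the report describes: whether the two primes stored in the key are equal, and whether n is a perfect square, in which case the integer square root of n is the factorisation. The modulus DEGENERATE_N is constructed here from the first prime the report shows being drawn for both p and q, to show the square-root recovery on a modulus that really is p*p.

```python
import base64
import math

# The five "BEGIN RSA PRIVATE KEY" blocks from the report above, copied verbatim.
PEMS_FROM_POST = [
    """-----BEGIN RSA PRIVATE KEY-----
MGICAQACEQC+ePfpNx2CzoNDm/Aejm7HAgMBAAECEF/t7vYfUxaga1+R+6EPYiEC
CQDdrD6E0hkhFwIJANv32otErc3RAgkAz2HVG21zFQECCEW9PRKugZQhAgg9HQ6/
Pr0Uvg==
-----END RSA PRIVATE KEY-----""",
    """-----BEGIN RSA PRIVATE KEY-----
MGUCAQACEQCrJX8Qy0q3bw5VN6G1mPz/AgMBAAECEQCbPCOI5BwdTE4K+TuIwOaB
AgkA3DK5ZXk6+G8CCQDG+Rn3qqXscQIJAKbu/YZkRcSZAgkAnE+DS+K+uLECCQCu
HHeujcFd/Q==
-----END RSA PRIVATE KEY-----""",
    """-----BEGIN RSA PRIVATE KEY-----
MGMCAQACEQC4JMYPVKDUPrZfVf8B/gzjAgMBAAECEQCd8r0IbVi+c84EAM4bn4jR
AgkA76ubwSohclcCCQDEsKeD0YPaVQIIaHDg8+E3KAsCCELVeAZdof0FAgkAyqHj
yqUIUes=
-----END RSA PRIVATE KEY-----""",
    """-----BEGIN RSA PRIVATE KEY-----
MGUCAQACEQDIjp/x7uVVrCNdf9Y1SpStAgMBAAECEQCyNiIkPe7lN1KFh4ubrk8V
AgkA/gq1dP5Y/0cCCQDKGmBp+84OawIJALlWjL4XFkzfAgkArBEa5wD4pXMCCQDW
mLQFBXBWbw==
-----END RSA PRIVATE KEY-----""",
    """-----BEGIN RSA PRIVATE KEY-----
MGICAQACEQDO0FJxcT23cfxgf5/WfXgTAgMBAAECECNo7cS4o92FmsN9eYgtFiEC
CQD010qovoTEowIJANg9V/wZE0XRAghhDEkqk8HakwIJAKFKKD12qqRxAggvO+Uz
yUnU6g==
-----END RSA PRIVATE KEY-----""",
]


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_private_key(der: bytes) -> dict:
    """Parse PKCS#1 RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }.

    Assumption of this example: no other layout (e.g. PKCS#8) is handled.
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    key, pos = {}, 0
    for name in ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER for %s" % name)
        key[name] = int.from_bytes(value, "big", signed=True)  # DER INTEGER is two's complement
    return key


def square_root_factor(n: int):
    """Return (p, p) when n is a perfect square (the p == q case), else None."""
    r = math.isqrt(n)
    return (r, r) if r * r == n else None


def check_rsa_key(pem: str) -> dict:
    """Run the degeneracy checks on one PEM-encoded PKCS#1 RSA private key."""
    k = parse_rsa_private_key(pem_to_der(pem))
    return {
        "bits": k["n"].bit_length(),
        "consistent": k["p"] * k["q"] == k["n"],   # stored primes really factor n
        "p_equals_q": k["p"] == k["q"],
        "n_is_square": square_root_factor(k["n"]) is not None,
        "p": k["p"],
        "q": k["q"],
    }


# Constructed modulus (not from the post): n = p*p, using the prime the report's
# first run shows being drawn for both p and q.
DEGENERATE_P = 0xDBF7DA8B44ADCDD1
DEGENERATE_N = DEGENERATE_P * DEGENERATE_P

if __name__ == "__main__":
    for i, pem in enumerate(PEMS_FROM_POST, 1):
        print("key %d: %s" % (i, check_rsa_key(pem)))
    print("square-root factor of constructed p*p modulus:", square_root_factor(DEGENERATE_N))
```

The "consistent" field is the sanity check that the parser read the right fields: if the two stored primes do not multiply to n, nothing else the function reports should be trusted. For a real-size modulus the perfect-square test is still cheap (one integer square root), so it is reasonable to run it on every generated key rather than only on toy sizes.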



More information about the openssl-bugs-mod mailing list