[openssl-dev] [openssl.org #4191] Re: Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
Felix via RT
rt at openssl.org
Mon Dec 21 11:52:29 UTC 2015
P.S.
Problem still exists in Version 0.9.8zh.
Regards,
Felix
Am 21.12.2015 12:00, schrieb Felix:
> Hello,
>
> I found out, that in openssl 0.9.8 a check is missing for duplicate
> primes of p and q, see below. This is relevant when generating RSA-Keys:
>
>
> root at debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> .......+++++++++++++++++++++++++++
> .+++++++++++++++++++++++++++
> e is 65537 (0x10001)
> p:DBF7DA8B44ADCDD1 Phase 1 q:DBF7DA8B44ADCDD1 -----BEGIN RSA PRIVATE
> KEY-----
> MGICAQACEQC+ePfpNx2CzoNDm/Aejm7HAgMBAAECEF/t7vYfUxaga1+R+6EPYiEC
> CQDdrD6E0hkhFwIJANv32otErc3RAgkAz2HVG21zFQECCEW9PRKugZQhAgg9HQ6/
> Pr0Uvg==
> -----END RSA PRIVATE KEY-----
> root at debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> .+++++++++++++++++++++++++++
> .+++++++++++++++++++++++++++
> e is 65537 (0x10001)
> p:DC32B965793AF86F Phase 1 q:C6F919F7AAA5EC71 -----BEGIN RSA PRIVATE
> KEY-----
> MGUCAQACEQCrJX8Qy0q3bw5VN6G1mPz/AgMBAAECEQCbPCOI5BwdTE4K+TuIwOaB
> AgkA3DK5ZXk6+G8CCQDG+Rn3qqXscQIJAKbu/YZkRcSZAgkAnE+DS+K+uLECCQCu
> HHeujcFd/Q==
> -----END RSA PRIVATE KEY-----
> root at debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> .........+++++++++++++++++++++++++++
> ...+++++++++++++++++++++++++++
> e is 65537 (0x10001)
> p:EFAB9BC12A217257 Phase 1 q:C4B0A783D183DA55 -----BEGIN RSA PRIVATE
> KEY-----
> MGMCAQACEQC4JMYPVKDUPrZfVf8B/gzjAgMBAAECEQCd8r0IbVi+c84EAM4bn4jR
> AgkA76ubwSohclcCCQDEsKeD0YPaVQIIaHDg8+E3KAsCCELVeAZdof0FAgkAyqHj
> yqUIUes=
> -----END RSA PRIVATE KEY-----
> root at debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> ..+++++++++++++++++++++++++++
> .+++++++++++++++++++++++++++
> e is 65537 (0x10001)
> p:CA1A6069FBCE0E6B Phase 1 q:CA1A6069FBCE0E6B -----BEGIN RSA PRIVATE
> KEY-----
> MGUCAQACEQDIjp/x7uVVrCNdf9Y1SpStAgMBAAECEQCyNiIkPe7lN1KFh4ubrk8V
> AgkA/gq1dP5Y/0cCCQDKGmBp+84OawIJALlWjL4XFkzfAgkArBEa5wD4pXMCCQDW
> mLQFBXBWbw==
> -----END RSA PRIVATE KEY-----
> root at debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> ...+++++++++++++++++++++++++++
> .+++++++++++++++++++++++++++
> e is 65537 (0x10001)
> p:F4D74AA8BE84C4A3 Phase 1 q:D83D57FC191345D1 -----BEGIN RSA PRIVATE
> KEY-----
> MGICAQACEQDO0FJxcT23cfxgf5/WfXgTAgMBAAECECNo7cS4o92FmsN9eYgtFiEC
> CQD010qovoTEowIJANg9V/wZE0XRAghhDEkqk8HakwIJAKFKKD12qqRxAggvO+Uz
> yUnU6g==
> -----END RSA PRIVATE KEY-----
> root at debian6:/home/felix/Downloads/openssl-0.9.8o/apps#
>
>
> As, in my environment, p qnd q are identical in about 50% of the
> cases, this is in my opinion a big security hole, because p and q can
> be determined from N by calculating the square-root of N.
>
> I will try to test this with a newer release of openssl as well.
>
> Thank you.
>
> Regards,
>
> Felix
_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-mod at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
More information about the openssl-dev
mailing list