public key request

Brad Fitzpatrick brad at danga.com
Tue May 24 12:08:04 PDT 2005


Quoted:

   "The lesson is simple: if you have access to DSA parameters and can alter
    them, and then obtain a message signed with the faux parameters,
    you can steal a person's private key."

Okay, so to exploit this, you have to alter my keys and have me sign
something?  Uh, if you're already on my machines, you can just get
the keys from disk or if they're encrypted on disk and only in memory,
you can read the memory.

And if the reason for the cert is so the OpenID server can trust its
own keys, what's to say the person that got onto your box didn't
change the application?

I'm still not buying it?  What's the attack I'm not seeing?

- Brad



On Tue, 24 May 2005, Andy Thomas wrote:

> Typing.. dsa flaw.. into Google brings up some plausible
> webpages for this.  Reading the top hit seems to match
> what Trevor mentions sufficiently well for me to not feel
> a total fool for sending this email...  :)  (Apologies if this
> turns out not to be the case..)
>
> andy
>
>
> On 5/24/05, Brad Fitzpatrick <brad at danga.com> wrote:
> > Every OpenID server can't just decide whether to use RSA or DSA or one key
> > format or another.  That's just asking for interop hell.  We need to make
> > one recommendation from the beginning and have everybody do that.  You
> > have a URL where I can read more about this PEM format problem?
> >
> > On Tue, 24 May 2005, Clarke, Trevor wrote:
> >
> > > Currently, opened.bml?openid.mode=getpubkey returns a DSA pubkey in
> > > SSLeay format. This should probably be changed. This is a deprecated
> > > compat format which has some issues....mostly, it has no hash or
> > > signature associated with it so it's easy to exploit a known DSA flaw.
> > > (replacing 2 of the parameters, getting a signature, deducing the
> > > private key from the result). It should really give an x509 cert (which
> > > would allow DSA or RSA). These are also much easier to work with as most
> > > DSA libraries don't support SSLeay format PEM public keys (just SSLeay
> > > and openssl AFAIK and many openssl wrappers don't support it). Could lj
> > > start exporting a cert instead of a DSA pubkey? It's pretty easy to do
> > > so with openssl...there are many recipes on the net for creating
> > > self-signed certs.
> > >
> > >
> > >
> > > ------------------------------
> > >
> > > Trevor R.H. Clarke
> > >
> > > > tclarke at ball.com
> > >
> > > Ball Aerospace & Technologies Corp
> > >
> > >
> > >
> > >
> > _______________________________________________
> > yadis mailing list
> > yadis at lists.danga.com
> > http://lists.danga.com/mailman/listinfo/yadis
> >
>
>
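
Added example, not part of the original thread or of any OpenID/LiveJournal code: one way a signer could refuse to sign when its stored DSA parameters have been altered, the gap Trevor describes when the key carries no hash or signature. The function names, the fingerprint encoding and the toy values are assumptions made for illustration.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases; trial division handles small n."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # base in [2, n-2]
        if pow(a, d, n) != 1 and all(pow(a, d << r, n) != n - 1 for r in range(s)):
            return False  # a is a witness: n is composite
    return True

def check_dsa_params(p, q, g):
    """Return the problems found in DSA domain parameters (empty list = OK)."""
    problems = [name + " is not prime" for name, v in (("p", p), ("q", q))
                if not is_probable_prime(v)]
    if problems:
        return problems
    if (p - 1) % q:
        problems.append("q does not divide p-1")
    if not 1 < g < p or pow(g, q, p) != 1:
        problems.append("g does not generate the order-q subgroup")
    return problems

def fingerprint(p, q, g, y):
    """SHA-256 over length-prefixed big-endian encodings of p, q, g, y."""
    h = hashlib.sha256()
    for v in (p, q, g, y):
        raw = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.hexdigest()

def safe_to_sign(p, q, g, y, pinned_fp):
    """True only if parameters are well-formed AND match the pinned fingerprint."""
    ok = not check_dsa_params(p, q, g)
    return ok and secrets.compare_digest(fingerprint(p, q, g, y), pinned_fp)

# Constructed toy values (far too small for real use): x = 7, y = g^x mod p
P, Q, G, Y = 23, 11, 2, 13
PINNED = fingerprint(P, Q, G, Y)  # recorded at key generation, stored separately
```

The structural checks alone accept any well-formed parameter set, so the pinned fingerprint is what catches a swap to different but valid parameters.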

