

EC key generation is broken in all OpenSSL versions - rurban
https://www.mail-archive.com/openssl-dev@openssl.org/msg37790.html

======
agl
Nothing much to see here.

ECC private keys are just random numbers. The reported issue is that, if the
random number happens to be encodable in fewer bytes than expected, the spec
says that it should be padded with leading zeros, but OpenSSL doesn't do that.

For example, if you generate 32-bit random numbers, you expect a few to be
only three bytes long (and even a few to be two or one). The difference is
whether you write 0x123456 or 0x00123456. There's no security impact. At
worst, an OpenSSL-generated ECC key might be rejected by other code.

Since OpenSSL has been doing this forever (based on the report) in practice
this means that we should update the spec :)

~~~
userbinator
_At worst, an OpenSSL-generated ECC key might be rejected by other code._

Private keys are almost certainly kept private so the amount of software that
handles them is relatively limited (I'd bet that the majority of the time it's
OpenSSL), but how about _public_ ECC keys? As I understand it, they could be
embedded in certificates and signed, in which case a signature verifier that
uses the "correct" encoding might fail. However, AFAIK almost all SSL
certificates out there use RSA and ECC is pretty rare, so this problem has
little impact.

~~~
agl
ECC public keys use a different encoding (X9.62). There's nothing in the
report that suggests a problem there.

------
KenoFischer
If I'm reading this correctly it's only an encoding problem (which seems
better than generating weak keys, etc.)? What are the security implications?

~~~
hannob
Other implementations that do strict checks of the spec could reject keys
generated by openssl. This could lead to connection failures and in some cases
a retry on a less secure (or insecure) channel. Given that EC deployment on
TLS is rare anyway this will probably not happen very often.

~~~
agl
This reported issue is with private key serialisation, not with public keys.
So any issues would be at server startup time, when loading keys, rather than
with connecting clients.
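An added illustration of the encoding difference agl describes above (and of the "strict implementation rejects the key" failure hannob raises), written for this page and not taken from OpenSSL or from the report. It encodes a private scalar both ways, fixed width with leading zeros as SEC 1 / RFC 5915 prescribe versus minimal length with leading zero bytes dropped, and shows what a strict and a lenient reader each do with the short form. It uses the real P-256 group order for the curve width; the function names and the `strict` flag are this example's own, and the scalar 0x123456 is the thread's toy value, far smaller than a real key.

```python
import secrets

# P-256 (secp256r1) group order n: a real, well-known constant, used here only
# so the demo runs against a realistic curve width (32 bytes).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def scalar_byte_length(order):
    """Width of the privateKey octet string: ceil(log2(n) / 8) bytes."""
    return (order.bit_length() + 7) // 8


def encode_private_scalar_padded(d, order):
    """Spec-conformant encoding: big-endian, left-padded with zero bytes to the
    curve's fixed width, so every key on a given curve has the same length."""
    if not 1 <= d < order:
        raise ValueError("scalar must lie in [1, n-1]")
    return d.to_bytes(scalar_byte_length(order), "big")


def encode_private_scalar_minimal(d, order):
    """Minimal-length encoding (the behaviour the thread reports for OpenSSL):
    leading zero bytes are absent, so a scalar below 2^(8*(w-1)) comes out
    shorter than the curve width w."""
    if not 1 <= d < order:
        raise ValueError("scalar must lie in [1, n-1]")
    return d.to_bytes((d.bit_length() + 7) // 8, "big")


def decode_private_scalar(octets, order, strict=True):
    """Parse a privateKey octet string back into an integer.

    strict=True  behaves like an implementation that checks the spec to the
                 letter: the string must be exactly the curve width.
    strict=False tolerates shorter strings by treating the missing leading
                 bytes as zeros, the compatibility posture needed to load keys
                 written by an encoder that drops leading zeros.
    In both modes the value is range-checked: 0 and anything >= n are never
    valid private keys, whatever the encoding length.
    """
    width = scalar_byte_length(order)
    if len(octets) > width:
        raise ValueError(f"encoding is {len(octets)} bytes, wider than the curve ({width})")
    if strict and len(octets) != width:
        raise ValueError(f"expected exactly {width} bytes, got {len(octets)}")
    d = int.from_bytes(octets, "big")
    if not 1 <= d < order:
        raise ValueError("scalar must lie in [1, n-1]")
    return d


def normalize_private_scalar(octets, order):
    """Re-pad a possibly short encoding to the fixed width: lenient read,
    strict write. This is the repair step when handing such a key to a strict
    consumer."""
    return encode_private_scalar_padded(decode_private_scalar(octets, order, strict=False), order)


def short_encoding_probability(order):
    """Exact fraction of scalars in [1, n-1] whose minimal encoding is at least
    one byte short, i.e. whose top byte is zero: those below 2^(8*(w-1))."""
    width = scalar_byte_length(order)
    threshold = 1 << (8 * (width - 1))
    short_count = min(threshold, order) - 1  # scalars 1 .. threshold-1
    return short_count / (order - 1)


def random_key_roundtrip(order):
    """Generate a scalar, write it both ways, and record how a strict reader
    reacts to the minimal form and what a lenient reader recovers from it."""
    d = 1 + secrets.randbelow(order - 1)
    padded = encode_private_scalar_padded(d, order)
    minimal = encode_private_scalar_minimal(d, order)
    strict_accepts_minimal = True
    try:
        decode_private_scalar(minimal, order, strict=True)
    except ValueError:
        strict_accepts_minimal = False
    return {
        "scalar": d,
        "padded_len": len(padded),
        "minimal_len": len(minimal),
        "strict_accepts_minimal": strict_accepts_minimal,
        "lenient_value": decode_private_scalar(minimal, order, strict=False),
    }


if __name__ == "__main__":
    d = 0x123456  # the thread's toy value; a real key fills nearly all 32 bytes
    print("padded :", encode_private_scalar_padded(d, P256_ORDER).hex())
    print("minimal:", encode_private_scalar_minimal(d, P256_ORDER).hex())
    print(f"P(short encoding) on P-256 = {short_encoding_probability(P256_ORDER):.9f}")
    print(random_key_roundtrip(P256_ORDER))
```

`short_encoding_probability` generalises the thread's "a few will be three bytes long" remark to any curve: for P-256, whose order starts with 0xFF, the minimal form is short for almost exactly one key in 256, which is why a strict parser on the receiving side fails rarely but predictably, at key-load time rather than per connection. The lenient reader still enforces the range check, so tolerance for missing leading zeros costs nothing in validation.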

~~~
hannob
Ah okay. Thanks for that correction, that makes any security implications
beyond "something doesn't work/start at all" even more unlikely.

------
beagle3
key _serialization_; fixing the headline would make this much less linkbaity.

~~~
tptacek
I flagged the story for the same reason. It'd be one thing if it were actually
interesting, but obviously it's on the front page because people are reacting
to the headline.

