[botan-devel] Security Notification: Botan 1.10.8 + 1.11.9 released

William K. Foster wkf at alum.mit.edu
Mon Apr 14 16:55:09 EDT 2014


This is missing the patch to the end of the file
src/entropy/dev_random/dev_random.cpp:

         if (got > 0) // Fix rare bug per email from Jack Lloyd 6-Feb-14.
           {
             accum.add(&io_buffer[0], got, ENTROPY_BITS_PER_BYTE);
           }


On Thu, Apr 10, 2014 at 5:10 PM, Jack Lloyd <lloyd at randombit.net> wrote:

>
> I've released new versions of Botan (1.10.8 and 1.11.9) fixing a serious
> bug in
> prime testing. A change in version 1.8.3 resulted in Miller-Rabin primality
> tests being done with a single random base rather than a sequence of such
> bases. Miller-Rabin is a probabilistic algorithm where the rate of failure
> (classifying a non-prime as prime) decreases as iterations increase, so
> having
> a single test is more or less the worst case scenario.
>
> What are the actual effects of this bug? There are two major cases:
> generating
> a new RSA key (or DSA or DH parameters), and testing an untrusted DH group
> provided by a third party (for instance during TLS DHE key exchange, where
> the
> server hands the client an arbitrary DH group). RSA generation should be
> safe;
> a proof (in http://www.math.dartmouth.edu/~carlp/PDF/paper88.pdf) shows
> that
> for *randomly* chosen n the probability of a false accept is quite low and
> and
> decreases rapidly as the size of the number increases, for instance with
> randomly chosen 600 bit numbers even a single test should fail no more
> often
> than 2^-75. In addition newly generated RSA keys are automatically checked
> for
> consistency (including checking the primes, meaning a second Miller-Rabin
> test), so in the event that a key was created with a non-prime factor, the
> self
> test would with high probability fail and the constructor would throw an
> exception.
>
> The case of DH parameter verification is rather bleaker, as obviously the
> value
> is chosen by the attacker, so about the best we can hope for is the base
> 3-in-4
> detection rate of Miller-Rabin: that is, 75% of the time we would detect
> this
> invalid prime, and 25% of the time we would not, and accept a composite as
> prime.
>
> I would like to thank Jeff Marrison for finding and reporting this issue.
>
> The only other change in 1.10.8 is a modification for HMAC, which now
> accepts
> keys as large as 512 bytes. This is primarily so PBKDF2 can accept very
> long
> passphrases.
>
> 1.11.9 has some changes to PKIX path validation; when validating we return
> a
> set of all the errors with the most severe error being provided as the
> primary
> result. This prevents a seemingly innocuous error (such as an expired
> certificate) from hiding an obviously serious error (such as an invalid
> signature). A bug that prevented OCSP from working with some common
> responders
> was also fixed. And implementations of HMAC_DRBG and the RFC 6979
> deterministic
> nonce generator were added.
>
> As always download links are at http://botan.randombit.net/download.html
>
> My apologies on the mess. From the events of this week it appears I'm at
> least
> in good company.
>
> Jack
> _______________________________________________
> botan-devel mailing list
> botan-devel at randombit.net
> http://lists.randombit.net/mailman/listinfo/botan-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20140414/7e096ccd/attachment.html>


More information about the botan-devel mailing list