Re: Using set_serial to control serial number size directly

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 08/21/2017 09:20 AM, Salz, Rich via openssl-users wrote:
     But in doing this, I can't figure out if there is a risk on serial
     number size for a root CA cert as there is for any other cert.

I don’t understand what attack you are concerned about, but the size of the serial number should not matter for *any* certificate.

This whole subject is tied into the substitution attack found with using an MD5 hash where you could change some things in the cert and still have a valid cert. The solution, besides dropping MD5, was to include a crypto random number in the beginning of the cert, and the serial was chosen for this sacrifice. Thus how large does this random number have to be to defend against this attack? is 8 octets enough or is 20 needed?

This is to make another valid cert with a different keypair. OK, I get this for a cert signed by an issuer. But the root issuer? I don't see the attack. Thus no need to push the root cert's serial to 20 octets.

I know I am a little cavalier in describing the attack, but that was the basic point of why to move away from sequential serials to random and what size (though there are other things about CAs that can be discovered by analyzing the sequential serial numbers they used).

Meanwhile, I was wrong that -set_serial works with 'openssl ca'. The man page was talking about in conjunction with the -CA option. With 'openssl ca' use of the serial file is mandatory according to the man page. There are no command line options for it.

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux