[Bug 1461834] Re: 1024-bit signing keys should be deprecated
Bob Freeman
bobfreeman at nycmail.com
Sat May 6 15:54:04 UTC 2017
Updates usually run automatically in the background, including from
PPAs, and are unencrypted. This means a man-in-the-middle can gain root
access, just by inserting their own version of one of the packages into
this network traffic, because updates run as root. They can first obtain
the public 1024 bit key from the PPA, then spend as long as they want
working out the private key, then sign their false updates with the real
private key.
A bug that allows complete compromise of most Ubuntu machines without
requiring any user involvement is a very serious bug. Why hasn't this
even been assigned to anyone, nearly 2 years after it was reported?
This makes many PPAs unusable.
https://en.wikipedia.org/wiki/Key_size#Asymmetric_algorithm_key_lengths
'RSA claims that 1024-bit keys are likely to become crackable some time between 2006 and 2010'
https://www.symantec.com/page.jsp?id=1024-bit-migration-faq#issue
In compliance with Certification Authority/Browser forum requirements based on NIST Special Publication 800-131A, at the end of 2013 all web browsers and Certification Authorities (CAs) will no longer sell or support 1024-bit RSA certificates. All certificates less than 2048-bit key length will need to be revoked and replaced with certificates with a higher encryption strength.
Network connections are secured with at least 2048 bits. Installing
software allows root access and should probably be secured with at least
4096 bits.
Any system using keys has to have a way to change to a new key, that's a basic requirement.
You could force all 1024 bit keys to 4096 bits - this might break existing updates, but they are already 'broken' by being vulnerable. Or sign with 2 keys, so a new subscriber will only use the newer one, but old subscribers who don't do anything about it will still use the old key. Or re-issue the entire PPA namespace, ie ppa2:... Or do some other such thing, eg update the client to include a newer protocol version number in its requests.
A simple workaround for launchpad to apply would be to change the urls
in files in /etc/apt/sources.list.d/ to use https://ppa.launchpad.net/
instead of http://ppa.launchpad.net/ (and change the server to support
it). This would only need to be done for any PPA still using a 1024 bit
key. Then at least the packages would be authenticated by TLS, which
already uses 2048 bit keys.
** Also affects: launchpad
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1461834
Title:
1024-bit signing keys should be deprecated
Status in Launchpad itself:
New
Status in apt package in Ubuntu:
Confirmed
Bug description:
1024-bit RSA was deprecated years ago by NIST[1], Microsoft[2] and
more recently by others[3].
1024-bit signing keys are insufficient to guarantee the authenticity
of software distributed from Launchpad.net including PPAs. There
should be a mechanism to refuse signing keys below a minimum key
length based on key type. 1024-bit signing keys should be deprecated
and removed from Launchpad.net itself ASAP. Future projects and PPAs
should be disallowed from using 1024-bit signing keys.
1. http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
2. http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
3. https://threatpost.com/mozilla-1024-bit-cert-deprecation-leaves-107000-sites-untrusted/108114
To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1461834/+subscriptions
More information about the foundations-bugs
mailing list