Akamai Diversity

The Akamai Blog

Heartbleed Update (v3)

Over the weekend, an independent security researcher contacted Akamai about some defects in the software we use for memory allocation around SSL keys.  We discussed Friday how we believed this had provided our SSL keys with protection against Heartbleed and had contributed the code back to the community.  The code that we had contributed back was, as we noted, not a full patch, but would be a starting point for improving the openssl codebase.
In short: we had a bug.  An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others.  In particular, we only try to protect d, p, and q, but not d mod (p-1), d mod (q-1), or q^{-1} mod p.  These intermediate extra values (the Chinese Remainder Theorem, or CRT, values) are calculated at key-generation time as a performance improvement. As the CRT values were not stored in the secure memory area, the possibility exists that these critical values for the SSL keys could have been exposed to an adversary exploiting the Heartbleed vulnerability.  Given any CRT value, it is possible to calculate all 6 critical values.
As a result, we have begun the process of rotating all customer SSL keys/certificates.  Some of these certificates will quickly rotate; some require extra validation with the certificate authorities and may take longer. 
In parallel, we are evaluating the other claims made by the researcher, to understand what actions we can take to improve our customer protection.

3 Comments

So in short even if you are protecting the d, p and q you can still calculate all 6 critical values ?

Kudos for not only acknowledging but also directly linking to Willem Pinckaers' critical piece.

Kudos for the openness in acknowledging this issue.
Perhaps it would have been a nice touch to also openly credit the "independent security researcher" fro his/her help?

Leave a comment