RavenDB Security ReportCollision in Certificate Serial Numbers
This issue in the RavenDB Security Report is pretty simple, when we generate a certificate, we need to generate a certificate serial number. We were using a random number that is 64 bits in length, but that is too small. The problem is the birthday attack. For a 64 bits number, you only need about 5 billion attempts to generate a collision. In modern cryptography, that is actually a very low security threshold.
So we fixed it and used a random value that is 20 bytes in length. Or so we thought. This single issue is worth the trouble of publicly discussing the security report. As it turned out, I didn’t read the API docs properly and used this construction:
new BigInteger(20, random);
Where the random is a cryptographically secured random number generator. The problem here is that this BigInteger constructor uses bits length, not bytes length. And that resulted in a security “fix” that actually much worse than the previous situation (you only need a bit over a thousand tries to generate a collision). This has already been fixed, obviously, but I’m very happy that it was caught.
More posts in "RavenDB Security Report" series:
- (06 Apr 2018) Collision in Certificate Serial Numbers
- (05 Apr 2018) Man in the middle for customer domains
- (04 Apr 2018) Non-high Strength RSA Keys
- (30 Mar 2018) Inconsistent Use of KDF and Master Key
- (29 Mar 2018) Redundant or Missing Authentication

Comments
Comment preview