View Issue Details

IDProjectCategoryView StatusLast Update
0000444bareos-core[All Projects] installer / packagespublic2015-09-01 11:10
ReporteraefAssigned Tomaik 
PrioritynormalSeveritymajorReproducibilityhave not tried
Status resolvedResolutionfixed 
Platformx86_64OSDebian GNU/LinuxOS Version7 "Wheezy"
Product Version 
Fixed in Version 
Summary0000444: OpenPGP certificate for the release repository is too weak.
DescriptionThe OpenPGP certificate used for signatures on the release repository for Debian systems features an RSA keypair of insufficient length (1024 bit).

I recommend replacing the current certificate with an RSA keypair of at least 3072 bit length. The Debian operating system uses 4096 bit RSA keypairs to secure its own repositories at least since the release of Debian 7 "Wheezy" in 2013.
Additional InformationIn the introduction of their report on "Factorization of a 768-Bit RSA Modulus" in 2010, Thorsten Kleinjung et al. stated the following:

"The Because the factorization of a 512-bit RSA modulus was first reported in 1999, it is not unreasonable to expect that 1024-bit RSA moduli can be factored well within the next decade by a similar academic effort. Thus, it would be prudent to phase out usage of 1024-bit RSA within the next three to four years." (so between 2013 and 2014, Source: https://eprint.iacr.org/2010/006.pdf )

The "Algorithms, Key Sizes and Parameters Report" by the European Union Agency for Network and Information Security (ENISA), released in November 2014, recommends RSA key sizes of 3072 bit length for short term usage (until about 2023). ( Source: https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-size-and-parameters-report-2014 )

The German "Bundesnetzagentur" in their "Algorithmenkatalog" of 2013 recommends RSA keys of at least 2048 bit length to be secure until 2019. ( Source: https://www.bundesnetzagentur.de/SharedDocs/Downloads/DE/Sachgebiete/QES/Veroeffentlichungen/Algorithmen/2013Algorithmenkatalog.pdf?__blob=publicationFile&v=1 )

The German "Bundesamt für Sicherheit in der Informationstechnik" (BSI) in 2015 states a current minimum RSA key length of 2000 bits. Also it is stated, that starting in 2017 it is planned to recommend the removal of all RSA key sizes lower than 3000 bit. (Source: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102_pdf.pdf?__blob=publicationFile )
TagsNo tags attached.
bareos-master: impactyes
bareos-master: actionwill care
bareos-19.2: impact
bareos-19.2: action
bareos-18.2: impact
bareos-18.2: action
bareos-17.2: impact
bareos-17.2: action
bareos-16.2: impact
bareos-16.2: action
bareos-15.2: impactyes
bareos-15.2: actionfixed
bareos-14.2: impactyes
bareos-14.2: actionnone
bareos-13.2: impactyes
bareos-13.2: actionnone
bareos-12.4: impactyes
bareos-12.4: actionnone

Relationships

child of 0000501 closedmaik bareos-core Release bareos-15.2.1 

Activities

aef

aef

2015-03-24 03:33

reporter   ~0001334

Here the certificate data:

pub 1024D/0x7A855ABDE0F8EFD4 2013-02-10 [expires: 2017-02-26]
      Key fingerprint = 2FC0 4F7E 3421 E21B 70F3 231F 7A85 5ABD E0F8 EFD4
uid bareos OBS Project <bareos@obs.bareos.org>
joergs

joergs

2015-04-07 18:41

administrator   ~0001680

Maik, while changing the signing key now might cause trouble, we should at least create a more secure signing key for the bareos-15.2 release.
joergs

joergs

2015-08-31 12:43

administrator   ~0001816

bareos-15.2 will be signed with:

pub 4096R/093BFBA2 2015-08-24 [expires: 2021-02-13]
      Key fingerprint = 0143 857D 9CE8 C2D1 82FE 2631 F93C 028C 093B FBA2
uid Bareos Packaging Signing Key <signing@bareos.com>

Key information are available at http://www.bareos.org/en/download.html
and the key is uploaded to various key servers:
https://sks-keyservers.net/pks/lookup?op=vindex&search=signing@bareos.com

Issue History

Date Modified Username Field Change
2015-03-24 03:29 aef New Issue
2015-03-24 03:33 aef Note Added: 0001334
2015-03-25 16:42 joergs Status new => acknowledged
2015-04-07 18:40 joergs Assigned To => maik
2015-04-07 18:40 joergs Status acknowledged => assigned
2015-04-07 18:41 joergs Note Added: 0001680
2015-08-10 14:36 maik Relationship added child of 0000501
2015-08-10 14:38 maik bareos-master: impact => yes
2015-08-10 14:38 maik bareos-master: action => will care
2015-08-10 14:38 maik bareos-14.2: action => none
2015-08-10 14:38 maik bareos-13.2: impact => yes
2015-08-10 14:38 maik bareos-13.2: action => none
2015-08-10 14:38 maik bareos-12.4: impact => yes
2015-08-10 14:38 maik bareos-12.4: action => none
2015-08-10 14:38 maik bareos-15.2: action => will care
2015-08-10 14:38 maik bareos-15.2: impact => yes
2015-08-31 12:43 joergs Note Added: 0001816
2015-09-01 11:10 joergs bareos-14.2: impact => yes
2015-09-01 11:10 joergs bareos-15.2: action will care => fixed
2015-09-01 11:10 joergs Status assigned => resolved
2015-09-01 11:10 joergs Resolution open => fixed