Priv key compromised?

In another forum (haproxy) I posted an excerpt of a fullchain.pem file containing pieces of the actual certs, but I obfuscated the posted text by deleting a couple of lines and x'ing out parts of a line in an ec256 private key.

Now someone there told me that I exposed my private key to the public and I'd better revoke it.

What I did was to overwrite 32 characters of the middle of the three lines of the ec256 private key.
Would that be too dangerous?

If you didn't completely obfuscate the private key then yes, possibly.

3 Likes

Yes. There's usually no reason to even look at a private key.

4 Likes

If you didn't completely obfuscate the private key then yes, possibly.
This is what I get from the acme.sh --list command.
Can I selectively revoke the ec-256 certificate?

```
acme@mail:~/$ acme.sh --list
Main_Domain       KeyLength  SAN_Domains                                                                             CA           Created               Renew
www.mydomain.org  "2048"     cms.mydomain.org,other.de,mail.mydomain.org,imap.mydomain.org,smtp.mydomain.org  ZeroSSL.com  2023-11-11T10:28:08Z  2024-01-09T10:28:08Z
www.mydomain.org  "ec-256"   cms.mydomain.org,other.de,mail.mydomain.org,imap.mydomain.org,smtp.mydomain.org  ZeroSSL.com  2023-11-11T10:00:06Z  2024-01-09T10:00:06Z
acme@mail:~/$
```

Personally I'd say, find my key from this and I'll give you $500. Yes you can revoke an individual cert and then request a new one. I assume acme.sh uses a new key every time but best check.

2 Likes

I'd say:

  • revoke
  • remove completely [including cert(s), key(s), csr(s)]
  • get a new one

4 Likes

What do you mean by "no reason to look at the private key"?
HAPROXY requires having the private key together with the fullchain in one file.

I mean there is no reason for human eyes to ever see the private key.

You can concatenate key and fullchain without looking at them, using cat. (cat file1 file2 > fileboth)

4 Likes

@9peppe : Sure. Misunderstood you. The concatenation is already done by the deploy-hook script of haproxy.

1 Like

By default acme.sh reuses keypairs on renewal, unless --always-force-new-domain-key is given.

If you blanked the exact middle 32 base64 characters of those three lines each**, you leaked approximately 69-77% of your private key*, which still leaves ~60-80 bits of unknown data approximately. Even if we only consider a (fairly naive) baby-step giant-step brute force (or alternatively, Pollard's kangaroo), this leaves at most 2^40 computation steps (and this is without even thinking about much faster attacks), so yes, I would consider that key to be 100% broken and disclosed.

*You can calculate this exactly, I only made a rough estimate by looking at entire base64 characters only.
**If you only blanked the middle line, you leaked 100% of the private key. For p256 keys, the first base64 line contains the entire key (+ more).

Never mind, I swapped the numbers in my head. You blanked ~69-77% of the key, not the other way around. The above computation is wrong in that case. Anyway, I would still revoke and replace that key.

7 Likes
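
The post above notes that the leaked fraction can be calculated exactly. This is an added example, not part of the original thread, that does the calculation. It assumes the key was an unencrypted SEC1 `EC PRIVATE KEY` PEM for P-256 as OpenSSL writes it, and the column ranges are constructed for the two readings of "middle 32 characters".

```python
# Assumption (not stated in the thread): the key is an unencrypted SEC1
# "EC PRIVATE KEY" for P-256 as OpenSSL writes it. Its 121 DER bytes start
# with the header 30 77 02 01 01 04 20; bytes 7-38 are the 32-byte private
# scalar; the curve OID and the public point follow. Base64 gives 164
# characters, i.e. PEM lines of 64, 64 and 36 characters.
SCALAR_FIRST_BYTE = 7
SCALAR_LEN = 32
LINE_WIDTH = 64  # base64 characters per full PEM line


def scalar_bits_hidden(redacted):
    """Return how many private-scalar bits the redaction covers.

    `redacted` holds (line, first_col, last_col) tuples, 0-based and
    inclusive, naming the base64 characters that were overwritten.
    """
    lo = SCALAR_FIRST_BYTE * 8
    hi = lo + SCALAR_LEN * 8  # the scalar occupies DER bits [lo, hi)
    hidden = set()
    for line, first, last in redacted:
        for col in range(first, last + 1):
            start = (line * LINE_WIDTH + col) * 6  # 6 bits per character
            hidden.update(b for b in range(start, start + 6) if lo <= b < hi)
    return len(hidden)


def report(name, redacted):
    """Print and return (hidden, exposed) scalar bit counts."""
    hidden = scalar_bits_hidden(redacted)
    exposed = SCALAR_LEN * 8 - hidden
    print(f"{name}: {hidden} of 256 scalar bits hidden, {exposed} exposed")
    return hidden, exposed


# Constructed column ranges for the two readings of "middle 32 characters".
EACH_LINE = [(0, 16, 47), (1, 16, 47), (2, 2, 33)]  # middle 32 of every line
MIDDLE_LINE_ONLY = [(1, 16, 47)]                    # middle 32 of line 2 only

if __name__ == "__main__":
    report("middle 32 characters of each line", EACH_LINE)
    report("middle 32 characters of the middle line only", MIDDLE_LINE_ONLY)
```

Under these assumptions the first reading hides 192 of the 256 scalar bits (75%) and the second hides none, which agrees with the corrected estimate and with the second footnote in the post above.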

You say, "acme.sh reuses keypairs on renewal".

Renewal is the process of getting updated certificates.

```
acme.sh --revoke -d www.mydomain.org -k ec-256
```

(the priv key in question was the ec-256 one)

So I'd guess I'm on the safe side?

Unfortunately acme.sh does not appear to have code to disable the reuse of a private key, even if it was revoked. I believe you can remove the private key + CSR from acme.sh's config directory to force the use of a new key on the next renewal.

(revoke code is here)

3 Likes

Luckily Let's Encrypt would refuse to issue a certificate with a key pair if a previous cert with that key pair was revoked with "keyCompromise" as revocation reason. See Revoking Certificates - Let's Encrypt

Not sure how acme.sh works in that regard.

2 Likes

So, is there a master revoked key [or key hash] list?

2 Likes

Yes. 

2 Likes

Yes

4 Likes

@aarongable
And it contains revoke information from which CA(s)?

2 Likes

Let's Encrypt itself.

1 Like

Then the case exists that one can revoke a cert from another CA and continue using that same key with LE?

2 Likes

Yes, I think so. I don't think CAs are required to consult each other's known-compromised key lists, it's just that if a CA learns about a compromised key they need to revoke it and block it from future use.

There are sites like pwnedkeys which try to track known-compromised keys, but I don't think Let's Encrypt (or other CAs) regularly consult those kinds of services. (Those services sometimes will use ACME to revoke certificates if they find one in the wild, though.)

5 Likes