[sf-lug] For all those running Debian or derivatives like Ubuntu

Kristian Erik Hermansen kristian.hermansen at gmail.com
Tue May 13 12:44:09 PDT 2008


Surely the attacker's opportunity would have been during key creation,
right?  Let's say you have an isolated system not connected to the net
and you generate an ssl key. You then wipe the box but continue using
the key you generated. Is your key compromised?



On 5/13/08, Tom Haddon <tom at greenleaftech.net> wrote:
> On Tue, 2008-05-13 at 10:47 -0700, Kristian Erik Hermansen wrote:
> > Some people are probably having an "oh shit" moment.  However, I
> > presume that the random seed would need to have been captured in
> > real-time while you were creating your encryption keys?  I haven't
> > looked into it in depth, but I'll keep my ears open for new
> > developments...interesting
>
> Unfortunately not:
>
> "Luciano Bello discovered that the random number generator in Debian's
> openssl package is predictable. This is caused by an incorrect
> Debian-specific change to the openssl package (CVE-2008-0166). As a
> result, cryptographic key material may be guessable."
>
> In other words, any key created during the time this vulnerability was
> in place should be replaced.
>
> Thanks, Tom
>
> >
> >
> >
> > On 5/13/08, Ernest De Leon <edeleonjr at gmail.com> wrote:
> > > http://www.smbtechadvice.com/2008/05/debian-security-advisory-openssl.html
> > >
> > >
> > > --
> > > Ernest de Leon
> > > http://www.smbtechadvice.com
> > >
> > > "They who can give up essential liberty to obtain a little temporary safety
> > > deserve neither liberty nor safety." - A common 18th Century sentiment
> > > voiced by Benjamin Franklin
> > > voiced by Benjamin Franklin
> > >
> > > "A patriot must always be ready to defend his country against his
> > > government." - Edward Abbey
> > >
> > > "All that is necessary for evil to triumph is for good men to do nothing." -
> > > Edmund Burke, English statesman and political philosopher (1729-1797)
> > >
> >
>
>

-- 
Sent from Gmail for mobile | mobile.google.com

Kristian Erik Hermansen
--
"When you share your joys you double them; when you share your sorrows
you halve them."
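
Added example, not part of the original thread: a simplified Python model of why a key generated on an isolated, later-wiped machine still falls under "should be replaced". It assumes the publicly documented cause of CVE-2008-0166, that the process ID was effectively the only varying input to the generator; toy_keygen and the other names are hypothetical stand-ins, not OpenSSL code.

```python
import hashlib
import os

PID_MAX = 32768  # default Linux pid_max: usable PIDs are 1..32767


def toy_keygen(pid, key_type="rsa-2048"):
    """Stand-in for key generation whose only varying input is the PID.

    Not OpenSSL's algorithm. It models one property only: the same
    (key type, PID) pair always produces the same key material.
    """
    return hashlib.sha256(f"{key_type}:{pid}".encode()).digest()


def fingerprint(key):
    """Short identifier for a key, as an audit tool would store it."""
    return hashlib.sha256(key).hexdigest()[:32]


def build_blocklist(key_type="rsa-2048"):
    """Every key the weak generator can ever emit for this key type.

    Nobody has to observe the victim: the list is computed in advance
    on any machine, which is why being offline at creation does not help.
    """
    return {fingerprint(toy_keygen(pid, key_type)) for pid in range(1, PID_MAX)}


def is_weak(key, blocklist):
    """Audit check: does this key belong to the enumerable set?"""
    return fingerprint(key) in blocklist


if __name__ == "__main__":
    blocklist = build_blocklist()
    # Constructed sample: key made on an air-gapped box that was later wiped.
    offline_key = toy_keygen(pid=4242)
    # Constructed sample: key material from a properly seeded source.
    healthy_key = os.urandom(32)
    print("candidate keys:", len(blocklist))
    print("offline key flagged:", is_weak(offline_key, blocklist))
    print("healthy key flagged:", is_weak(healthy_key, blocklist))
```

The audit depends only on the key itself, so it applies equally to keys that were copied to other systems after the generating host was patched or destroyed.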



