[sf-lug] For all those running Debian or derivatives like Ubuntu

Tom Haddon tom at greenleaftech.net
Tue May 13 12:49:45 PDT 2008


On Tue, 2008-05-13 at 12:44 -0700, Kristian Erik Hermansen wrote:
> Surely the attacker's opportunity would have been during key creation,
> right?  Let's say you have an isolated system not connected to the net
> and you generate an ssl key. You then wipe the box but continue using
> the key you generated.   Is your key compromised?
> 

Yes, because the random number generator was weak, which means that the
keys aren't as random as they should be. From the Ubuntu advisory:

"As a result of this weakness, certain encryption keys are much more
common than they should be, such that an attacker could guess the key
through a brute-force attack given minimal knowledge of the system. This
particularly affects the use of encryption keys in OpenSSH, OpenVPN and
SSL certificates."[1]

http://www.ubuntu.com/usn/usn-612-1

Thanks, Tom



> 
> 
> On 5/13/08, Tom Haddon <tom at greenleaftech.net> wrote:
> > On Tue, 2008-05-13 at 10:47 -0700, Kristian Erik Hermansen wrote:
> > > Some people are probably having an "oh shit" moment.  However, I
> > > presume that the random seed would need to have been captured in
> > > real-time while you were creating your encryption keys?  I haven't
> > > looked into it in depth, but I'll keep my ears open for new
> > > developments...interesting
> >
> > Unfortunately not:
> >
> > "Luciano Bello discovered that the random number generator in Debian's
> > openssl package is predictable. This is caused by an incorrect
> > Debian-specific change to the openssl package (CVE-2008-0166). As a
> > result, cryptographic key material may be guessable."
> >
> > In other words, any key created during the time this vulnerability was
> > in place should be replaced.
> >
> > Thanks, Tom
> >
> > >
> > >
> > >
> > > On 5/13/08, Ernest De Leon <edeleonjr at gmail.com> wrote:
> > > >
> > > > http://www.smbtechadvice.com/2008/05/debian-security-advisory-openssl.html
> > > >
> > > >
> > > > --
> > > > Ernest de Leon
> > > > http://www.smbtechadvice.com
> > > >
> > > > "They who can give up essential liberty to obtain a little temporary safety
> > > > deserve neither liberty nor safety." - A common 18th Century sentiment
> > > > voiced by Benjamin Franklin
> > > >
> > > > "A patriot must always be ready to defend his country against his
> > > > government." - Edward Abbey
> > > >
> > > > "All that is necessary for evil to triumph is for good men to do nothing." -
> > > > Edmund Burke, English statesman and political philosopher (1729-1797)
> > > >
> > >
> >
> >
> 
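The point Tom makes above (that an air-gapped box does not help, because the key space itself is tiny) can be shown with a toy model. The following is an added example, not code from the thread or from Debian's openssl package: it assumes, as was the case with CVE-2008-0166, that the broken generator's only varying input was the process ID (at most 32768 values on the Linux kernels of the time), and it stands in a hash for the real RSA/DSA key derivation. The audit function mirrors the approach of the openssh-blacklist / ssh-vulnkey tooling that shipped with the fix: enumerate every possible output once, then check existing keys against that table.

```python
"""Toy model of the Debian weak-RNG bug, constructed for illustration.

The broken package stopped mixing real entropy into its PRNG, leaving the
process ID as the only varying input.  Every key is therefore a deterministic
function of the PID alone, and anyone can enumerate the whole key space
offline without ever observing the machine that generated the key.
"""
import hashlib
import math
import os

MAX_PID = 32768    # pid_max default on 2008-era Linux: the only "entropy" left
KEY_BYTES = 16     # toy key length; real keys were RSA/DSA, the principle is the same


def weak_keygen(pid: int) -> bytes:
    """Model of the broken generator: output depends on nothing but the PID."""
    if not 1 <= pid < MAX_PID:
        raise ValueError("pid out of range")
    # Hypothetical derivation standing in for the real key generation.
    return hashlib.sha256(b"toy-weak-rng|" + pid.to_bytes(4, "big")).digest()[:KEY_BYTES]


def good_keygen() -> bytes:
    """Model of a correct generator: fresh entropy from the operating system."""
    return os.urandom(KEY_BYTES)


def build_weak_key_table() -> dict:
    """Precompute every key the broken generator can produce, keyed by key bytes.

    This is the blacklist idea: 32767 entries are trivial to generate once,
    after which auditing a key is a single lookup.
    """
    return {weak_keygen(pid): pid for pid in range(1, MAX_PID)}


def audit_key(key: bytes, table: dict) -> tuple:
    """Return (is_weak, pid_that_produced_it_or_None) for a key under audit."""
    pid = table.get(key)
    return (pid is not None, pid)


def keyspace_sizes() -> tuple:
    """Nominal key space vs. the number of keys the broken generator can emit."""
    return (2 ** (KEY_BYTES * 8), MAX_PID - 1)


def lost_entropy_bits() -> float:
    """How many bits of key strength the bug threw away, in the toy model."""
    nominal, actual = keyspace_sizes()
    return math.log2(nominal) - math.log2(actual)


if __name__ == "__main__":
    table = build_weak_key_table()
    # Constructed scenario: key made on an isolated machine (PID 4242), box wiped afterwards.
    isolated_box_key = weak_keygen(4242)
    print("key from the wiped, isolated box:", audit_key(isolated_box_key, table))
    print("key from a correct generator:    ", audit_key(good_keygen(), table))
    nominal, actual = keyspace_sizes()
    print(f"nominal key space 2^{KEY_BYTES * 8}, actual candidates {actual}, "
          f"about {lost_entropy_bits():.0f} bits of strength lost")
```

The lookup succeeds for the isolated box's key because isolation never entered into it: the key was chosen from a set of 32767 candidates, and that set is the same for everyone. Replacing every key generated while the bug was in place, as Tom says, is the only remedy.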