[sf-lug] For all those running Debian or derivatives like Ubuntu

Ernest De Leon edeleonjr at gmail.com
Tue May 13 14:24:13 PDT 2008


Exactly...I don't think this is an issue of compromise during generation so
much as by a brute force attack.

E

On Tue, May 13, 2008 at 12:49 PM, Tom Haddon <tom at greenleaftech.net> wrote:

> On Tue, 2008-05-13 at 12:44 -0700, Kristian Erik Hermansen wrote:
> > Surely the attacker's opportunity would have been during key creation,
> > right?  Let's say you have an isolated system not connected to the net
> > and you generate an ssl key. You then wipe the box but continue using
> > the key you generated.   Is your key compromised?
> >
>
> Yes, because the random number generator was weak which means that the
> keys aren't as random as they should be. From the Ubuntu advisory:
>
> "As a result of this weakness, certain encryption keys are much more
> common than they should be, such that an attacker could guess the key
> through a brute-force attack given minimal knowledge of the system. This
> particularly affects the use of encryption keys in OpenSSH, OpenVPN and
> SSL certificates."[1]
>
> http://www.ubuntu.com/usn/usn-612-1
>
> Thanks, Tom
>
>
>
> >
> >
> > On 5/13/08, Tom Haddon <tom at greenleaftech.net> wrote:
> > > On Tue, 2008-05-13 at 10:47 -0700, Kristian Erik Hermansen wrote:
> > > > Some people are probably having an "oh shit" moment.  However, I
> > > > presume that the random seed would need to have been captured in
> > > > real-time while you were creating your encryption keys?  I haven't
> > > > looked into it in depth, but I'll keep my ears open for new
> > > > developments...interesting
> > >
> > > Unfortunately not:
> > >
> > > "Luciano Bello discovered that the random number generator in Debian's
> > > openssl package is predictable. This is caused by an incorrect
> > > Debian-specific change to the openssl package (CVE-2008-0166). As a
> > > result, cryptographic key material may be guessable."
> > >
> > > In other words, any key created during the time this vulnerability was
> > > in place should be replaced.
> > >
> > > Thanks, Tom
> > >
> > > >
> > > >
> > > >
> > > > On 5/13/08, Ernest De Leon <edeleonjr at gmail.com> wrote:
> > > > >
> > > > > http://www.smbtechadvice.com/2008/05/debian-security-advisory-openssl.html


-- 
Ernest de Leon
http://www.smbtechadvice.com

"They who can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety." - A common 18th Century sentiment
voiced by Benjamin Franklin

"A patriot must always be ready to defend his country against his
government." - Edward Abbey

"All that is necessary for evil to triumph is for good men to do nothing." -
Edmund Burke, English statesman and political philosopher (1729-1797)
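To make Tom's point concrete (the key is guessable no matter how isolated the box that generated it), here is an added toy model, not code from the thread, from Debian or from OpenSSL: a generator whose only entropy is the process ID, as in the CVE-2008-0166 package. Enumerating every possible PID yields the complete set of keys the generator can ever produce, which is how a blocklist of weak fingerprints is built and checked; `toy_keygen`, the 16-byte "key" and the PID range are simplifying assumptions.

```python
import hashlib
import os
import random

# Assumption: PIDs run 1..32767, the Linux default pid_max of the era.
PID_MAX = 32768


def toy_keygen(pid: int, key_bytes: int = 16) -> bytes:
    """Model of the crippled generator: the PID is the only value mixed
    into the pool, so the "key" is a pure function of pid. (Toy model;
    the real bug affected OpenSSL's RAND pool, not a Mersenne Twister.)"""
    rng = random.Random(pid)
    return bytes(rng.getrandbits(8) for _ in range(key_bytes))


def strong_key(key_bytes: int = 16) -> bytes:
    """Key from a generator fed by the OS entropy pool, for comparison."""
    return os.urandom(key_bytes)


def fingerprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()


def build_blocklist(pid_max: int = PID_MAX) -> dict:
    """Walk every seed the broken generator could have used and record the
    fingerprint of the key it yields. This is the defender's side of the
    brute force the advisory describes: the whole key space fits in memory."""
    return {fingerprint(toy_keygen(pid)): pid for pid in range(1, pid_max)}


def is_weak(key: bytes, blocklist: dict) -> bool:
    """True if the key is one the broken generator could have produced,
    regardless of where or when it was generated."""
    return fingerprint(key) in blocklist


def distinct_keys(pid_max: int = PID_MAX) -> int:
    """How many different keys the generator can produce at all."""
    return len({toy_keygen(pid) for pid in range(1, pid_max)})


if __name__ == "__main__":
    blocklist = build_blocklist()
    print("keys the broken generator can produce:", distinct_keys())
    print("air-gapped key (pid 4242) weak?", is_weak(toy_keygen(4242), blocklist))
    print("key from os.urandom weak?", is_weak(strong_key(), blocklist))
```

An unwiped-but-isolated box makes no difference here: the key produced under PID 4242 is in the blocklist whether or not the machine still exists.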