Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166
Forum: All Things Unix (dslreports.com)


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA


reply to BeesTea
Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166

Actually, I think this is waffling on the use of the term "predictable", because in the random-number business it normally means that given one number produced by the RNG, one can compute, guess, or derive another number (the previous or the following number in the series).

When this is the case, it means that if I am on the system at the same time you're generating your SSH keys or SSL session, the random number I get will be computationally "close" to the random number you get, so I might be able to figure yours out.

My ability to exploit this vaporizes rapidly as the time difference between when I get my number and when you get yours increases - it requires contemporaneous access to the same RNG.

But in the Debian case, it appears to be a much worse kind of predictable: it instead means that the RNG is pulling from a too-small pool of possible numbers, and though I might not be able to determine the next or prior number in the sequence, the pool of available numbers is small enough that I can attempt to brute-force the RNGs that produced it.

I have not studied the particular use of random numbers in SSL or SSH, but this looks yucky: if I know or suspect that your key came from a vulnerable Debian system, I can make a fair run at figuring out the key and can therefore decode your SSL session. And maybe even your SSH private key. I don't need to have access to your server to exploit it.

This really smells like bad news.

Edit - You could understand this problem as similar to taking a good, valid random number and using only the lower 16 bits instead of whatever the normal size is (though I doubt the actual bug is implemented this way).

Steve — who is not an expert on this area, and might be full of baloney
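Steve's distinction above (a pool small enough to enumerate, versus a sequence where the next value follows from the last) is easy to see in a toy model. The Python below is an added example written for this page, not code from the thread, from Debian or from OpenSSL: a stand-in generator whose only entropy is a 16-bit seed (the "lower 16 bits" picture from the edit above), and the defender-side check that the Debian fix relied on, which is to enumerate every key the weak generator can emit into a fingerprint blacklist and test a given key against it. The generator, the fingerprint format and the sample keys are all constructed for the illustration; nothing here reproduces the real OpenSSL pool.

```python
import hashlib
import secrets

# Toy model (constructed for this example): the generator's only entropy is a
# 16-bit seed, so no matter how long the output key is, only 65536 distinct
# keys can ever come out of it.
SEED_BITS = 16
KEY_BYTES = 32


def weak_key(seed: int) -> bytes:
    """Derive a nominally 256-bit key whose real entropy is SEED_BITS bits."""
    if not 0 <= seed < (1 << SEED_BITS):
        raise ValueError("seed outside the toy generator's pool")
    # Hypothetical derivation: hash a fixed label plus the seed. Deterministic,
    # so the same seed always yields the same key (that is the whole problem).
    return hashlib.sha256(b"toy-prng|" + seed.to_bytes(2, "big")).digest()[:KEY_BYTES]


def strong_key() -> bytes:
    """A properly seeded key from the OS CSPRNG, for comparison."""
    return secrets.token_bytes(KEY_BYTES)


def fingerprint(key: bytes) -> bytes:
    """Short fingerprint used as the blacklist entry (first 16 bytes of SHA-256)."""
    return hashlib.sha256(key).digest()[:16]


def build_weak_fingerprints() -> frozenset:
    """Enumerate the whole pool once and keep a fingerprint of every possible key.

    This is the defender's view of "brute-force the RNG": walking 2**16 seeds
    costs a fraction of a second, which is exactly why a blacklist of every
    reachable key is feasible for the weak generator and impossible for a
    generator with a full-size seed.
    """
    return frozenset(fingerprint(weak_key(s)) for s in range(1 << SEED_BITS))


# Built once at import time so audits and tests can share it.
WEAK_BLACKLIST = build_weak_fingerprints()


def is_blacklisted(key: bytes, blacklist: frozenset = WEAK_BLACKLIST) -> bool:
    """True if the key is one the weak generator could have produced."""
    return fingerprint(key) in blacklist


def audit(keys: dict) -> dict:
    """Map each named key to True (weak, must be regenerated) or False (not in the pool)."""
    return {name: is_blacklisted(k) for name, k in keys.items()}


if __name__ == "__main__":
    # Constructed sample: two keys from the weak generator, one from a good source.
    sample = {
        "host-key-from-weak-box": weak_key(4242),
        "user-key-from-weak-box": weak_key(65535),
        "key-from-patched-box": strong_key(),
    }
    print(f"blacklist holds {len(WEAK_BLACKLIST)} fingerprints")
    for name, weak in audit(sample).items():
        print(f"{name}: {'WEAK - regenerate' if weak else 'ok'}")
```

The check works without any access to the machine that generated the key, which matches Steve's point: the defender only needs the public key and the precomputed list. Running the audit over every authorized_keys and host key after patching the generator is the mitigation; patching alone does not retire keys that were already produced from the small pool.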


BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
That's the attack as I understand it exactly. Thanks!


deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE

Thanks for the info.

Just stumbled upon this. Interesting point, not sure I entirely agree with it. But certainly in this case the author makes a good point.
--
»hillaryis404.org/


Cabal
Premium
join:2007-01-21
Boston, MA

quote:
Usually it is bad to have any kind of dependency on uninitialised memory, but OpenSSL happens to include a rare case when it's OK, or even a good idea: its randomness pool. Adding uninitialised memory to it can do no harm and might do some good, which is why we do it.
I know people hate to comment their code, but maybe intentionally using uninitialized memory would be a good opportunity for that sort of thing.
--
Interested in open source engine management for your Subaru?


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

said by Cabal:

I know people hate to comment their code, but maybe intentionally using uninitialized memory would be a good opportunity for that sort of thing.
Funny you should mention that
Monday, 09-Nov 16:49:12 | © 1999-2009 dslreports.com