[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Low Entropy key generation revisited



There are currently two result being published on RSA keys 
found in the wild. As the problem of low-entropy 
(e.g. initial boot) situations has been discussed here,
I thought somebody may be interested in this.

Bottom line is that OpenSSL key-generation can produce
weak RSA keys with non-negliable probability when doing the
key-generation in an entropy-starved situation and that 
devices with these weak keys can be found and attacked 
efficiently. This does require gathering a lot (ideally
all) RSA keys in use.

Fix is to use better entropy-gathering, even if it takes 
time. Also, non-RSA keys are not affected by this specific 
attack (but their security does still suffer when they
are generated incorrectly in an entripoy-starved situation).

Note that LUKS is not affected by this new attack as it 
does not use RSA keys. For the effects of a low-entropy
situation on LUKS, see the mailing list archives. Plain 
dm-crypt is not affected by entropy-gathering at all.

Arno

----

References:
1. Good short explanation on freedom-to-tinker by research 
   group 2 (read this first):
   https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs  

2. Paper by research group 1:
   http://eprint.iacr.org/2012/064

3. Original and followup Slashdot articles:
   http://it.slashdot.org/story/12/02/14/2322213/998-security-for-real-world-public-keys
   http://it.slashdot.org/story/12/02/15/1540212/factorable-keys-twice-as-many-but-half-as-bad

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt


[DM Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

Add to Google Powered by Linux