05-14-2008 #1
ls354
Debian’s random number generator problem

What, SSH/SSL not that safe? You should probably listen to this episode.

Risky Business

By the way, I recommend the podcast.

05-14-2008 #2
SagaciousKJB
Wow, that's bad...

One thing wasn't really made clear here, however. Was the problem with SSL/SSH, or was it a problem with whatever Debian uses to generate random numbers? I've been working on an encryption program, and it would be a shame to find out all of the keys I spawned for that were easily crackable too.

Is there any more info. available on where patches are located? Any word on if they're in the general repositories yet?

05-14-2008 #3
ls354
The problem is not SSL/SSH's fault but how Debian generates the keys; it's been patched overnight, by the way. The problem is that all previously created keys are unsafe. I am going to spend all night changing the keys.

From the Ubuntu mailing list:
A weakness has been discovered in the random number generator used
by OpenSSL on Debian and Ubuntu systems. As a result of this
weakness, certain encryption keys are much more common than they
should be, such that an attacker could guess the key through a
brute-force attack given minimal knowledge of the system. This
particularly affects the use of encryption keys in OpenSSH, OpenVPN
and SSL certificates.

This vulnerability only affects operating systems which (like
Ubuntu) are based on Debian. However, other systems can be
indirectly affected if weak keys are imported into them.

We consider this an extremely serious vulnerability, and urge all
users to act immediately to secure their systems.


Risky Business is providing a script to re-generate the keys.

05-14-2008 #4
SagaciousKJB
Yeah, I wish I would have used that script before just deleting my ssh keys. Now I don't remember how to generate them anymore.
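
The advisory quoted in this thread notes that weak keys imported into other systems leave those systems affected too. As an added example (not from the thread, the advisory or any Debian/Ubuntu tool), this Python sketch shows a blocklist-style audit of a constructed `authorized_keys` file; `toy_key_blob`, the 32,768-value seed space and the sample entries are assumptions of a toy model in which a hash stands in for real key generation.

```python
import base64
import hashlib

SEED_SPACE = 32768  # assumption of this toy model: the seed takes only this many values

def toy_key_blob(seed: int) -> bytes:
    """Toy stand-in for a public-key blob derived from a weak seed (not real SSH keygen)."""
    return hashlib.sha256(b"toy-weak-key:%d" % seed).digest()

def fingerprint(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def build_blocklist() -> set:
    """Every key the weak generator can emit is enumerable, so list them all once."""
    return {fingerprint(toy_key_blob(s)) for s in range(SEED_SPACE)}

def audit_authorized_keys(text: str, blocklist: set) -> list:
    """Return (line_number, comment) for each entry whose key is on the blocklist."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type, so locate the type field first.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # not a key line
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:
            continue  # malformed base64, nothing to fingerprint
        if fingerprint(blob) in blocklist:
            hits.append((number, " ".join(fields[idx + 2:])))
    return hits

def _entry(blob: bytes, comment: str, options: str = "") -> str:
    return f"{options}ssh-rsa {base64.b64encode(blob).decode()} {comment}"

# Constructed sample: two entries from the weak generator, one unrelated key.
SAMPLE = "\n".join([
    "# constructed authorized_keys sample",
    _entry(toy_key_blob(4242), "alice@old-debian-box"),
    _entry(hashlib.sha256(b"constructed strong key").digest(), "bob@laptop"),
    _entry(toy_key_blob(31999), "backup@imported", options="no-pty "),
])

if __name__ == "__main__":
    for number, comment in audit_authorized_keys(SAMPLE, build_blocklist()):
        print(f"line {number}: weak key ({comment}), remove and reissue")
```

Patching the generator does not clear these entries: each flagged key has to be removed and replaced with one generated on a fixed system.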

05-16-2008 #5
carlosponti