- 05-14-2008 #1
Debian’s random number generator problem
What, SSH/SSL not that safe? You should probably listen to this episode.
Risky Business
By the way I recommend the podcast.
- 05-14-2008 #2
Wow, that's bad...
One thing that wasn't really made clear here, however: was the problem with SSL/SSH, or was it a problem with whatever Debian uses to generate random numbers? I've been working on an encryption program, and it would be a shame to find out all of the keys I spawned for that were easily crackable too.
Is there any more info available on where patches are located? Any word on if they're in the general repositories yet?
- 05-14-2008 #3
The problem is not SSL/SSH's fault but how Debian generates the keys; it's been patched overnight, by the way. The problem is that all previously created keys are unsafe. I am going to spend all night changing the keys.
From the Ubuntu mailing list:
A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.
This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.
We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems.
Risky Business is providing a script to re-generate the keys.
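An added example (not from this thread, the podcast, or the Ubuntu advisory) of the mechanism the advisory describes and of the two things a defender actually does about it: check existing keys against a blacklist of every key the broken generator could have produced, and regenerate the ones that match from a proper CSPRNG. The key generator here is a toy (bytes drawn from a PRNG seeded by one small integer, fingerprinted with SHA-256), not OpenSSL, and the seed space of 32768 values is an assumption chosen to stand in for a process-id-sized input, not a measurement of the real Debian bug. The host keys in `audit` are constructed sample data.

```python
"""Toy model of a key generator whose only entropy is a small seed, plus the
defender's response: a fingerprint blacklist and key regeneration.
Assumptions: the generator and the 32768-value seed space are illustrative,
not the real OpenSSL code or the real size of the Debian weakness."""
import hashlib
import random
import secrets

SEED_SPACE = 32768  # assumed: the only varying input is a PID-sized value


def toy_keygen(seed: int, key_bytes: int = 32) -> bytes:
    """Deterministic toy key: key_bytes from a PRNG seeded only by `seed`.
    Every process that starts with the same seed gets the same key."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(key_bytes))


def fingerprint(key: bytes) -> str:
    """Short SHA-256 fingerprint, the form in which a blacklist is shipped."""
    return hashlib.sha256(key).hexdigest()[:16]


def build_blacklist(seed_space: int = SEED_SPACE) -> set[str]:
    """Enumerate every key the broken generator can emit. A space this small
    is exactly why the advisory says the keys 'are much more common than
    they should be'; a defender precomputes it once and ships the fingerprints."""
    return {fingerprint(toy_keygen(s)) for s in range(seed_space)}


def is_weak(key: bytes, blacklist: set[str]) -> bool:
    """True if this key is one the broken generator could have produced."""
    return fingerprint(key) in blacklist


def regenerate_key(key_bytes: int = 32) -> bytes:
    """Replacement key from the OS CSPRNG: the fix the advisory asks for."""
    return secrets.token_bytes(key_bytes)


def audit(keys: dict[str, bytes], blacklist: set[str]) -> dict[str, bytes]:
    """Return host -> replacement key for every host whose key is blacklisted.
    Hosts with keys outside the blacklist are left alone."""
    return {host: regenerate_key()
            for host, key in keys.items() if is_weak(key, blacklist)}


if __name__ == "__main__":
    bl = build_blacklist()
    # Constructed inventory: one key from the broken generator, one sound key.
    inventory = {"web01": toy_keygen(4242), "db01": regenerate_key()}
    replacements = audit(inventory, bl)
    print("distinct keys the broken generator can produce:", len(bl))
    print("hosts needing new keys:", sorted(replacements))
```

The point of `build_blacklist` is that the whole output space of the broken generator fits in memory, so checking an installed key is a set lookup rather than a cryptanalytic effort; the same idea is what makes the blacklist-and-regenerate response in post #3 practical across a fleet. Note that `audit` only flags keys that match the blacklist, so keys imported from an unaffected system pass unchanged.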
- 05-14-2008 #4
- 05-16-2008 #5