Overclock.net › Forums › Industry News › Software News › [ZDN] Debian and Ubuntu OpenSSL generates useless crypto keys
New Posts  All Forums:Forum Nav:

[ZDN] Debian and Ubuntu OpenSSL generates useless crypto keys

post #1 of 2
Thread Starter 
Quote:
For almost two years the OpenSSL library used by Linux distribution Debian has been generating useless cryptographic keys — although Debian has issued a patch, experts warn that systems may still be exposed.


On Tuesday, the Debian project admitted that security expert Luciano Bello had discovered that an update to Debian's OpenSSL package in 2006 weakened the system's Random Number Generator, making SSH and SSL encryption and authentication — used to secure communications for applications such as Internet banking — useless.

"Because this vulnerability affects the OpenSSL package, which is used for generating various keys including SSH keys, session keys for SSL/TLS connections, OpenVPN and DNSSec keys and others, the implications are quite significant," Nishad Herath, chief executive officer of security consultancy Novologica, told ZDNet.com.au.

The vulnerability primarily affects Debian and Debian-derived systems, such as Ubuntu, according to Metasploit founder, H. D. Moore. However non-Debian systems are also exposed, said Herath.

"Non-Debian systems are also made vulnerable if they were using key material generated on an affected Debian system. To make matters worse, all DSA keys used for signing and authentication purposes on an affected Debian system is also made vulnerable — the Debian official security advisory recommends that such keys be considered compromised," said Herath.

Metasploit's Moore, yesterday told IT Radio's Risky Business that patching won't fix the problem either.

"Patching the vulnerability does not remove the vulnerability — it just prevents it from happening from that point on," he said.

Gabriel Haythornthwaite, information security consultant for Castelain, told ZDNet.com.au this means: "An attacker, who is predicting what a key would have been at the time, can break into a session or can retrospectively gather information from the session."

Novologica's Herath said this is a "spectacular screw up" on the part of the maintainers of the Debian system.

"It is quite commonplace that package maintainers of certain Linux distributions modify the source code of a given package to suit the specificities of a particular distribution. However, these changes are often not submitted to the original developers of the package for scrutiny," he said.

The changes made to the Debian OpenSSL package ... is in my view a spectacular screw up that clearly demonstrates the dangers of this modification process, where changes are not reviewed by the original authors of the package let alone any third-party experts prior to being made available to the public."

The Debian project has published a detector for known weak key material, which also provides instructions for rolling over encryption keys.
http://www.zdnet.com.au/news/securit...9289012,00.htm

------>
post #2 of 2
How does that happen?
    
CPUMotherboardGraphicsRAM
i7 3770k 4.4Ghz Gigabyte P67A-UD4 Asus GTX 780 G.SKILL Ripjaws 4X4GB DDR3-1333 
Hard DriveOptical DriveOSMonitor
OCZ Vertex 4 512GB, 7200.11 1TB Pioneer DVR-212D Win7 x64 Dell U2311H 23" IPS 1080p 
PowerCase
Thermaltake TR2 750w Antec 300 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
i7 3770k 4.4Ghz Gigabyte P67A-UD4 Asus GTX 780 G.SKILL Ripjaws 4X4GB DDR3-1333 
Hard DriveOptical DriveOSMonitor
OCZ Vertex 4 512GB, 7200.11 1TB Pioneer DVR-212D Win7 x64 Dell U2311H 23" IPS 1080p 
PowerCase
Thermaltake TR2 750w Antec 300 
  hide details  
Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Software News
Overclock.net › Forums › Industry News › Software News › [ZDN] Debian and Ubuntu OpenSSL generates useless crypto keys