Re: [Monotone-devel] [Fwd: [SECURITY] [DSA 1571-1] New openssl packages


From: Jack Lloyd
Subject: Re: [Monotone-devel] [Fwd: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator]
Date: Fri, 16 May 2008 09:10:16 -0400
User-agent: Mutt/1.5.11

On Thu, May 15, 2008 at 04:54:27PM -0700, Nathaniel Smith wrote:
> On Fri, May 16, 2008 at 09:16:28AM +1000, Brian May wrote:
> > Zack Weinberg wrote:
> > > It occurred to me that monotone does have the ability to load signing
> > > keys into ssh-agent, which might have meant they got used with the bad
> > > random number generator; but monotone only uses RSA keys, so as I
> > > understand it that's not a problem.
> > >   
> > What matters is how the key is initially generated. So monotone should
> > be OK, even with ssh-agent. However both RSA and DSA keys (ssh, x509,
> > etc) are affected by the above security flaw when the key was generated
> > by the bad library.
> 
> Apparently strong DSA keys can also be compromised if they are *used*
> by a broken library, because of how random nonces are used in
> generating DSA signatures.  But it doesn't matter, like Zack says.

Yup. If a nonce used in generating a DSA signature is ever revealed
(or is predictable), or if the same nonce is reused to sign more than
one message, the value of the private key is immediately revealed via
simple algebraic manipulation.

I've always assumed this was an intentional design decision on the
part of the NSA, since it makes it really easy to silently backdoor an
implementation. At least, I can't imagine why one would intentionally
design a signature algorithm that reveals the key when the RNG fails,
unless you are planning on making the RNG fail when you want it to.

-Jack
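The algebra Jack alludes to, as an added worked example that is not part of his message, the thread, or monotone's code: a toy DSA with freshly generated ~60-bit domain parameters (a labelled assumption, chosen only so the run is fast and reproducible), two constructed messages signed with the same nonce, and the two-line recovery of the private key from the pair. It also includes the check a defender would actually run over a pile of signatures: two signatures from one key sharing an `r` value is exactly the symptom of a reused nonce.

```python
"""Constructed demonstration (not from the thread): two DSA signatures made
with the same nonce k leak the private key x by simple algebra. Every
parameter, key and message below is generated or made up; none are real."""
import hashlib
from random import Random

# Bases that make Miller-Rabin deterministic for every n < 3.3e24.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_params(qbits: int = 60):
    """Toy DSA domain parameters (p, q, g): q prime, q | p-1, g of order q."""
    q = (1 << qbits) | 1
    while not is_probable_prime(q):
        q += 2
    k = 1
    while not is_probable_prime(2 * k * q + 1):
        k += 1
    p = 2 * k * q + 1
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g

def hash_to_int(msg: bytes, q: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def dsa_sign(msg: bytes, x: int, params, k: int):
    """Sign with an explicitly supplied nonce k (secret, unpredictable, never reused)."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_to_int(msg, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; real DSA would pick a new k")
    return r, s

def dsa_verify(msg: bytes, sig, y: int, params) -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_to_int(msg, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

def find_reused_r(signatures):
    """Detection check: groups of signature indices that share an r value."""
    seen = {}
    for i, (r, _s) in enumerate(signatures):
        seen.setdefault(r, []).append(i)
    return [idx for idx in seen.values() if len(idx) > 1]

def recover_from_reused_nonce(m1, sig1, m2, sig2, q):
    """s1 - s2 = k^-1 (h1 - h2) gives k; then x = (s1*k - h1) / r. Returns (k, x)."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different r: nonces were not reused")
    h1, h2 = hash_to_int(m1, q), hash_to_int(m2, q)
    k = (h1 - h2) * pow((s1 - s2) % q, -1, q) % q
    x = (s1 * k - h1) * pow(r1, -1, q) % q
    return k, x

def demo() -> bool:
    params = generate_params()
    p, q, g = params
    rng = Random(20080516)  # seeded so the constructed run is reproducible
    x = rng.randrange(1, q)  # private key
    y = pow(g, x, p)         # public key
    k = rng.randrange(1, q)  # one nonce, wrongly used twice
    m1, m2 = b"constructed message 1", b"constructed message 2"
    sig1, sig2 = dsa_sign(m1, x, params, k), dsa_sign(m2, x, params, k)
    assert dsa_verify(m1, sig1, y, params) and dsa_verify(m2, sig2, y, params)
    assert find_reused_r([sig1, sig2]) == [[0, 1]]
    k_rec, x_rec = recover_from_reused_nonce(m1, sig1, m2, sig2, q)
    return (k_rec, x_rec) == (k, x)
```

Both signatures verify as perfectly valid, which is why a broken RNG is so hard to notice from the outside; only the repeated `r` gives it away. The usual mitigation is to remove the RNG from signing altogether by deriving the nonce deterministically from the private key and the message (RFC 6979), so that a nonce can only repeat when the message does, and reuse is then harmless.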
