Debian vulnerability has widespread effects
Posted May 15, 2008 1:13 UTC (Thu) by csamuel (✭ supporter ✭, #2624)
Parent article: Debian vulnerability has widespread effects
It is believed that even using
a good DSA key from a client with a broken OpenSSL library can
compromise the private key due to a DSA specific attack
Additionally, some DSA keys may be compromised by only
their use. A strong key (i.e., generated with a 'good' OpenSSL) but used
locally on a machine with a 'bad' OpenSSL must be considered to be
compromised. This is due to an 'attack' on DSA that allows the secret key
to be found if the nonce used in the signature is reused or
known.
The Metasploit project has already published an
exhaustive list of keys:
This will generate a new OpenSSH 1024-bit DSA key with
the value of getpid() always returning the number "1". We now have our
first pre-generated SSH key. If we continue this process for all PIDs up
to 32,767 and then repeat it for 2048-bit RSA keys, we have covered the
valid key ranges for x86 systems running the buggy version of the OpenSSL
library. With this key set, we can compromise any user account that has a
vulnerable key listed in the authorized_keys file. This key set is also
useful for decrypting a previously-captured SSH session, if the SSH
server was using a vulnerable host key. Links to the pregenerated key
sets for 1024-bit DSA and 2048-bit RSA keys (x86) are provided in the
downloads section below.
They also have some tips on how to speed up an attack:
When attempting to guess a key generated at boot time
(like a SSH host key), those keys with PID values less than 200 would be
the best choices for a brute force. When attacking a user-generated key,
we can assume that most of the valid user keys were created with a
process ID greater than 500 and less than 10,000. This optimization can
significantly speed up a brute force attack on a remote user account over
the SSH protocol.
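A defensive audit built on the two points quoted above, as an added example that is not part of the original comment or of any project's tooling: because the weak key space is small enough to enumerate, an authorized_keys file can be checked against a fingerprint blacklist, and DSA keys are flagged separately because the quoted advisory says they can be compromised by use alone. The blacklist, the sample key blobs and all function names are constructed for illustration; fingerprints use the legacy MD5 colon-hex format.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # the two key types the comment discusses

def fingerprint(blob_b64):
    """Legacy OpenSSH fingerprint: MD5 of the decoded key blob, colon-separated hex."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def strip_options(line):
    """Drop a leading options field; quoted values may hold spaces or key-type names."""
    in_quote, i = False, 0
    while i < len(line):
        if line[i] == "\\" and in_quote:
            i += 1  # skip the escaped character
        elif line[i] == '"':
            in_quote = not in_quote
        elif line[i] in " \t" and not in_quote:
            return line[i:].lstrip()
        i += 1
    return ""

def parse_line(line):
    """Return (key_type, base64_blob) for a key line, or None for anything else."""
    fields = line.split()
    if fields and not fields[0].startswith("#") and fields[0] not in KEY_TYPES:
        fields = strip_options(line.strip()).split()
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    return fields[0], fields[1]

def audit(text, blacklist):
    """Return (line_no, verdict, fingerprint) for each key that needs attention."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        fp = fingerprint(parsed[1])
        if fp in blacklist:
            findings.append((n, "BLACKLISTED", fp))
        elif parsed[0] == "ssh-dss":  # may be exposed by use alone on a bad host
            findings.append((n, "DSA_REVIEW", fp))
    return findings

# Constructed sample: placeholder bytes stand in for real public key blobs.
WEAK, DSA = (base64.b64encode(b).decode() for b in (b"constructed-weak", b"constructed-dsa"))
SAMPLE = f'ssh-rsa {WEAK} alice\ncommand="echo ssh-rsa x" ssh-dss {DSA} backup\n# note\n'
SAMPLE_BLACKLIST = {fingerprint(WEAK)}
```

A `DSA_REVIEW` verdict means the blacklist lookup alone cannot clear the key: whether it was ever used from a host with the broken library has to be established separately.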