|
|
Log in / Subscribe / Register

Cryptographic weakness on Debian systems

[Posted May 13, 2008 by corbet]

The Debian project has sent out an advisory stating that, due to a Debian-specific modification to the openssl package, cryptographic keys generated on affected systems may be guessable. "It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised." The project has disabled public key logins on its internal infrastructure in response.
to post comments

Cryptographic weakness on Debian systems

Posted May 13, 2008 14:01 UTC (Tue) by rvfh (guest, #31018) [Link] (6 responses) 

What about the Debian derivatives, and their derivatives?

Knoppix, *Ubuntu, what else? MEPIS?

Cryptographic weakness on Debian systems

Posted May 13, 2008 14:04 UTC (Tue) by noahm (subscriber, #40155) [Link] (5 responses) 

Yes, all Debian-derived systems are also vulnerable.  Debian has coordinated with Ubuntu and
other distros on the details of the bug.  If they haven't already fixed it, expect the
derivatives to release updates soon.

noah

Cryptographic weakness on Debian systems

Posted May 13, 2008 19:48 UTC (Tue) by KingKevbo (guest, #10975) [Link] (4 responses) 

I'm not seeing any updates to SSH packages in Debian yet. (I've already applied SSH updates to
my Ubuntu desktop.)  Are they still working on the packages for Debian?

Cryptographic weakness on Debian systems

Posted May 13, 2008 19:52 UTC (Tue) by nix (subscriber, #2304) [Link] (1 responses) 

The update is to libssl, not openssh, and it's hit testing.

Cryptographic weakness on Debian systems

Posted May 14, 2008 0:42 UTC (Wed) by nix (subscriber, #2304) [Link] 

Oops, sorry, there *is* an openssh update as well, in ubuntu at least.

Cryptographic weakness on Debian systems

Posted May 13, 2008 22:02 UTC (Tue) by maxb (guest, #52055) [Link] (1 responses) 

The updated SSH packages in Ubuntu were derived from updates in Debian, but Ubuntu has
published them as a security update, whereas the Debian packages are currently sitting in
incoming.

Cryptographic weakness on Debian systems

Posted May 14, 2008 0:14 UTC (Wed) by cjwatson (subscriber, #7322) [Link] 

I worked on the openssh side of the update for both Debian and Ubuntu (largely on Canonical
time, but dealing with openssh in Debian as well). Unfortunately I only managed to get the
openssh update into the upload queue after the Debian system administration team locked down
SSH access in various places, which it transpired also knocked out the ability to publish
further updates for a while ... with any luck this will be sorted out soon.

Cryptographic weakness on Debian systems

Posted May 13, 2008 14:14 UTC (Tue) by nelljerram (subscriber, #12005) [Link] (8 responses) 

How do we know that these latest announcements have really come from Debian?

(I'm asking out of genuine ignorance, and I expect that that is probably a very dumb question,
and that there's a simple answer.  But consider, with --paranoia=max, what would you do if you
wanted to attack a massive organization like Debian?  Forge some emails, claiming that all of
the keys with which DDs are familiar (recognizing fingerprints and such like) are now
invalid...?)

Cryptographic weakness on Debian systems

Posted May 13, 2008 14:33 UTC (Tue) by bcl (subscriber, #17631) [Link] (7 responses) 

Because the announcements are GPG signed. 

http://lists.debian.org/debian-security-announce/2008/msg...

gpg: Signature made Tue May 13 05:03:24 2008 PDT using RSA key ID 02D524BE
gpg: Good signature from "Florian Weimer (HIGH SECURITY KEY) <fw@deneb.enyo.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C8D3 D9CF FA9E 7056 3F32  FA54 BF7B FF04 02D5 24BE

If you don't have the key, you can import it like this:

gpg --keyserver pgpkeys.mit.edu --recv-key <keyid>

Since there is no web of trust between me and the owner of this key there is still no way to
guarantee that it really belongs to Florian Weimer other than checking it against other posts
to the list.

Cryptographic weakness on Debian systems

Posted May 13, 2008 14:39 UTC (Tue) by elanthis (guest, #6227) [Link] (6 responses) 

"How do we trust this announcement about weak keys is real?"

"We look at the keys they used in the annou... shit."

Cryptographic weakness on Debian systems

Posted May 13, 2008 14:44 UTC (Tue) by maks (guest, #32426) [Link] (3 responses) 

read the announcement gpg is not affected.

openssl is bad enough!

Cryptographic weakness on Debian systems

Posted May 13, 2008 17:43 UTC (Tue) by nelljerram (subscriber, #12005) [Link] 

Thanks everyone for your answers.  I see now that GPG keys are in a separate space from the
ssh keys, and unaffected.

Cryptographic weakness on Debian systems

Posted May 13, 2008 21:03 UTC (Tue) by lab (guest, #51153) [Link] (1 responses) 

Hmmm.. Can I just ask a stupid question - how come the OpenSSH package in Ubuntu is affected,
but not in Debian?

http://www.ubuntu.com/usn/usn-612-2

"A weakness has been discovered in the random number generator used by OpenSSL on Debian and
Ubuntu systems. As a result of this weakness, certain encryption keys are much more common
than they should be, such that an attacker could guess the key through a brute-force attack
given minimal knowledge of the system. This particularly affects the use of encryption keys in
OpenSSH."

Cryptographic weakness on Debian systems

Posted May 14, 2008 0:16 UTC (Wed) by cjwatson (subscriber, #7322) [Link] 

It's affected in exactly the same sense (i.e. only as collateral damage) in Debian too;
unfortunately problems due to the advisory itself have made it difficult to publish an OpenSSH
update in Debian, but it should be on its way soon.

Cryptographic weakness on Debian systems

Posted May 13, 2008 18:49 UTC (Tue) by nix (subscriber, #2304) [Link] (1 responses) 

Even if those keys were compromised, that's OK. If the announcement is 
legitimate, then the fact that the keys are compromised is not 
problematic, because it was actually signed with the secret key. If it's 
*not* legitimate, and has been signed by a forger, then... why on earth 
would they tell us that the keys were weak, destroying their own strong 
point? (And if the message is forged and the sender is lying, being a 
nasty forger and all, well, er, a forger telling us that the keys are weak 
when they're actually *strong* seems really rather implausible.)

I'd worry much more about an announcement coming out of the blue saying 
`hey, our keys are OK, keep using them!' because that *is* an announcement 
that an attacker who'd nicked the keys might want to give out (if he 
wanted to make people like me suspicious, anyway).

Cryptographic weakness on Debian systems

Posted May 13, 2008 20:48 UTC (Tue) by man_ls (guest, #15091) [Link]

Maybe the keys are good, but the attacker wants to make you think you have to get new keys -- which he will somehow forge and supply to you. In this case you should scrutinize the ways to "sanitize" your supposedly bad keys. An example: (s)he has discovered a weak point in GPG keys, so a method to generate "good" SSL keys from "safe" GPG keys is really a way to generate "compromised" SSL keys from "unsafe" GPG keys.

It is a modern-day version of the old ploy where a fake detective comes and says: "here, your house is bugged, let me sanitize it for you", thus gaining your confidence and at the same time getting an excellent chance to install his own spying devices. You should watch him like a hawk.

On second thought, even if you follow the guy he may be clever enough to deploy spying devices even if you are watching him all the time. Or in our case: the GPG vulnerability may be subtle enough that it is hard to catch the attacker. I hope some really clever people are watching this story unfold.

Cryptographic weakness on Debian systems

Posted May 13, 2008 14:20 UTC (Tue) by bcl (subscriber, #17631) [Link] (18 responses) 

I am wondering if this is as serious as everyone is making it out to be. Or if there is more
to it that hasn't been disclosed yet? 

According to the announcement
(http://lists.debian.org/debian-security-announce/2008/msg...) it is being called a
'predictable random number generator' problem but according to the details what they did was
disabled including uninitialized memory in the RNG pool. Since uninitialized memory may or may
not be very useful as a source of additional entropy I don't see a direct connection to that
making the RNG output predictable.

Now, if they disabled adding any other source to the pool, then yes that could lead to
predictability. But leaving out one source of many (I assume) shouldn't compromise the RNG
unless something else is wrong with their code.

Does anyone have a link to the patch that fixes this?

Cryptographic weakness on Debian systems

Posted May 13, 2008 14:55 UTC (Tue) by pharm (guest, #22305) [Link] (15 responses)

The patch just comments out the non-zeroing of the relevant buffers if I understand it correctly: 
$ diff -r -C5  openssl-0.9.8c-etch1/crypto/rand/md_rand.c openssl-0.9.8c-
etch3/crypto/rand/md_rand.c
*** openssl-0.9.8c-etch1/crypto/rand/md_rand.c	Tue May 13 15:50:57 2008
--- openssl-0.9.8c-etch3/crypto/rand/md_rand.c	Tue May 13 15:51:05 2008
***************
*** 269,282 ****
  			MD_Update(&m,&(state[0]),k);
  			}
  		else
  			MD_Update(&m,&(state[st_idx]),j);
  			
- /*		
-  * Don't add uninitialised data.
  		MD_Update(&m,buf,j);
- */
  		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
  		MD_Final(&m,local_md);
  		md_c[1]++;
  
  		buf=(const char *)buf + j;
--- 269,279 ----
It does seem a little weird: if that was the only source of randomness, then it's not a very good source & needs fixing! On the other hand if it was just one source of randomness, then it shouldn't be that big a deal. Anyone on the "inside" able to comment?

Cryptographic weakness on Debian systems

Posted May 13, 2008 15:09 UTC (Tue) by jwb (guest, #15467) [Link] (5 responses) 

Is it just me, or did the "fix" only back out the change in one of two places?  See the patch
which caused the problem:

http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/r...

The offending change is in two places.  Now see the "fix":

http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/c...

The patch is only half undone.  Oversight?

Cryptographic weakness on Debian systems

Posted May 13, 2008 15:17 UTC (Tue) by hmh (subscriber, #3838) [Link] (1 responses) 

I suggest studying the utility mentioned in the advisory that verifies whether a key is weak
or not.  That goes directly to the effect of whatever bug is in question (which is what
matters, here).

Cryptographic weakness on Debian systems

Posted May 13, 2008 15:59 UTC (Tue) by hmh (subscriber, #3838) [Link] 

The key vulnerability check basically hashes the key and searches for it in a blacklist of
256Ki entries.  The code says that blacklist is not known to be the complete set of weak keys,
it could be just a subset.

Further comments of that really means depend on studying the OpenSSL code at depth, which I
hope someone will disclose soon.

Cryptographic weakness on Debian systems

Posted May 13, 2008 15:17 UTC (Tue) by jond (subscriber, #37669) [Link] (1 responses) 

Only if PURIFY is defined. I'm not sure in which situations that happens, but I think it's
valgrind-related. So the binary packages being distributed are fine.

Cryptographic weakness on Debian systems

Posted May 13, 2008 15:50 UTC (Tue) by lambda (subscriber, #40735) [Link]

Only if PURIFY is not defined. That line was being excluded from PURIFY because it was causing warnings about uninitialized data.

Cryptographic weakness on Debian systems

Posted May 13, 2008 16:22 UTC (Tue) by IkeTo (subscriber, #2122) [Link] 

> The patch is only half undone.  Oversight?

Unlikely.  The original intent is quite defensible: if some data is not initialized, you don't
know whether it is coming from some attacker, so you shouldn't use it as part of the random
number to generate your key.  I expect that is the part that is left alone, in the function
ssleay_rand_bytes.  The "#ifndef PURIFY" macro probably is there because some tools detects
that it is using uninitialized data, and would die or produce other ugly result if the code is
allowed to run.

But the patch change another function ssleay_rand_add as well.  I'm wondering whether the buf
being passed in is actually the data that it want to add to the random pool.  If so, the
original removal of line 274 probably drops nearly all randomness that the random number
generator can ever obtain.

Cryptographic weakness on Debian systems

Posted May 13, 2008 16:38 UTC (Tue) by IkeTo (subscriber, #2122) [Link] (8 responses) 

> It does seem a little weird: if that was the only source of randomness,
> then it's not a very good source & needs fixing!

Only if that part is really to "add uninitialised data"!  Note that the comment is added by
the original Debian patch, not in the original SSL library.  The "buf" argument is actually
passed by a call to the "add" function of the rand_meth_st interface, the interface defining
how to collect random data for various pluggable methods.  My thinking is that it might
actually not be uninitialized data at all, but is instead the content handed over by a part of
the interface for SSL random number pool that actually accept random data and add them to the
pool, i.e., most of the "real" randomness available.

Cryptographic weakness on Debian systems

Posted May 13, 2008 17:01 UTC (Tue) by pharm (guest, #22305) [Link] (4 responses)

My thinking is that it might actually not be uninitialized data at all, but is instead the content handed over by a part of the interface for SSL random number pool that actually accept random data and add them to the pool, i.e., most of the "real" randomness available.

Which makes perfect sense, except that I don't understand why purify & valgrind would complain about it in that case. Oh well. No doubt all will become clear eventually & I don't have time to chase down the logic right now...

Cryptographic weakness on Debian systems

Posted May 13, 2008 17:19 UTC (Tue) by welinder (guest, #4699) [Link] (3 responses) 

Purify/Valgrind will complain if you read more than the
initialized part.

Still, whoever took out the entire initialization should
not be trusted with security intensive code.

Cryptographic weakness on Debian systems

Posted May 14, 2008 12:42 UTC (Wed) by dion (guest, #2764) [Link] (2 responses) 

That would be Kurt Roeckx:

http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/r...
http://alioth.debian.org/users/kroeckx/

Cryptographic weakness on Debian systems

Posted May 14, 2008 13:01 UTC (Wed) by DeletedUser32991 ((unknown), #32991) [Link] (1 responses)

Kurt did ask about it on the upstream list, too.

Cryptographic weakness on Debian systems

Posted May 14, 2008 18:55 UTC (Wed) by dion (guest, #2764) [Link] 

Yes, that should ward off the tar+feathers.

When even openssl developers can't tell that the change is catastrophic then he might be
excused.

This does illustrate why blindly fixing warnings is a dangerous and bad idea, though.

Cryptographic weakness on Debian systems

Posted May 13, 2008 17:12 UTC (Tue) by tialaramex (subscriber, #21167) [Link] (2 responses) 

It looks like someone found a screw sticking out, and having a hammer handy, decided to bash
it flat. As you'd expect in security software, the result was disastrous.

Something, somewhere, calls this function with potentially uninitialised data (or perhaps, a
dodgy piece of analysis software only thinks it is unintialised because it can't find the
initialiser). Maybe it's actually a test routine. Maybe it's one uninitialised byte caused by
an off-by-one error somewhere. Either way it's irrelevant to this function. Rather than find
and fix that minor mistake, someone with Debian checkin privileges "fixed" it by removing
critical code from this function, silencing the warning and disabling Debian's security.

I guess the Debian Security people will need to re-assess who gets to modify critical packages
like this. It's one thing to trust that someone isn't going to deliberately sabotage a package
(they could just as easily add malware to GNOME Games as to OpenSSL) and quite another to
trust that they know what they're doing modifying complicated software like this to try to
"fix" security problems.

Cryptographic weakness on Debian systems

Posted May 13, 2008 17:35 UTC (Tue) by IkeTo (subscriber, #2122) [Link] 

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516 if you wanna see the process that
creates the bug.

Cryptographic weakness on Debian systems

Posted May 13, 2008 22:10 UTC (Tue) by philh (subscriber, #14797) [Link]

... quite another to trust that they know what they're doing modifying complicated software like this to try to "fix" security problems.

Well, that would be fair comment if Kurt Roeckx (one of the Debian openssl maintainers) had taken it upon himself to make this change in isolation, but as you can see from this thread, the patch was mentioned to the openssl-dev list, without provoking negative comment, so it's difficult to know who one should be pointing fingers at.

Mistakes happen -- looking for someone to blame isn't overly productive at the best of times, and when it is based on false premises, not at all.

Cryptographic weakness on Debian systems

Posted May 13, 2008 15:50 UTC (Tue) by IkeTo (subscriber, #2122) [Link] (1 responses) 

It doesn't seem to be as simple.  If a program can catch vulnerable keys, it is probably a
very serious issue.  From one of the comments in http://www.dslreports.com/forum/r204743,
apparently the intent of not using uninitialized data for random number pool is good, but the
code is wrong enough that trim down seriously the amount of possible random numbers being
used, making it rather easy to get through.  So if you do have something using Debian, go
regenerate all SSH and Apache-SSL keys that are originally generated by these systems, quick.

Cryptographic weakness on Debian systems

Posted May 13, 2008 16:27 UTC (Tue) by IkeTo (subscriber, #2122) [Link] 

Somehow the URL in my message is chopped...  Here's the correct one.

http://www.dslreports.com/forum/r20474302-Heads-Up-Debian...

Cryptographic weakness on Debian systems

Posted May 13, 2008 16:06 UTC (Tue) by emk (subscriber, #1128) [Link] (9 responses)

To allow ssh access only from TRUSTED_IP, the following might work, at least on systems with no current firewall ruleset:

iptables -A INPUT -s '!' $TRUSTED_IP -p tcp --dport 22 -j DROP

If this is wrong, please correct me!

Cryptographic weakness on Debian systems

Posted May 13, 2008 18:07 UTC (Tue) by jwb (guest, #15467) [Link] (8 responses) 

hosts.allow would be better, and stays constant across reboots.

Cryptographic weakness on Debian systems

Posted May 13, 2008 20:14 UTC (Tue) by emk (subscriber, #1128) [Link] (7 responses) 

Fair enough. :-) I just needed a short-term fix while reading the advisories, and thought I'd
share it.

I'm relatively impressed by the Ubuntu patch, with its built-in blacklist and support for
regenerating host keys. (Time will tell if this code actually works.)

The Debian patch? Not so much. I'm still waiting to see how long it takes for anything other
than a placeholder to appear here:

http://www.debian.org/security/key-rollover/

Cryptographic weakness on Debian systems

Posted May 13, 2008 22:10 UTC (Tue) by maxb (guest, #52055) [Link] (6 responses) 

The SSH package update in Ubuntu is taken straight from Debian. However, whilst Ubuntu have
published it as a security update, Debian have not (yet?). The package is currently in
incoming.

Cryptographic weakness on Debian systems

Posted May 14, 2008 0:29 UTC (Wed) by cjwatson (subscriber, #7322) [Link] (5 responses) 

It would be more accurate to say that the SSH patch was contributed to Debian by Ubuntu, and
due to advisory timing issues happened to be released to Ubuntu first. (Canonical sponsored my
work on said patch, and had no problem with me doing some rapid hat-switching and using that
work for Debian openssh as well, since I'm also its primary maintainer.)

Cryptographic weakness on Debian systems

Posted May 14, 2008 1:23 UTC (Wed) by emk (subscriber, #1128) [Link] 

Well, many thanks for such a useful patch! I'm glad to hear it will soon be available for
Debian as well.

Cryptographic weakness on Debian systems

Posted May 14, 2008 10:54 UTC (Wed) by mbizon (subscriber, #37138) [Link] (3 responses) 

I have quite a lot of keys for which ssh-vulnkey has no blacklist information. Mainly 1024
bits RSA, and 4096 bits of both kind.

The README.compromised-keys does not give any hint about how these blacklist files where
generated.

Do you plan to release the tool to help generate them for any keysize, or to have more
pre-generated files included in openssh-blacklist ?

Cryptographic weakness on Debian systems

Posted May 14, 2008 11:15 UTC (Wed) by cjwatson (subscriber, #7322) [Link] (2 responses) 

At present I don't think it's wise to release what essentially amounts to exploit code. For
keys that aren't in the blacklist about which you aren't sure, I recommend looking at the
timestamp information (RSA keys generated before 17 Sep 2006, when the bug was introduced,
aren't vulnerable), but otherwise regenerate the key in case of doubt.

Cryptographic weakness on Debian systems

Posted May 15, 2008 10:53 UTC (Thu) by endecotp (guest, #36428) [Link] (1 responses) 

The complete set of vulnerable keys has now been published.

Cryptographic weakness on Debian systems

Posted May 17, 2008 7:50 UTC (Sat) by markshuttle (guest, #22379) [Link] 

I doubt that. The complete set would include all possible key sizes, For DSA that's fixed at
1024 bits, for RSA it's open-ended, though anybody with more than 4096 bits is being very
conservative ;-). We had a 16k-bit key at Thawte, but it blew up most crypto libraries and
toolkits at the time, so we didn't use it much.

Cryptographic weakness on Debian systems

Posted May 13, 2008 17:13 UTC (Tue) by MisterIO (guest, #36192) [Link] (19 responses) 

What was the reason for the Debian-specific modification in the first place?

Cryptographic weakness on Debian systems

Posted May 13, 2008 17:43 UTC (Tue) by cortana (subscriber, #24596) [Link] (1 responses) 

The relevant changelog entry can be found at
<http://packages.debian.org/changelogs/pool/main/o/openssl...>.  It is:

   * Move the modified rand/md_rand.c file to the right place,
     really fixing #363516.

This is a fix for the bug at <http://bugs.debian.org/363516>.

Cryptographic weakness on Debian systems

Posted May 13, 2008 17:47 UTC (Tue) by cortana (subscriber, #24596) [Link] 

And the rationale for the change can be found in the thread at
<http://marc.info/?t=114651088900003&r=1&w=2>.

Cryptographic weakness on Debian systems

Posted May 13, 2008 17:57 UTC (Tue) by noahm (subscriber, #40155) [Link] (16 responses) 

http://bugs.debian.org/363516

Basically, openssl was feeding uninitialized memory to the random number generator as seed
data, and this was generating warnings in valgrind and other memory checkers.  This was
disabled, which silenced valgrind.  Unfortunately, it also served to deplete the amount of
entropy available to the RNG.  Of course, the question that others have raised is awfully
interesting: Is there really that much entropy in uninitialized memory to begin with?

Cryptographic weakness on Debian systems

Posted May 13, 2008 18:20 UTC (Tue) by tialaramex (subscriber, #21167) [Link] (13 responses) 

It's interesting, looks like there's plenty of embarassment to go round.

This function does not just take arbitrary "uninitialized memory" and feed it into the entropy
pool. That would be stupid. It takes a parameter, which is supposed to be an array of entropy
bytes to put into the pool.

I haven't analysed the code enough to see whether the Valgrind reports are triggered by this
function going off the end of the provided buffer, or by the buffer providers (elsewhere in
OpenSSL code) not fully initialising their buffers, or even by a subtle false alarm (Valgrind
is good but it's not perfect, not yet).

In any case, with the patch removing this vital line of code, more or less none of the
intended entropy ends up being used. Entropy from /dev/random, from hardware RNG sources, and
so on, is discarded silently by Debian's patch AFAICT. Hence the list of millions of possible
"bogus" keys which can be generated from the little remaining entropy.

What's fascinating is that when Debian reported this terrible goof today some OpenSSL people
said if they'd come forward with this patch two years ago the OpenSSL developers would have
laughed at the obviously wrong fix... But it seems that Debian people did go to the OpenSSL
developers two years ago, and they got told more or less that if it shuts up Valgrind then
it's fine.

Now in parallel to proposing this goofy patch, someone proposed to Debian a fix which simply
writes zeroes to an uninitialised buffer elsewhere in OpenSSL. This patch seems to have been
rejected by Debian for unclear reasons, but an equivalent change has been included in newer
versions of OpenSSL and from there integrated back into Debian. It is probably one of several
such fixes which should have taken place instead of this silly one line patch that disables
the RNG more or less altogether.

Cryptographic weakness on Debian systems

Posted May 13, 2008 18:42 UTC (Tue) by mbanck (subscriber, #9035) [Link] (9 responses)

But it seems that Debian people did go to the OpenSSL developers two years ago, and they got told more or less that if it shuts up Valgrind then it's fine.

That's interesting, do you have a link/citation for that?

Michael

Cryptographic weakness on Debian systems

Posted May 13, 2008 18:45 UTC (Tue) by jamessan (subscriber, #12612) [Link] 

http://marc.info/?t=114651088900003&r=1&w=2 is the thread on openssl-dev

Cryptographic weakness on Debian systems

Posted May 13, 2008 18:45 UTC (Tue) by mbanck (subscriber, #9035) [Link] 

Probably this one, replying to the Debian openssl maintainer:

http://marc.info/?l=openssl-dev&m=114652287210110&...

Michael

Cryptographic weakness on Debian systems

Posted May 13, 2008 18:51 UTC (Tue) by tialaramex (subscriber, #21167) [Link] (6 responses) 

Here's a smoking gun OpenSSL developer mailing list thread. Already linked above actually...

http://marc.info/?t=114651088900003&r=1&w=2

I don't know if anyone in that conversation "represents" OpenSSL in some sense, but there was
plenty of opportunity for anyone, even an interested bystander to interject "that is a
terrible idea" and no-one did.

Cryptographic weakness on Debian systems

Posted May 13, 2008 19:50 UTC (Tue) by nix (subscriber, #2304) [Link] (5 responses) 

Apparently that's a list for people developing apps *with* openssl, and 
the openssl devs don't all read it.

(If so, well done openssl: not only is your code an uncommented 
stylistically awful dog's dinner, your mailing lists also have 
ridiculously misleading names. There's a reason I encourage GnuTLS use 
over OpenSSL wherever possible, and it's not the license...)

Cryptographic weakness on Debian systems

Posted May 13, 2008 19:57 UTC (Tue) by jake (editor, #205) [Link] (4 responses)

> Apparently that's a list for people developing apps *with* openssl, and the openssl devs don't all read it.

That's what Ben Laurie said, but the web page for OpenSSL support says different:

Discussions on development of the OpenSSL library. Not for application development questions!

So it would seem like a reasonable place to ask questions of that nature.

jake

Cryptographic weakness on Debian systems

Posted May 13, 2008 20:16 UTC (Tue) by dark (guest, #8483) [Link] (3 responses) 

The README distributed with openssl also says to submit patches to 
openssl-dev. And the FAQ on openssl.org ("How can I contact the OpenSSL 
developers?") says to look in the README.

Cryptographic weakness on Debian systems

Posted May 14, 2008 0:42 UTC (Wed) by nix (subscriber, #2304) [Link] (2 responses) 

OK, I'll go and be quiet in the corner for not fact-checking before 
burbling. Apologies.

Cryptographic weakness on Debian systems

Posted May 14, 2008 23:54 UTC (Wed) by cortana (subscriber, #24596) [Link] 

Well, don't feel so bad. The OpenSSL developers also didn't bother fact-checking either. ;)

Cryptographic weakness on Debian systems

Posted May 15, 2008 4:20 UTC (Thu) by ajf (guest, #10844) [Link] 

If a member of the OpenSSL team got it wrong, you can hardly blame yourself for believing him.

Cryptographic weakness on Debian systems

Posted May 13, 2008 18:42 UTC (Tue) by tialaramex (subscriber, #21167) [Link] (2 responses) 

Let me offer a thought experiment that helps to show what's going on here, so far as I can
figure it out (and it's a bad sign that Debian's bug for this never gets anywhere near this
level of analysis)

Suppose I write a function int average(char *values, int count)

it takes 'count' bytes from the array pointed at by 'values' and is supposed to return an
arithmetic average, the mean value.

{
  /* for simplicity let's not worry about overflow right now */
  int total = 0;
  for (int k = 0; k < count; ++k) {
    total += values[k];
  }
  return total / count;
}

If you declare an array of 16 bytes, and pass it to me with the count of 16, then I will
return the average of those 16 bytes. Suppose you screw up, with an off-by-one error, and only
fill out 15 bytes, but still set the count parameter to 16, the size of your array. My
function will still work, it won't ever crash, and the result will be almost correct, since
whatever the value of the 16th byte, it will be dwarfed by the other 15 values in calculating
an average.

Now, when you run valgrind over the resulting program, it will report that my average()
function is faulty, it accesses an unintialised value.

Apparently at this point the Debian developers would say "Aha, stupid average function, we'll
soon fix that" and comment out the line total += values[k]; which is of course completely the
wrong fix.

Cryptographic weakness on Debian systems

Posted May 13, 2008 20:02 UTC (Tue) by bcl (subscriber, #17631) [Link] (1 responses) 

That's a pretty good analogy. It isn't too obvious from just looking at the diff, but once you
see the context you realize that they effectivly gutted ssleay_rand_bytes() and
ssleay_rand_add(), and apparently the fix only fixes one of those? So it looks like there is
still a problem.

Cryptographic weakness on Debian systems

Posted May 13, 2008 21:15 UTC (Tue) by lambda (subscriber, #40735) [Link]

No, ssleay_rand_bytes is supposed to be returning a random number generated from the current state of the random number generator. It happened to be mixing in some entropy from the (uninitialized) output buffer passed in, which is not particularly helpful nor harmful, other than messing with Valgrind. It's only in the ssleay_rand_add function that commenting out the line causes any particular problems, because the whole point of ssleay_rand_add is to seed the random number generator.

You can check the documentation in man RAND_bytes and man RAND_add for more information on how these are supposed to work.

Cryptographic weakness on Debian systems

Posted May 14, 2008 8:16 UTC (Wed) by Ross (guest, #4065) [Link] 

The level of entropy would be essentially zero. Memory starts out as zeroed at process
creation time.  It may end up being recycled internally to the same process, but that would be
very predictable.

I suppose you could have some situation like:

 x = malloc(10);
 memcpy(x, randsrc, 10);
 free(x);
 y = malloc(10); /* we just happen to get the same memory */

could cause the situation as described, but that would be a horrible bug -- there is no
guarantee that y wouldn't be all zeros anyway.

I don't think that's what happened here though.

From other comments I think it may be the case that the zeroed buffer contained real entropy,
but possibly not filling the whole thing, thus reading it causes reads of uninitialized bytes.
It could also be that the entropy in the buffer was generated using an uninitialized variable
somewhere (any result of a calculation with uninitialized values must be treated as if it
results in uninitialized values).

I look forward to someone doing a more in-depth inspection of this code -- it should be made
clear exactly how the entropy is gathered and passed around, and there should be no
uninitialized values stored or read from the buffer.  Adding initializations at random points
in the code is not the way to write secure software.

Cryptographic weakness on Debian systems

Posted May 15, 2008 2:22 UTC (Thu) by Ross (guest, #4065) [Link] 

I don't think it was completely uninitialized.
If it is, then it was a really bad idea, as there should be no expectation that it have any
useful entropy any more than you should expect it to be filled with zeros.

Plus, a C program which does that is buggy -- you can't read memory you haven't initialized.
Sure it mostly worked, but it is still a bug.

(Not that any of that excuses the "fix" applied.)

Cryptographic weakness on Debian systems

Posted May 13, 2008 18:18 UTC (Tue) by bronson (subscriber, #4806) [Link] (19 responses) 

Ben Laurie has a great post on it here: http://www.links.org/?p=327

He does lay it on a bit thick though...  Uninitialized data is not random.  Using it the way
OpenSSL does just seems silly.

This is completely Debian's fault of course, but it would not have happened if OpenSSL didn't
leave its bizarro code obscure and undocumented.

Cryptographic weakness on Debian systems

Posted May 13, 2008 18:55 UTC (Tue) by oak (guest, #2786) [Link] (1 responses) 

> Uninitialized data is not random.

If it indeed comes from the "uninitialized" (non-written) part of heap or 
stack, kernel has handily zeroed it for you...

Cryptographic weakness on Debian systems

Posted May 14, 2008 10:52 UTC (Wed) by IkeTo (subscriber, #2122) [Link] 

> If it indeed comes from the "uninitialized" (non-written) part of heap or
> stack, kernel has handily zeroed it for you...

I've learnt from a winning entry of the underhanded C contest that "uninitialized" stack can
contain interesting data, i.e., stack frames of previous calls.  The same can be said about
heap space, as long as someone used the free() function some time ago, and the heap space is
reused from there.  The data is not necessarily constant, since the data stored might reflect
the environment, e.g., it might contain the stat buffer so it contains data like the last
access time of files.  Or somebody called time() and put the result in the stack or heap, used
it and later free, and the space end up being reused.  Of course, all these does not seem like
a good source of untainted randomness.

Cryptographic weakness on Debian systems

Posted May 13, 2008 19:55 UTC (Tue) by welinder (guest, #4699) [Link] (13 responses) 

> This is completely Debian's fault of course [...]

I will leave a little fault for the openssl guys too.  After all, their
program was invoking undefined C behaviour.  When compiled with a
sufficiently nasty compiler, the version of openssl from 2006 would
produce the same key every time.

But as you can see from that blog, openssl guys are not strong on
admitting fault.

Cryptographic weakness on Debian systems

Posted May 14, 2008 4:45 UTC (Wed) by bronson (subscriber, #4806) [Link] (12 responses) 

> When compiled with a sufficiently nasty compiler...

I don't think this is true.  Does the C standard say anywhere that if you read an arbitrary
buffer before ever writing it, then the entire buffer can be ignored forevermore?  Even though
the OpenSSL code is idiotic, even the nastiest C compiler will be obligated to do the right
thing.

> openssl guys are not strong on admitting fault.

That is all too true.  :(  The OpenSSL guys' handling of this incident has been so strange
that I wonder if they're related to OpenBSD somehow...?

Cryptographic weakness on Debian systems

Posted May 14, 2008 8:29 UTC (Wed) by Ross (guest, #4065) [Link] (11 responses) 

> Does the C standard say anywhere that if you read an arbitrary
buffer before ever writing it ...

It says that if you do that, the compiler can do whatever it likes, including removing all of
your files exactly two hours later.  Because of this use of uninitialized memory is a serious
bug, and it is good that they were trying to fix it.  No compiler will intentionally do
something destructive, but agressive optimizations can make the bug spread in very unexpected
ways to other parts of your program.

In practical terms though, there was not a huge problem - the error had only minor effects on
the program.  The fix was not correct and was far worse than the original bug.


> even the nastiest C compiler will be obligated to do the right
thing.

Don't be so sure about that.  The compiler is not obligated to do anything reasonable once you
trigger undefined behavior.  There is certainly no "right" behavior in those cases.

Cryptographic weakness on Debian systems

Posted May 14, 2008 8:56 UTC (Wed) by tialaramex (subscriber, #21167) [Link] (7 responses) 

I'm really not sure than an uninitialised (note, it is properly allocated so there's no chance
of a segfault or similar, it has just not been initialised by the C program) buffer has this
effect in the C standard.

How would the standard distinguish this case from the case where the buffer simply doesn't
belong to the C program ? If my C program looks at the MMIO registers of a PCI card, it
certainly isn't permissible for me to just arbitrarily zero them so that I'm sure they're
initialised...

There is a big difference between behaviour which is implementation defined (and your
implementation should document its behavior) such as the bit patterns of floating point
numbers, and behaviour which the C standard says is altogether undefined and thus you might
reformat your hard disk or start World War III. Clearly

{ char x[40]; x[105] = 'q'; }

is in the latter category, but I'd really want to see chapter and verse quoted before I
believed that the same applies to

{ char m, x[40]; m = x[20]; }

which is the situation we're looking at in OpenSSL.

Cryptographic weakness on Debian systems

Posted May 14, 2008 10:50 UTC (Wed) by nix (subscriber, #2304) [Link] (1 responses) 

`If an object that has automatic storage duration is not initialized explicitly, its value is
indeterminate' combines with a definition of undefined behaviour which includes behaviour
`upon use of... indeterminately valued objects'.

It's pretty clearly undefined.

Cryptographic weakness on Debian systems

Posted May 14, 2008 13:17 UTC (Wed) by endecotp (guest, #36428) [Link] 

Note the "has automatic storage duration" bit in nix's quote.  This is why e.g. reading your
mmap()'d PCI device registers is not undefined.

Cryptographic weakness on Debian systems

Posted May 14, 2008 22:50 UTC (Wed) by dvdeug (subscriber, #10998) [Link] (3 responses) 

> I'd really want to see chapter and verse quoted before I believed that the same applies to

> { char m, x[40]; m = x[20]; }

On real hardware, without any compiler optimizations, both

{float m, x[40]; m = x[20];}

and

{char *m, (*x)[40]; m = x[20];}

can cause the program to crash, as the mere copy of an invalid float or invalid pointer can
generate fatal errors.

Cryptographic weakness on Debian systems

Posted May 15, 2008 6:06 UTC (Thu) by lysse (guest, #3190) [Link] (2 responses) 

A float I can buy, if the FPU trips over an invalid bit pattern - but an invalid pointer?
Educate me, please - cite an instance!

Cryptographic weakness on Debian systems

Posted May 15, 2008 21:38 UTC (Thu) by Ross (guest, #4065) [Link] 

Not all memory spaces are flat, so some pointer values as stored in memory might not be
loadable into the registers that implement them.  (Due to segmentation, typed memory, etc.)

Obviously that doesn't apply to most of the systems in use today (with the exception of
function pointers).

Cryptographic weakness on Debian systems

Posted May 19, 2008 4:38 UTC (Mon) by donwaugaman (subscriber, #4214) [Link] 

On a segmented architecture, load an invalid descriptor into a segment register.  Boom!  Not
on all architectures, of course - I think the 386 family would be safe with this until you
tried to access the segment - but some machines would generate an exception on the load.

Cryptographic weakness on Debian systems

Posted May 15, 2008 2:28 UTC (Thu) by Ross (guest, #4065) [Link] 

I didn't mean that it wasn't properly allocated.

The program is reading data returned by malloc().

Not only can you not trust it to have any specific value (or to be "random"), but it invokes
undefined behavior just like reading an uninitialized local variable.  The only stuff which is
exempt from this is global data (static), or data guaranteed to be initialized by your
environment before your program starts.

> is in the latter category, but I'd really want to see chapter and verse quoted before I
believed that the same applies to
> { char m, x[40]; m = x[20]; }
> which is the situation we're looking at in OpenSSL.

I thought we were talking about malloc()ed memory...

char *x = malloc(20);
printf("%c\n", x[10]);  /* undefined behavior */

If it's a global struct or array, then it should contain all zero bytes -- not uninitialized
at all.

I don't have a copy of the standard, but check in the list of actions which invoke undefined
behavior, in the library section.  A draft I have contains:

"- The value of the object allocated by the malloc function is used"

-Ross

Cryptographic weakness on Debian systems

Posted May 14, 2008 10:46 UTC (Wed) by nix (subscriber, #2304) [Link] (2 responses) 

It's even worse than that. Because the Standard does not define the behaviour of a translator
running over code that invokes undefined behaviour, the program could legally remove all your
files *as soon as it started up*. The compiler itself could do it when compiling said code.

In practice, a compiler that did that, or that responded to code invoking undefined behaviour
by buffer-overrunning or imploding in flames, would be considered to have rather big QoI
problems: but it's not unheard of by any means. Remember the GCC `bailing out' message from
days of yore? That was emitted when the compiler *segfaulted*, but was prettied up somewhat in
the vague hope that people wouldn't complain about it. (These days the same problems yield an
'internal compiler error', which *is* considered a bug: but if it happens on invalid code, not
a very important bug.)

Cryptographic weakness on Debian systems

Posted May 14, 2008 14:28 UTC (Wed) by welinder (guest, #4699) [Link] (1 responses) 

> It's even worse than that. Because the Standard does not
> define the behaviour of a translator running over code that
> invokes undefined behaviour, the program could legally remove
> all your files *as soon as it started up*. The compiler itself
> could do it when compiling said code.

In this case, no.  That would require that the translator could
determine that undefined behaviour would happen.  That is not
possible in any, but the most trivial, of programs.  For example,
link with a malloc that always returns NULL -- boring, but ok
for the C standard -- and the problematic code will not be reached.

Cryptographic weakness on Debian systems

Posted May 14, 2008 19:38 UTC (Wed) by nix (subscriber, #2304) [Link] 

There's no requirement for the code incurring undefined behaviour to be 
executed. The Standard imposes requirements on *translators*, and the 
translator sees that code. However, compilation must succeed `unless [the 
translator] can determine that every possible execution of that program 
would result in undefined behavior' (or there's a syntax error or 
constraint violation, neither of which is true here), which could be read 
to imply that if the translator can determine that there are several 
possible ways to interpret some part of a program, some undefined and some 
not, the translator must assume that the not-undefined interpretation 
holds.

This sometimes has incredibly counterintuitive consequences, so as a QoI 
issue it is not always followed. (e.g. in this case I suspect it would be 
permitted for a compiler to spot that the problematic code is not executed 
if malloc() always returns NULL, and expand the appropriate malloc() calls 
inline to a constant NULL on the basis that returning anything else would 
incur undefined behaviour! In practice, this wouldn't get done.)

Cryptographic weakness on Debian systems

Posted May 13, 2008 20:30 UTC (Tue) by lambda (subscriber, #40735) [Link] (2 responses)

There were two lines that the Debian maintainer commented out; one that was pulling in some entropy from uninitialized buffers, and one that was the actual interface to seed the random number generator. It was perfectly reasonable to remove the line that was pulling in entropy from an uninitialized buffer; it was in the ssleay_rand_bytes function, which is supposed to use the provided buffer to output random bytes, and for some reason it happened to be using that uninitialized data to mix a little bit of extra entropy into the pool (you're not going to get very good entropy from that, but it's not particularly harmful, other than making tools like Valgrind complain).

But in the other case, in ssleay_rand_add, the buffer is an input buffer, and it is the very function used to seed the random number generator with actual entropy. Commenting that line out was completely and utterly wrong, and if someone was providing that function with an uninitialized buffer, it's the call site that should have been fixed, not that function. The amazing thing is that this passed whatever review processes Debian has in place, was sent to the openssl-dev mailing list, and still no one noticed. The openssl people are claiming that openssl- dev is the wrong place to send it, but even still, some of the people who replied on that thread have @openssl.org addresses, so it's a fairly reasonable assumption to make that the openssl developers did read that thread and had no problem with the patch.

Cryptographic weakness on Debian systems

Posted May 14, 2008 3:25 UTC (Wed) by drag (guest, #31333) [Link] (1 responses) 

That's pretty funny that the development mailing list ( *-dev == development in every other
mailing list in existance)  is the incorrect place to try to communicate with developers.

Were on OpenSSL's website do they give the correct place to try to talk to developers then?

Cryptographic weakness on Debian systems

Posted May 14, 2008 9:39 UTC (Wed) by branden (guest, #7029) [Link]

Were on OpenSSL's website do they give the correct place to try to talk to developers then?
They don't.

wow.

Posted May 13, 2008 20:56 UTC (Tue) by gvy (guest, #11981) [Link] 

$MAINTAINER should have known what $MAINTAINER was doing 8-(

Another time so glad for our security officer...

HOWTOs please!

Posted May 13, 2008 21:09 UTC (Tue) by endecotp (guest, #36428) [Link] (13 responses) 

Since the Debian page linked from the advisory is still empty, perhaps LWN readers can help
with advice about how to fix this.  Maybe a checklist?  Installing the new version of openssl
doesn't seem to do anything automatically.  How do I cause ssh host keys to be regenerated,
for example?

HOWTOs please!

Posted May 13, 2008 21:21 UTC (Tue) by droundy (guest, #4559) [Link] 

I believe you can just call:

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

and in each case say yes to overwrite the existing key, and leave the passphrase blank.  I may
be wrong though, in which case I hope someone will correct me...

HOWTOs please!

Posted May 13, 2008 22:00 UTC (Tue) by jch (guest, #51929) [Link] (11 responses) 

The following information is provided with no guarantee, not even of any kind.

I did the following:

  1. On every machine I have an account on (Debian or not), revoke my old personal keys:

     $ rm ~/.ssh/authorized_keys

  2. Update libssl on all my Debian machines:

     # apt-get update
     # apt-get install libssl0.9.8

  3. Generate new host keys for ssh:

     # rm /etc/ssh/ssh_host_*
     # dpkg-reconfigure openssh-server

  4. Regenerate my personal keys, as RSA this time:

     $ rm ~/.ssh/id_*
     $ ssh-keygen -t rsa

  5. Update my authorized_keys throughout the universe (don't forget sourceforge and any Git
or Darcs repository you can push to).

  6. Regenerate all my SSL certs (web servers, VPNs, IMAP servers, etc.).

Yes, it's a pain.

HOWTOs please!

Posted May 13, 2008 22:28 UTC (Tue) by man_ls (guest, #15091) [Link] (7 responses)

Great info, thanks!

Although I don't understand step 3: "Generate new host keys for ssh". I'm purging my system of DSA keys, and I find that by default my systems identify using RSA keys (as seen in ~/.ssh/known_hosts). This part should be safe then. Why regenerate all host keys? This will only create a new set of (still insecure) DSA keys, which as it seems are not used anyway.

Yes, this specific step 3 leads to a lot of work I'm too lazy to do: erasing all known_hosts files and recreating them. And this is on a small home LAN; on a big network I can imagine it must be a real pain.

HOWTOs please!

Posted May 13, 2008 22:40 UTC (Tue) by joey (guest, #328) [Link] 

The new host keys won't be insecure if you've upgraded openssl before generating them.

Tomorrow's version of openssh-server (in unstable) will automate the host key regeneration, as
well as blocking authentication using weak keys, which will remove some of the pain if you can
stand to wait 8 hours for it to reach the mirrors, and are running unstable. (I hope these
enhancements will later be pushed into stable?)

This document has fairly complete instructions BTW, until the official www.debian.org page
goes up: http://wiki.debian.org/SSLkeys

HOWTOs please!

Posted May 13, 2008 22:46 UTC (Tue) by dskoll (subscriber, #1630) [Link]

If you do not regenerate your host keys, an attacker could pose as your host, leading to a man-in-the-middle attack.

Obviously, you need to regenerate the host keys after upgrading OpenSSL!

HOWTOs please!

Posted May 14, 2008 0:49 UTC (Wed) by nix (subscriber, #2304) [Link] (4 responses) 

What's wrong with DSA keys anyway?

HOWTOs please!

Posted May 14, 2008 1:34 UTC (Wed) by bboissin (subscriber, #29506) [Link] (3 responses) 

> What's wrong with DSA keys anyway?
Even if they aren't weak, they are compromised if they were used (the ssh client) in a
affected system (debian, ubuntu). According to the DSA this is due to the fact that "Digital
Signature Algorithm relies on a secret random value used during signature generation".

HOWTOs please!

Posted May 14, 2008 11:12 UTC (Wed) by nix (subscriber, #2304) [Link] (1 responses) 

Well, yes, but that's true of just about any encryption system's keys. The whole point of them
is that they're meant to be unpredictable (hence random). If the randomness is bad, so is the
key, always.

HOWTOs please!

Posted May 14, 2008 13:40 UTC (Wed) by tialaramex (subscriber, #21167) [Link] 

Presumably (please, someone who remembers how this actually works chime in!)

Suppose you create two signing keys, R (using RSA) and D (using DSA) on your nice RHEL 4
machine

It seems like Debian's security people are saying that if you copied these good keys to a
Debian system, and then used them to sign documents, the R key is still fine but the D key is
compromised by the signing process, due to it having poor entropy. That is, a sophisticated
attacker (or a script kiddie with software developed by someone else) could use your old
signatures generated on Debian systems to figure out your DSA private key.

It's certainly true that DSA's signature method explicitly requires unique cryptographically
secure random numbers for each message to be signed. But I don't know whether these numbers
protect the DSA private key, or just the signature itself. If the former, then Debian's
advisory is correct. If we don't know, then we must act as if it is correct and invalidate the
affected keys.

Although DSA and RSA often appear interchangeable to us as end users, they are quite different
in terms of their mathematical properties, so it could easily be true that this problem
affects only DSA.

Re: DSA vs RSA

Posted May 15, 2008 10:21 UTC (Thu) by ldo (guest, #40946) [Link]

As I remember, DSA was invented back when the US government was trying to restrict the use of strong cryptography. The key thing about it was that it was supposedly usable only for digital signatures, not for encryption. This was later proven to be false.

And yet people still use DSA today. So why bother any more? Why not just stick with RSA for both encryption and signing? Isn't this compromise a reason to stop using DSA altogether?

HOWTOs please!

Posted May 14, 2008 10:24 UTC (Wed) by furball4 (guest, #52069) [Link] (2 responses) 

I updated openssl as soon as it was available and then ran ssh-keygen to replace
/root/.ssh/id_rsa and /root/.ssh/id_rsa.pub. But that was before an ssh update was available.
Was key creation fixed at this point, or are my new keys still potentially vulnerable? They
are not flagged by the now-available ssh-vulnkey, but that won't necessarily catch everything.
I also regenerated some SSL certificates, but since that is actually using the openssl
command-line interface it would obviously have been fixed by that point.

In any event, I need to figure out if I have to back and redo personal keys again.

Additionally, the new ssh packages don't give me an option to regenerate host keys, as the
email seemed allude to. I had to do that by hand.

HOWTOs please!

Posted May 14, 2008 10:41 UTC (Wed) by endecotp (guest, #36428) [Link] (1 responses) 

I think you're OK.  The new ssh packages primarily include stuff to check for (and reject?)
vulnerable keys.  The old ssh code itself did not have any problems.

HOWTOs please!

Posted May 14, 2008 16:09 UTC (Wed) by furball4 (guest, #52069) [Link] 

Thanks. I also noticed that the new package did regenerate host keys when the existing ones
ran afoul of the vulnerable key checker. I would have preferred if it had an option to
regenerate them anyway, but oh well, it's easy enough to do by hand.

Cryptographic weakness on Debian systems

Posted May 14, 2008 1:55 UTC (Wed) by KaiRo (subscriber, #1987) [Link] (1 responses) 

Can we be absolutely sure that no other distributor than Debian (which already covers a big
segment together with derivates) did include the patch, given that Debian posted it publicly
two years ago?

Cryptographic weakness on Debian systems

Posted May 14, 2008 2:05 UTC (Wed) by cjwatson (subscriber, #7322) [Link] 

It would certainly be wise for other distributors to check.

Cryptographic weakness on Debian systems

Posted May 14, 2008 9:21 UTC (Wed) by alankila (guest, #47141) [Link] (5 responses) 

Can someone explain why various software seems to be reinventing /dev/random?

Cryptographic weakness on Debian systems

Posted May 14, 2008 11:00 UTC (Wed) by marble (guest, #2719) [Link] 

Because there are two sorts of random numbers that you may need from a system. General random
numbers, which don't need to be truly random, but are fine for various applications such as
statistical modeling, games, etc, and cryptographically random numbers, which really truly
need to be as random as possible. You need entropy to generate the latter, and the more
numbers you generate, the more clues there are to work out what inputs the algorithm had, so
you don't want to just use the latter for everything.

Cryptographic weakness on Debian systems

Posted May 14, 2008 11:01 UTC (Wed) by IkeTo (subscriber, #2122) [Link] 

Because not all software are only run on systems with /dev/random, and /dev/random doesn't
provide all the needed flexibility that some applications (especially those directly dealing
with security) require (e.g., knowing how much entropy it reflects).

Cryptographic weakness on Debian systems

Posted May 14, 2008 11:03 UTC (Wed) by tialaramex (subscriber, #21167) [Link] (1 responses) 

This software does use /dev/random (if configured to do so).

But although it might be tempting to get random numbers by just opening /dev/random and
reading bytes out of it, and although this would, indeed, actually work, it is not the
recommended way to go about things because it depletes a very limited resource, and it's also
not at all portable...

So, OpenSSL and similar software always includes its own entropy pool handling, so that it can
use /dev/random just as a seed (treating the system entropy source as the limited supply that
it is) and also so that it can integrate other entropy sources without having to sprinkle
conditionals for each platform throughout the code.

Perhaps there's a case to be made for "simpler is best" and everything just tapping into
/dev/urandom for its source of random numbers. But there's a price to pay for that, which not
everyone is comfortable with.

Cryptographic weakness on Debian systems

Posted May 14, 2008 21:19 UTC (Wed) by alankila (guest, #47141) [Link] 

What exactly is the price you allude to? Predictability of the random numbers? Some kind of
timing-related attack, because packet arrival times may affect the entropy pool input? A
kernel exploit that allows simultaneous compromise of all applications using the /dev/u?random
file?

Cryptographic weakness on Debian systems

Posted May 14, 2008 11:13 UTC (Wed) by nix (subscriber, #2304) [Link] 

For portability. Lots of OSes don't have it. Lots of other OSes have slightly or seriously
broken /dev/randoms, or /dev/random readable only by root, or something like that.

(Most modern OSes have /dev/random these days, but this certainly was not always the case.)

Not detected by testing

Posted May 14, 2008 11:27 UTC (Wed) by endecotp (guest, #36428) [Link] (2 responses) 

Does openssl have a test suite?  Does it generate a large number of keys and look for
duplicates?

It's easy to suggest this with the benefit of hindsight, and difficult to know whether it
would have been obvious in advance.  But I do know that when I have used hash functions (in
non-security applications) I have sometimes studied whether they are generating sufficiently
well distributed results.

Not detected by testing

Posted May 15, 2008 0:32 UTC (Thu) by erich (guest, #7127) [Link] (1 responses) 

Note that we're talking about the seeding here. The seeding was pretty much done only by the
PID. If you had done a test suite, it would have been very unlikely you had detected a
dependency on the PID except by doing like 32k runs until the same PID is used again.
Even if you had been testing the RNG separately from all other stuff that would seem pretty
much overkill to do some 32k runs of the test app and compare the results for duplicates or
similarities.

Not detected by testing

Posted May 15, 2008 13:19 UTC (Thu) by kevinbsmith (guest, #4778) [Link] 

How about a test that generates two keys in a row, within the same process, and makes sure
they are not identical to each other. If salt is involved, take that into account rather than
doing a bitwise comparison.

That seems like a pretty reasonable test at the library level, to ensure the key really is a
key and not a buffer full of zeros.


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds