Written by: George Ou 5/15/2008 7:00 AM
One day after the Debian Linux project announced a massive flaw where its implementation of the OpenSSL key generators only used 15 bits of entropy (32,768 combinations), HD Moore (creator of Metasploit) released a tool to exploit it. Nate McFeters has a good write-up here on this matter.
Because this bug involves very obscure cryptographic concepts and the severity and scope of the flaw weren't easily understood, it didn't really get a whole lot of media coverage. Now that the flaw can be exploited in Metasploit, the issue should get some attention.
The flaw stems from the fact that the PRNG (Pseudo Random Number Generator) was crippled, leaving it with only 32,768 combinations to test. That means all RSA and DSA cryptographic keys generated by Debian and Ubuntu Linux distributions are effectively worthless.
The impact of this exploit is massive, and it can easily affect non-Linux systems like Windows or Mac if those computers have a Root Certificate generated from a Debian/Ubuntu computer. Any asymmetric crypto keys generated between September 2006 and 5/13/2008 on Debian or Ubuntu Linux distributions are affected. Every affected key needs to be revoked and regenerated. System administrators and security professionals everywhere should start auditing their computers for this very serious weakness as soon as possible.
Update 4:32 PM
c0uchw4rrior in comments below asked: "You mention Root Certs in the last paragraph. Does that include SSL web certs from Verisign/GoDaddy, etc?" This is a great question that I feel needs to be addressed in the body of the blog. It's important to understand that Verisign and GoDaddy never create your certificates; they merely sign the public key you generated. Your computer generated the public/private key-pair, and this is what is at risk if you used a Debian/Ubuntu machine to generate the keys in the last 17 months. So if you paid $1000 to Verisign last month for them to sign a few certificates, you're out of luck! You have to recreate the certificates and buy the signature from them again!
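A weak-key checker of the kind the audit advice above calls for, as an added example that is not part of the original post or of any Debian or Ubuntu tool: it looks a key's RSA modulus up in a per-key-size fingerprint blacklist, using the hashing convention I believe openssl-vulnkey used (SHA-1 over the `Modulus=` line, last 20 hex digits; treat that as an assumption), and reports keys of sizes that no list covers as "not covered" rather than as safe. The blacklist entries and moduli are constructed sample data, not real keys.

```python
import hashlib
import re

def modulus_bits(modulus_hex):
    """Bit length of an RSA modulus given as the hex string that
    `openssl rsa -noout -modulus` prints after 'Modulus='."""
    return int(modulus_hex, 16).bit_length()

def weak_key_fingerprint(modulus_hex):
    """Blacklist lookup key: the last 20 hex digits of SHA-1 over the text
    line 'Modulus=<UPPERCASE HEX>' plus a newline. Assumed to match the
    convention of Debian's openssl-vulnkey; treat it as an assumption."""
    line = "Modulus=%s\n" % modulus_hex.upper()
    return hashlib.sha1(line.encode("ascii")).hexdigest()[-20:]

def parse_modulus_output(text):
    """Extract the hex modulus from `openssl rsa -noout -modulus` output."""
    m = re.search(r"Modulus=([0-9A-Fa-f]+)", text)
    if m is None:
        raise ValueError("no Modulus= line found")
    return m.group(1)

def check_modulus(modulus_hex, blacklists):
    """Return 'weak', 'not_listed' or 'not_covered'. 'not_covered' means no
    blacklist exists for this key size, so it says nothing about the key
    and must not be read as 'safe'."""
    bits = modulus_bits(modulus_hex)
    if bits not in blacklists:
        return "not_covered"
    fp = weak_key_fingerprint(modulus_hex)
    return "weak" if fp in blacklists[bits] else "not_listed"

def audit(outputs, blacklists):
    """Map each (label, openssl output) pair to a verdict."""
    return {label: check_modulus(parse_modulus_output(out), blacklists)
            for label, out in outputs}

# Constructed sample data: not real keys, only hex strings of the right length.
WEAK_1024 = "F0" * 128   # 1024-bit modulus we pretend the blacklist lists
OTHER_1024 = "A5" * 128  # 1024-bit modulus that is not listed
ODD_1032 = "C" * 258     # 1032-bit modulus: no blacklist covers this size
SAMPLE_BLACKLIST = {1024: {weak_key_fingerprint(WEAK_1024)}, 2048: set()}
SAMPLE_OUTPUTS = [("www-key", "Modulus=" + WEAK_1024),
                  ("mail-key", "Modulus=" + OTHER_1024.lower()),
                  ("vpn-key", "Modulus=" + ODD_1032)]

if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_OUTPUTS, SAMPLE_BLACKLIST).items():
        print(label, verdict)
```

To run it against real material, feed it the output of `openssl rsa -in key.pem -noout -modulus` and a real per-size blacklist; a "not_listed" verdict only means the key is absent from the list you supplied.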
8 comments so far...
Re: All 2006-2008 Debian & Ubuntu crypto keys worthless
This is bloody frightening, that's all I have to say.
J.Ja
Re: All 2006-2008 Debian & Ubuntu crypto keys worthless
George, you mention Root Certs in the last paragraph. Does that include SSL web certs from Verisign/GoDaddy, etc?
Re: All 2006-2008 Debian & Ubuntu crypto keys worthless
mysterious1der, you can download the blacklist of SSL cert fingerprints and check the major trusted root CAs against it yourself...
If you paid $1000 to Verisign last month for them to sign a few certificates, you're out of luck!
"You mention Root Certs in the last paragraph. Does that include SSL web certs from Verisign/GoDaddy, etc?" Verisign and GoDaddy don't create your certs; they sign them for you. It's the public/private key-pair you generated that's at risk if you used a Debian/Ubuntu machine to generate the keys in the last 17 months. So if you paid $1000 to Verisign last month for them to sign a few certificates, you're out of luck! Time to re-generate and buy again!
Re: All 2006-2008 Debian & Ubuntu crypto keys worthless
Big certificate authorities do have their own certificates of course, which you check to validate their signatures on other certs. Engineers at the German company Cynops tested public keys at all the major certificate authorities and found none affected.
The root certs at the public CAs aren't affected, but if you bought a cert from them with your own generated keys
Thanks for that link, Larry. The root certs at the public CAs aren't affected, but if you bought a cert from them with your own generated public/private keys using a vulnerable implementation with a crippled random number generator, then you have to regenerate the keys and re-purchase your certificates. People get confused with a Verisign Root Certificate (the private keys that they supposedly guard with their lives) and the Verisign Certificate that they buy.
Re: All 2006-2008 Debian & Ubuntu crypto keys worthless
One of the great affirmations of my decades-old policy to "Use the vanilla version." Many distributions these days (if not all) ship with their own patches and modifications to core software. The problem, especially when you're dealing with what is of necessity highly convoluted, complex, and esoteric code, is that very few programmers are going to actually understand it fully. This opens the can of worms we're seeing affected here. While there are some good points to making the argument "But if I use $VENDOR's applications and distribution, they've already been run through a QA and interop test phase", the end result is this: you're relying on somebody else jumping in the middle, making a modification, and doing it correctly. And I'm sorry, but it always has and still does open the door to this kind of incredibly damaging mistake. For an example with regards to using things other people set up: how many web servers are even configured to *support* nifty things like ephemeral Diffie-Hellman key exchanges?
It looks like it won't be easy to find all the affected certificates via auditing
http://www.theregister.co.uk/2008/05/21/massive_debian_openssl_hangover/page2.html
“Tools available from Ubuntu and Metasploit author HD Moore are designed to aid in the process of detecting weak keys, but Appelbaum, the independent researcher, says certain conditions will prevent even diligent searches from finding everything. For example, keys with nonstandard sizes may not be flagged even though they're vulnerable. "What that means is you have tools that may cover large swaths of the key space, but they won't cover all of the key space," he says.”