>> There is a key misunderstanding here. Having a broken random number
>> generator is the worst case scenario. But having a number generator with
>> a minor flaw, will not affect RSA keys, while it will break DSA keys.
>
> But with forward secrecy new keys are generated for each session in
> which case even RSA keys could be cracked faster than brute force even
> if the long term key wasn't cracked and was generated on a machine with
> a proper generator.
A single key for a single session, maybe (although as I understand it RSA is not as easily affected in this case either). But while with RSA only a session key will be compromised, with (EC)DSA, the long-term DSA key for authentication will be cracked as well.

I don't know the chances; they will be lower, but let's say one in a thousand operations uses weak randomness. That would only affect 0.1% of all users of the server with RSA. Assuming your server has a thousand connections per hour, after that time everyone will be compromised when DSA is used.

But let's assume there are mitigations that reduce the chance of this happening to a minimum, making it unlikely to ever occur in 100 years. It will still be an unnecessary risk. No idea how low the chances really are.

_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
