On 11/14/2016 03:33 PM, [email protected] wrote:

There is a key misunderstanding here. Having a broken random number
generator is the worst case scenario. But having a number generator with
a minor flaw will not affect RSA keys, while it will break DSA keys.

But with forward secrecy new keys are generated for each session, in
which case even RSA keys could be cracked faster than brute force even
if the long-term key wasn't cracked and was generated on a machine with
a proper generator.

A single key for a single session, maybe (although as I understand it
RSA is not as easily affected in this case either).
But while with RSA only a session key will be compromised, with (EC)DSA
the long-term DSA key for authentication will be cracked as well.

I don't know the chances; they will be lower, but let's say one in a
thousand operations uses weak randomness.
That would only affect 0.1% of all users of the server with RSA.

Assuming your server has a thousand connections per hour, after that
time everyone will be compromised when DSA is used.


But let's assume there are mitigations that reduce the chance of this
happening to a minimum, making it unlikely to ever occur in 100 years.
It will still be an unnecessary risk.
No idea how low the chances really are.

My understanding is that the risk with ECDSA can be mitigated by using a deterministic k, and there is an RFC on it.

https://tools.ietf.org/html/rfc6979

_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
