Hi! On Sat, May 17, 2008 at 04:18:07PM +0200, ropers wrote: >2008/5/17 Curt Micol <[EMAIL PROTECTED]>: >> http://leaf.dragonflybsd.org/mailarchive/kernel/2008-05/msg00038.html
>> Here is some more information including a list of keys: >> http://metasploit.com/users/hdm/tools/debian-openssl/ >> Thought I'd share. It's possible I am wrong and this isn't a good >> idea, but I can't think of any reason why it isn't. >I can actually think of an entirely theoretical reason why the >exclusion of the affected keys could conceivably, hypothetically be >considered to be disadvantageous: It reduces the key space; i.e. >future attackers of systems that have blacklisted these keys might >know that they have a few less combinations to try. It excludes 32k or 64k possibilities out of *how many*? Frankly, how many 512 or even more bit primes numbers are there? (You generate two roughly 512 bit primes for a 1024 bit RSA key, that's the main grounds for the key space of 1024 RSA keys.) See http://en.wikipedia.org/wiki/Prime_number#Counting_the_number_of_prime_numbers_below_a_given_number for a basic reference on that question: The *rough* estimate is, the number of prime numbers below n is roughly n/ln n. So the number of 512 bit prime numbers is roughly (2^512 / ln 2^512) - (2^511 / ln 2^511). The base 2 logarithm of that, according to bc, is about 502. So we have about 502 bits of entropy to spend on *one* of the primes. If we exclude 2^16 of them, so what? Even if we excluded 2^501 of them, we'd still have 501 bits of entropy left. >[...] Kind regards, Hannah.
