Thank you Victor for your succinct clarification and to David and Michael for their responses.
To tie this off - is it fair to say that the impact of say 2048bit RSA SSL(etc) using a private key in the affected range is a valid consideration/concern, however in combination with the likelihood stated, the overall risk of generating such a key on an unaffected system is (extremely?) small for the security that a 2048bit RSA private key is intended for? Chuckle - so I'm basically worried about getting struck by lightening with this concern, whilst at the same time I'm playing with matches and kerosene... Thanks again, Deane -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni Sent: Thursday, May 29, 2008 3:37 AM To: openssl-users@openssl.org Subject: Re: Wider fallout from Debian issue? On Wed, May 28, 2008 at 08:09:16AM -0700, Michael Sierchio wrote: > David Schwartz wrote: > > > ... Suppose I include a randomish > >string in my message "46e8bd8ceae57f8b7af66536e7859bad". Any attacker > >might see this message -- it's public. So he can certainly try that > >string as your password. So will you now run off and add it to a > >blacklist, since it's clearly now a weak password? > > I suppose the distinction between "known" and "weak" is too fine a > semantic point for you? If there exists a known subset of keys large enough for random keys to have appreciable probability of being a member of that set, the keyspace is too small. The RSA keyspace is not "small" in this sense, in fact because it succumbs to *analytic* attacks long before exhaustive key-space search brute-force attacks, the odds of a random RSA key being in a small set of keys are rediculously low. The OP's concern is unwarranted. -- Viktor. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
