On Wed, May 28, 2008 at 6:47 PM, Deane Sloan <[EMAIL PROTECTED]> wrote:
> To tie this off - is it fair to say that the impact of say 2048bit RSA
> SSL(etc) using a private key in the affected range is a valid
> consideration/concern, however in combination with the likelihood
> stated, the overall risk of generating such a key on an unaffected
> system is (extremely?) small for the security that a 2048bit RSA private
> key is intended for?
>
> Chuckle - so I'm basically worried about getting struck by lightning
> with this concern, whilst at the same time I'm playing with matches and
> kerosene...
I'd say: extremely small. Despite all the collected entropy on a good box, it has to produce the _exact_ same state as such a Debian box. This is _very_ highly unlikely. So play on, just watch the weather and most importantly: your matches. ;-)

I use a simple rule for my own dealings regarding this, given my security paranoia mixed with a sufficiently painful lack of cryptography-oriented math to be sure of anything more than this:

Anything (such as passwords) which has been used on an *actual* 'compromised box' (be it one of 'those Debian' releases or otherwise) to _generate_ keys, plus any keys _produced_ on such a compromised box, must be eradicated and are not allowed entry. Anything derived from them will be lost or must be re-encrypted/re-created on a 'good system'.

Given the behaviour of a proper OpenSSL installation (which collects sufficient entropy before generating anything that's cryptographically sensitive), anything coming from somewhere else is a-okay.

Assuming I'm 'safe' using the rule described above (and over the years I've used it, it seems to do), it comes down to this:

- if you can prove (e.g. by creating them yourself) that the private keys you are using do not originate from a compromised [Debian?] system, you can do anything and will be fine.
  (this is another way of saying: no need to check any keys generated by yourself on non-compromised systems; keys are independent, so they may /look/ like the others but they are not, thanks to the different entropy/random state that led to these keys.)

- if you use passwords to protect keys, etc. and have not used them on a compromised system, again, you are fine.
  (and if you used a password on a compromised system: if you did not send anything derived from those through key generation + communications or otherwise on such a box, and destroyed the box (e.g. by replacing the compromised software) before anything could get out, you're still fine. An 'invisible mistake' is a mistake never made.)
Hope this helps. Please correct me if I made mistakes.

--
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--------------------------------------------------
web:    http://www.hobbelt.com/
        http://www.hebbut.net/
mail:   [EMAIL PROTECTED]
mobile: +31-6-11 120 978
--------------------------------------------------
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
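The rule above covers keys whose origin you can prove; for a key of unknown origin the practical check is to compare it against a weak-key blacklist rather than to reason about its entropy. The following is an added example, not code from this thread, from Ger Hobbelt, or from the OpenSSL project. It assumes (my understanding of the openssl-blacklist convention, not stated anywhere on this page, so verify against the installed `openssl-vulnkey` before relying on it) that a blacklist entry is the last 20 hex digits of the SHA-1 over the text line `Modulus=<UPPERCASE HEX>` plus newline, i.e. the output of `openssl rsa -noout -modulus`. The two sample moduli and the one-entry blacklist are constructed here for illustration; they are not real keys and not real Debian weak keys. Only the standard library is used, with a minimal DER reader for the two PEM public-key forms.

```python
"""Check an RSA public key against a Debian-style weak-key blacklist.

Added example (not from the mailing-list thread). Assumptions:
  * blacklist entry = last 20 hex digits of SHA-1("Modulus=<HEX>\n"),
    as I understand openssl-blacklist to do it; verify locally;
  * input is PEM "RSA PUBLIC KEY" (PKCS#1) or "PUBLIC KEY" (SPKI).
The sample moduli below are constructed filler, not real keys.
"""
import base64
import hashlib
import re

# --- minimal DER helpers (enough for RSA public keys) -----------------------

def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der_children(body):
    """Yield (tag, value) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = _der_read(body, pos)
        yield tag, val


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                          # keep the INTEGER non-negative
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def _der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body


def _pem(label, der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# rsaEncryption OID 1.2.840.113549.1.1.1 followed by NULL parameters
_RSA_ALGID = _der_seq(bytes.fromhex("06092A864886F70D010101") + b"\x05\x00")


def pkcs1_pem(n, e=65537):
    """PEM 'RSA PUBLIC KEY' for a given modulus/exponent (used to build samples)."""
    return _pem("RSA PUBLIC KEY", _der_seq(_der_int(n), _der_int(e)))


def spki_pem(n, e=65537):
    """PEM 'PUBLIC KEY' (SubjectPublicKeyInfo) wrapping the same RSAPublicKey."""
    rsa = _der_seq(_der_int(n), _der_int(e))
    bitstr = b"\x03" + _der_len(len(rsa) + 1) + b"\x00" + rsa   # 0 unused bits
    return _pem("PUBLIC KEY", _der_seq(_RSA_ALGID, bitstr))


# --- the check itself --------------------------------------------------------

def rsa_modulus_from_pem(pem):
    """Return the modulus n of a PEM RSA public key in PKCS#1 or SPKI form."""
    m = re.search(r"-----BEGIN (RSA )?PUBLIC KEY-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("not a PEM public key")
    der = base64.b64decode("".join(m.group(2).split()))
    tag, body, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    items = list(_der_children(body))
    if items[0][0] == 0x30:                  # SPKI: SEQUENCE { AlgorithmIdentifier, BIT STRING }
        tag_bs, bitstr = items[1]
        if tag_bs != 0x03 or bitstr[0] != 0:
            raise ValueError("malformed SubjectPublicKeyInfo")
        _, body, _ = _der_read(bitstr[1:], 0)  # RSAPublicKey inside the BIT STRING
        items = list(_der_children(body))
    tag_n, n_bytes = items[0]
    if tag_n != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big")


def blacklist_fingerprint(n):
    """Assumed openssl-blacklist entry: last 20 hex digits of SHA-1 over the
    'Modulus=<HEX>\\n' line that `openssl rsa -noout -modulus` prints."""
    line = "Modulus=%X\n" % n
    return hashlib.sha1(line.encode("ascii")).hexdigest()[-20:]


def is_blacklisted(pem, blacklist):
    """True if the key's fingerprint appears in the blacklist set."""
    return blacklist_fingerprint(rsa_modulus_from_pem(pem)) in blacklist


# Constructed sample moduli (2048-bit odd numbers, NOT real or weak RSA keys).
SAMPLE_WEAK_N = int.from_bytes(hashlib.sha256(b"constructed weak sample").digest() * 8, "big") | 1
SAMPLE_GOOD_N = int.from_bytes(hashlib.sha256(b"constructed good sample").digest() * 8, "big") | 1
# A one-entry blacklist built from the "weak" sample, standing in for the real file.
SAMPLE_BLACKLIST = {blacklist_fingerprint(SAMPLE_WEAK_N)}

if __name__ == "__main__":
    for label, pem in (("weak", pkcs1_pem(SAMPLE_WEAK_N)), ("good", spki_pem(SAMPLE_GOOD_N))):
        print(label, "blacklisted" if is_blacklisted(pem, SAMPLE_BLACKLIST) else "not listed")
```

The check only tells you whether a key is in the enumerated weak set; a key that is not listed is not thereby proven to come from a well-seeded generator, which is why the "prove its origin" rule in the post is the stronger one.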