On Feb 20, 2012, at 8:38 AM, Jakob Bohm wrote:

> On 2/17/2012 10:16 PM, Wim Lewis wrote:
>> Even aside from TPM or other HSMs, hardware random number generators have
>> been a common feature of PC motherboard chipsets for a decade or so. I
>> assume, perhaps optimistically, that the /dev/?random devices that modern
>> OSs provide make use of these RNGs as well as other system entropy sources
>> (interrupt timing and so on).
>
> Unfortunately not! [....]
How disappointing. :( Good to know, though.

> Some [low-entropy keys] could also be from the Debian/Ubuntu bug I mentioned
> in an earlier post.

The paper mentions that they found some keys that were on the Debian/Ubuntu blacklist, but it sounds like these do not account for the weak keys they found:

"21419 X.509 certificates and PGP keys are affected [factorable due to shared factors]. Note that affected moduli are much more frequently shared than non-affected ones. None of the affected moduli are blacklisted."

(With more data, that number went up to 26965.)

Their other numbers: 30099 n-values were found on the Debian/Ubuntu blacklist, but only 2 immediately factorable; 71024 n-values are shared by more than one certificate, but many of those instances are intentional/benign.

Nadia Heninger has a post on Freedom-to-Tinker ( https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs ). She's not one of the authors of the Lenstra paper but is part of a different group that was doing similar research and finding similar results. From that post:

> this problem mainly affects various kinds of embedded devices such as routers
> and VPN devices, not full-blown web servers. [....]
>
> So which systems are vulnerable? Almost all of the vulnerable keys were
> generated by and are used to secure embedded hardware devices such as routers
> and firewalls, not to secure popular web sites such as your bank or email
> provider. Only one of the factorable SSL keys was signed by a trusted
> certificate authority and it has already expired. [....]
>
> Embedded devices are well known to have entropy problems. However, until now
> it wasn't apparent how widespread these problems were in real,
> Internet-connected devices.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
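The two failure classes discussed in the message above (moduli that share a prime factor and are therefore factorable, versus certificates that merely reuse the same n-value) can be told apart by a pairwise-GCD audit of a key inventory. This is an added example, not code from the thread or from either research group; the primes, key names and inventory are constructed toy values, far smaller than real RSA keys, so it runs instantly.

```python
import math
from itertools import combinations

# Constructed toy primes (real RSA primes are ~1024 bits; these keep the demo fast).
P1, P2, P3, P4, P5 = 1000003, 1000033, 1000037, 1000039, 1000081

# Constructed inventory of RSA moduli (n = p*q), as a scanner would collect from certificates:
#   key_A and key_B share the prime P1  -> both factorable (the "mind your Ps and Qs" case)
#   key_C is independent                -> nothing to report
#   key_D reuses key_A's modulus        -> a shared n-value, reported separately from factoring
MODULI = {
    "key_A": P1 * P2,
    "key_B": P1 * P3,
    "key_C": P4 * P5,
    "key_D": P1 * P2,
}


def audit_moduli(moduli):
    """Pairwise GCD over an inventory of RSA moduli.

    Returns (factored, duplicates):
      factored   -> {name: (p, q)} for every modulus that shares a prime with a
                    *different* modulus; the GCD is one prime, division gives the other.
      duplicates -> set of frozensets of key names whose moduli are byte-identical
                    (the same key reused, which GCD alone cannot factor).
    O(n^2) pairs is fine for an inventory of a few thousand certificates.
    """
    factored, duplicates = {}, set()
    for (name_a, n_a), (name_b, n_b) in combinations(moduli.items(), 2):
        if n_a == n_b:
            duplicates.add(frozenset((name_a, name_b)))
            continue
        g = math.gcd(n_a, n_b)
        if g > 1:  # a common prime between two distinct moduli reveals both private keys
            factored[name_a] = (g, n_a // g)
            factored[name_b] = (g, n_b // g)
    return factored, duplicates


if __name__ == "__main__":
    factored, duplicates = audit_moduli(MODULI)
    for name, (p, q) in sorted(factored.items()):
        print(f"{name}: factorable, n = {p} * {q}")
    for pair in duplicates:
        print("identical modulus:", ", ".join(sorted(pair)))
```

On a real inventory, read each certificate's modulus with `openssl x509 -noout -modulus` and feed the integers to `audit_moduli`; for very large sets a batch-GCD product tree replaces the pairwise loop.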