On Thu, Jul 26, 2001 at 10:44:54AM -0500, David Gadbois wrote:
> The changelog for OpenSSL 0.9.6-9 indicates that there were updates to
> the random number generator. Should I replace static host keys
> generated with ssh-keygen? Or does the change only impact session keys?

The bug allows an attacker, through a particular pattern of usage, to
determine the internal state of the PRNG. With that information, it's
possible to reliably predict which data it will generate later.

I don't think you can do that if you generated the key with ssh-keygen,
since the process that generated it, and the PRNG instance it was using,
are both long gone.

But then, I'm not an expert, but the OpenSSL group's advisory says this:

    It is unlikely for applications to request PRNG bytes in a pattern
    allowing for the attack against the OpenSSL PRNG. Typically,
    applications will request PRNG bytes in larger chunks.
    No applications is known to us which is actually vulnerable.

Cheers,

Nalin