On Thu, May 15, 2008 at 5:27 AM, Daniel de Kok <me@danieldk.org> wrote:
> Yikes, rereading this, this does not seem accurate at all. Let me just quote the advisory:
> "Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation."
That made perfect sense to me: If all the compromised systems used the same (unrandomized) seed for the values of k, it would not be too difficult for the determined cracker to break keys given enough CPU power and an algorithm that could generate the exact same series of k values (i.e., use the same "random" number generator, all of which are NOT random if you know the seed). All they need is one of the two algorithms in Steinar's note, and goodbye security!
In theory, this same approach could be used to break any SSL keys, but "guessing" the appropriate k value is roughly 2^128 times more difficult (which is the whole point).
mhr
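To make concrete what the quoted advisory and the reply above are describing, here is an added example (my own illustration, not code from either poster, from the advisory, or from Debian/OpenSSL). It implements textbook DSA over deliberately tiny, deterministically derived parameters (a 40-bit q, unsafe for real use; the parameter search, the `hash_to_int` reduction mod q, and all key and message values are constructed for the demo). `predictable_k` is a stand-in for a "random" generator whose entire state is a small fixed seed, as the thread describes, and is not the affected Debian code; `derived_k` is a simplified RFC 6979-style HMAC derivation, not the full RFC algorithm. The point it shows is that a repeated k is visible in the signatures themselves (identical r under the same key), which is what `find_reused_nonces` checks for, and why the advisory treats such keys as compromised. Requires Python 3.8+ for `pow(k, -1, q)`.

```python
# Added example (not from the thread or from Debian/OpenSSL): toy DSA showing
# that a predictable nonce k leaks into the signatures, plus a defender-side check.
# Parameters are deliberately tiny (40-bit q) so the search is instant; NOT for real use.
import hashlib
import hmac
from collections import defaultdict

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        v = pow(a, d, n)
        if v in (1, n - 1):
            continue
        for _ in range(s - 1):
            v = pow(v, 2, n)
            if v == n - 1:
                break
        else:
            return False
    return True

def gen_params(qbits=40):
    """Deterministically derive toy DSA parameters (p, q, g) with q | p-1 and g of order q."""
    q = (1 << qbits) | 1
    while not is_probable_prime(q):
        q += 2
    m = 2
    while not is_probable_prime(q * m + 1):
        m += 2
    p = q * m + 1
    h, g = 2, 1
    while g == 1:
        g = pow(h, (p - 1) // q, p)
        h += 1
    return p, q, g

def hash_to_int(msg, q):
    # Toy truncation: SHA-256 reduced mod q (real DSA takes the leftmost bits of the hash).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def dsa_sign(params, x, msg, k):
    """Standard DSA equations; the caller supplies the per-signature secret nonce k."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_to_int(msg, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another k")
    return r, s

def dsa_verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_to_int(msg, q) * w % q, r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r

def predictable_k(q, seed):
    """Stand-in for a 'random' generator whose whole state is a small seed (a model of the
    unrandomized seed discussed in the thread, not Debian's code): the same seed gives the same k."""
    return int.from_bytes(hashlib.sha256(seed.to_bytes(2, "big")).digest(), "big") % q or 1

def derived_k(q, x, msg):
    """Mitigation: derive k from the private key and the message hash (simplified
    RFC 6979-style HMAC derivation, not the full RFC), so k depends on a real secret
    and changes with every message."""
    mac = hmac.new(x.to_bytes(32, "big"), hashlib.sha256(msg).digest(), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % q or 1

def find_reused_nonces(signatures):
    """Defender's check over (key_id, r, s) records: the same r under the same key means
    the same k was used twice, which is exactly the condition that exposes the private key."""
    seen, flagged = defaultdict(set), defaultdict(set)
    for key_id, r, _ in signatures:
        if r in seen[key_id]:
            flagged[key_id].add(r)
        seen[key_id].add(r)
    return {k: sorted(v) for k, v in flagged.items()}

def demo():
    params = gen_params()
    p, q, g = params
    x = 0xC0FFEE % q                      # constructed toy private key
    y = pow(g, x, p)
    msgs = [b"commit 1", b"commit 2"]     # constructed messages
    # Broken generator: seed stuck at 4242 for every signature -> identical r each time.
    bad = [dsa_sign(params, x, m, predictable_k(q, 4242)) for m in msgs]
    good = [dsa_sign(params, x, m, derived_k(q, x, m)) for m in msgs]
    ok = all(dsa_verify(params, y, m, s) for m, s in zip(msgs * 2, bad + good))
    bad_hits = find_reused_nonces(("host-key", r, s) for r, s in bad)
    good_hits = find_reused_nonces(("host-key", r, s) for r, s in good)
    return ok, bad, good, bad_hits, good_hits

if __name__ == "__main__":
    ok, bad, good, bad_hits, good_hits = demo()
    print("all four signatures verify:", ok)
    print("fixed-seed r values:", [r for r, _ in bad], "flagged:", bad_hits)
    print("derived-k r values:", [r for r, _ in good], "flagged:", good_hits)
```

Note that every signature verifies in both runs: a verifier cannot tell a safely generated signature from one made with a predictable k, which is why the advisory's advice is to replace the keys rather than to look for "bad" signatures. What a defender can do is scan a corpus of signatures per key for repeated r values, as `find_reused_nonces` does; a hit is proof that the nonce generator repeated itself.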