[CentOS] OpenSSL/SSH Bug on Debian - Compromised key pairs

Thu May 15 16:59:22 UTC 2008
MHR <mhullrich at gmail.com>

On Thu, May 15, 2008 at 5:27 AM, Daniel de Kok <me at danieldk.org> wrote:
> Jikes, rereading this, this does not seem accurate at all. Let me just
> quote the advisory:
> "Furthermore, all DSA keys ever used on affected Debian systems for
> signing or authentication purposes should be considered compromised;
> the Digital Signature Algorithm relies on a secret random value used
> during signature generation."

That made perfect sense to me:  If all the compromised systems used
the same (unrandomized) seed for the values of k, it would not be too
difficult for the determined cracker to break keys given enough CPU
power and an algorithm that could generate the exact same series of k
values (i.e., use the same "random" number generator, all of which are
NOT random if you know the seed).  All they need is one of the two
algorithms in Steinar's note, and goodbye security!

In theory, this same approach could be used to break any SSL keys, but
"guessing" the appropriate k value is roughly 2^128 times more
difficult (which is the whole point).