On 06/01/2014 20:20, manu%netbsd.org@localhost wrote:
> Jean-Yves Migeon <jeanyves.migeon%free.fr@localhost> wrote:
>> And if the attacker can test it remotely, we should be able to
>> test it locally with access to the private key, or am I missing
>> something?
>
> I do not understand that part -- what do you mean? Collecting entropy
> information through side channels like TCP ack/seq numbers, SYN cookies, ... ?
>
> If the attacker is able to factor a key using knowledge of skewed PRNG,
> then we should be able to do the same in order to test key strength. And
> since such a test would run locally, it could have unlimited access to
> crypto generated using the private key.
Disclaimer: not a cryptographer, so you should ask the ones out there (Colin? :) ).
First things first: having access to the private key will give you all you need anyway: P, Q (the primes), modulus (N), D (private exponent) and E (public one, 65537 99% of the time). They are stored with the private key:
$ openssl rsa -noout -text -in .ssh/id_rsa

The problem gets harder when you did not store P and Q (cipher/decipher requires only N, D, and E). Getting back P and Q when N, D, E are known seems non trivial to me (better ask a crypto for this).
A "skewed" PRNG matters when you originally select P and Q: you have to get them at random, so someone has no way to know which ones are picked up in a given range ([2^511, 2^512] for example). A skewed PRNG will not pick them "randomly". So your attacker will try to generate primes knowing the weaknesses of your PRNG. That part is important: you _have_ to know how the PRNG behaves in addition to its state.
In your case the only way to test the "strength" of your key set is:
- to get P and Q back (easy: see above);
- have a test that verifies they are not trivial given the knowledge you have about the PRNG.
I am not aware of such a test for Linux's PRNG, even less so for the NetBSD/FreeBSD one.
-- 
Jean-Yves Migeon
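Added example (not part of this thread, not code from any of the participants or from NetBSD): the step called "non trivial" above, recovering P and Q when only N, E and D survive, has a standard textbook solution. Because E*D - 1 is a multiple of lcm(P-1, Q-1), g**(E*D - 1) is 1 mod N for any g coprime to N; writing E*D - 1 = 2**t * r and squaring g**r step by step, the value just before the sequence reaches 1 is a square root of 1 mod N, and for at least half of all bases it is not +-1, so gcd(x - 1, N) is one of the primes. The demo key below is constructed from two known Mersenne primes (2**61 - 1 and 2**31 - 1) so that the script runs offline; it is not a real key.

```python
from math import gcd


def recover_primes(n, e, d, max_bases=64):
    """Recover (p, q) from an RSA modulus n and the exponent pair (e, d).

    e*d - 1 is a multiple of lcm(p-1, q-1), so g**(e*d - 1) == 1 (mod n) for
    every base g coprime to n.  Write e*d - 1 = 2**t * r with r odd and square
    g**r repeatedly: the last value before the sequence hits 1 is a square
    root of 1 mod n.  When that root is not +-1, gcd(x - 1, n) is p or q.
    Returns the primes as a (smaller, larger) tuple, or None if every base
    tried gave only the trivial roots.
    """
    k = e * d - 1
    t, r = 0, k
    while r % 2 == 0:
        r //= 2
        t += 1
    for g in range(2, 2 + max_bases):
        f = gcd(g, n)
        if 1 < f < n:                 # base already shares a factor with n
            return tuple(sorted((f, n // f)))
        x = pow(g, r, n)
        if x in (1, n - 1):           # only trivial roots from this base
            continue
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:                # x is a non-trivial square root of 1
                p = gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            if y == n - 1:            # sequence collapsed to -1: no information
                break
            x = y
    return None


def make_demo_key():
    """Constructed demo key (assumption: not a real key), built from two
    well-known Mersenne primes so the example is deterministic."""
    p = 2**61 - 1
    q = 2**31 - 1
    e = 65537
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python >= 3.8
    return p * q, e, d, (q, p)


if __name__ == "__main__":
    n, e, d, expected = make_demo_key()
    found = recover_primes(n, e, d)
    print("recovered P, Q:", found)
    print("matches the primes used to build N:", found == expected)
```

With real key material, N, E and D are the fields printed by the `openssl rsa -noout -text` command quoted above; once P and Q are back, any test of the PRNG that produced them can be run on them.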