NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: WARNING pseudorandom rekeying

Le 06/01/2014 20:20, a écrit :
Jean-Yves Migeon <> wrote:

> And if the attacker can test it remotely, we should be able to
> test it locally with access to the private key, or am I missing
> something?

I do not understand that part -- what do you mean? Collecting entropy
information through side channels like TCP ack/seq numbers, SYN cookies,
... ?

If the attacker is able to factor a key using knowledge of skewed PRNG,
then we should be able to do the same in order to test key strength. And
since such a test would ran locally, it could have unlimited access to
crypto generated using the private key.

Disclaimer: not a cryptographer, so you should ask the ones out there (Colin? :) ).

First things first: having access to the private key will give you all you need anyway: P, Q (the primes), modulus (N), D (private exponent) and E (public one, 65537 99% of the time). They are stored with the private key:

$ openssl rsa -noout -text -in .ssh/id_rsa

The problem gets harder when you did not store P and Q (cipher/decipher requires only N, D, and E). Getting back P and Q when N, D, E are known seems non trivial to me (better ask a crypto for this).

A "skewed" PRNG matters when you originally select P and Q: you have to get them at random, so someone has no way to know which ones are picked up in a given range ( [2^511, 2^512] for example). A skewed PRNG will not pick them "randomly". So your attacker will try to generate primes knowing the weaknesses of your PRNG. That part is important: you _have_ to know how the PRNG behaves in addition to its state.

In your case the only way to test the "strength" of your key set is:
- to get P and Q back (easy: see above);
- have a test that verify they are not trivial given the knowledge you have about the PRNG.

I am not aware of such a test for Lunix's PRNG, even less so for the NetBSD/FreeBSD one.

Jean-Yves Migeon

Home | Main Index | Thread Index | Old Index