[dm-crypt] Low Entropy key generation revisited

Arno Wagner arno at wagner.name
Wed Feb 15 20:54:45 CET 2012

There are currently two results being published on RSA keys 
found in the wild. As the problem of low-entropy 
(e.g. initial boot) situations has been discussed here,
I thought somebody may be interested in this.

Bottom line is that OpenSSL key-generation can produce
weak RSA keys with non-negligible probability when doing the
key-generation in an entropy-starved situation and that 
devices with these weak keys can be found and attacked 
efficiently. This does require gathering a lot (ideally
all) RSA keys in use.

Fix is to use better entropy-gathering, even if it takes 
time. Also, non-RSA keys are not affected by this specific 
attack (but their security does still suffer when they
are generated incorrectly in an entropy-starved situation).

Note that LUKS is not affected by this new attack as it 
does not use RSA keys. For the effects of a low-entropy
situation on LUKS, see the mailing list archives. Plain 
dm-crypt is not affected by entropy-gathering at all.



1. Good short explanation on freedom-to-tinker by research 
   group 2 (read this first):

2. Paper by research group 1:

3. Original and followup Slashdot articles:

Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 
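
Added example, not part of the original post: a defender-side audit of an inventory of your own devices' RSA moduli. It assumes the weakness takes the form reported in the published research, where keys generated with too little entropy end up sharing a prime factor with another key, which the post itself does not spell out. The function name, device labels and toy moduli are constructed for illustration.

```python
from itertools import combinations
from math import gcd


def audit_moduli(moduli):
    """Classify an inventory of RSA moduli (label -> int n).

    Returns (shared, duplicates):
      shared     - labels whose modulus has a common factor with a
                   different modulus; these keys must be regenerated
                   with a properly seeded RNG.
      duplicates - labels whose modulus is identical to another
                   label's (the same key pair present on several hosts).
    """
    shared, duplicates = set(), set()
    for (a, n_a), (b, n_b) in combinations(sorted(moduli.items()), 2):
        if n_a == n_b:
            # gcd would be n itself here; report it as a duplicate key,
            # not as a shared prime.
            duplicates.update((a, b))
            continue
        # Independently generated moduli are coprime, so any gcd > 1
        # means the two keys were built from a common prime.
        if gcd(n_a, n_b) > 1:
            shared.update((a, b))
    return sorted(shared), sorted(duplicates)


# Constructed sample inventory using toy primes (real moduli are
# 2048 bits or more; the check is the same).
P, Q1, Q2, R, S = 101, 103, 107, 109, 113
SAMPLE = {
    "router-a": P * Q1,  # generated at first boot, entropy-starved
    "router-b": P * Q2,  # same first prime, different second prime
    "server-c": R * S,   # generated after the RNG was seeded
    "server-d": R * S,   # identical key copied to a second host
}

if __name__ == "__main__":
    shared, duplicates = audit_moduli(SAMPLE)
    print("regenerate (shared prime):", shared)
    print("identical key on several hosts:", duplicates)
```

The pairwise loop is quadratic in the number of keys, which is fine for a fleet inventory of a few thousand moduli.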
