[dm-crypt] Low Entropy key generation revisited

Arno Wagner arno at wagner.name
Wed Feb 15 20:54:45 CET 2012


There are currently two result being published on RSA keys 
found in the wild. As the problem of low-entropy 
(e.g. initial boot) situations has been discussed here,
I thought somebody may be interested in this.

Bottom line is that OpenSSL key-generation can produce
weak RSA keys with non-negliable probability when doing the
key-generation in an entropy-starved situation and that 
devices with these weak keys can be found and attacked 
efficiently. This does require gathering a lot (ideally
all) RSA keys in use.

Fix is to use better entropy-gathering, even if it takes 
time. Also, non-RSA keys are not affected by this specific 
attack (but their security does still suffer when they
are generated incorrectly in an entripoy-starved situation).

Note that LUKS is not affected by this new attack as it 
does not use RSA keys. For the effects of a low-entropy
situation on LUKS, see the mailing list archives. Plain 
dm-crypt is not affected by entropy-gathering at all.

Arno

----

References:
1. Good short explanation on freedom-to-tinker by research 
   group 2 (read this first):
   https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs  

2. Paper by research group 1:
   http://eprint.iacr.org/2012/064

3. Original and followup Slashdot articles:
   http://it.slashdot.org/story/12/02/14/2322213/998-security-for-real-world-public-keys
   http://it.slashdot.org/story/12/02/15/1540212/factorable-keys-twice-as-many-but-half-as-bad

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 


More information about the dm-crypt mailing list