[dm-crypt] Low Entropy key generation revisited
arno at wagner.name
Wed Feb 15 20:54:45 CET 2012
There are currently two results being published on RSA keys
found in the wild. As the problem of low-entropy
(e.g. initial boot) situations has been discussed here,
I thought somebody may be interested in this.
Bottom line is that OpenSSL key-generation can produce
weak RSA keys with non-negligible probability when doing the
key-generation in an entropy-starved situation and that
devices with these weak keys can be found and attacked
efficiently. This does require gathering a lot (ideally
all) RSA keys in use.
Fix is to use better entropy-gathering, even if it takes
time. Also, non-RSA keys are not affected by this specific
attack (but their security does still suffer when they
are generated incorrectly in an entropy-starved situation).
Note that LUKS is not affected by this new attack as it
does not use RSA keys. For the effects of a low-entropy
situation on LUKS, see the mailing list archives. Plain
dm-crypt is not affected by entropy-gathering at all.
1. Good short explanation on freedom-to-tinker by research
group 2 (read this first):
2. Paper by research group 1:
3. Original and followup Slashdot articles:
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
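
Added example, not part of the original message: the weakness in the published results is that RSA keys generated with too little entropy can end up sharing a prime factor, which a GCD over pairs of moduli exposes. The sketch below audits an inventory of your own RSA moduli for that condition; the function name, labels and sample moduli are constructed for illustration.

```python
from itertools import combinations
from math import gcd


def audit_moduli(moduli):
    """Compare every pair of RSA moduli in an inventory.

    moduli: dict mapping a key label (hypothetical names here) to its modulus n.
    Returns a list of (label_a, label_b, kind, common_factor) tuples, where kind is
    "shared-prime" (both keys are factorable) or "duplicate-modulus"
    (the same key pair was generated on two devices).
    """
    findings = []
    for (a, na), (b, nb) in combinations(sorted(moduli.items()), 2):
        g = gcd(na, nb)
        if g == 1:
            continue  # no common factor: this pair is fine
        kind = "duplicate-modulus" if na == nb else "shared-prime"
        findings.append((a, b, kind, g))
    return findings


# Constructed sample inventory. The "primes" are Mersenne primes so the toy
# moduli are easy to verify by hand; real moduli would come from your own
# certificates or SSH host keys.
M61, M89, M107, M127, M521 = (2**k - 1 for k in (61, 89, 107, 127, 521))
SAMPLE = {
    "router-a": M61 * M89,
    "router-b": M61 * M107,        # shares M61 with router-a
    "router-a-clone": M61 * M89,   # identical key, e.g. same state at first boot
    "server-c": M127 * M521,       # independent key
}

if __name__ == "__main__":
    for a, b, kind, g in audit_moduli(SAMPLE):
        print(f"{a} / {b}: {kind} (common factor has {g.bit_length()} bits)")
```

Any key that shows up in a finding should be regenerated once the system has gathered enough entropy. The pairwise loop is quadratic in the number of keys, which is fine for a site inventory.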