[dm-crypt] Low Entropy key generation revisited
Arno Wagner
arno at wagner.name
Wed Feb 15 20:54:45 CET 2012
There are currently two result being published on RSA keys
found in the wild. As the problem of low-entropy
(e.g. initial boot) situations has been discussed here,
I thought somebody may be interested in this.
Bottom line is that OpenSSL key-generation can produce
weak RSA keys with non-negliable probability when doing the
key-generation in an entropy-starved situation and that
devices with these weak keys can be found and attacked
efficiently. This does require gathering a lot (ideally
all) RSA keys in use.
Fix is to use better entropy-gathering, even if it takes
time. Also, non-RSA keys are not affected by this specific
attack (but their security does still suffer when they
are generated incorrectly in an entripoy-starved situation).
Note that LUKS is not affected by this new attack as it
does not use RSA keys. For the effects of a low-entropy
situation on LUKS, see the mailing list archives. Plain
dm-crypt is not affected by entropy-gathering at all.
Arno
----
References:
1. Good short explanation on freedom-to-tinker by research
group 2 (read this first):
https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs
2. Paper by research group 1:
http://eprint.iacr.org/2012/064
3. Original and followup Slashdot articles:
http://it.slashdot.org/story/12/02/14/2322213/998-security-for-real-world-public-keys
http://it.slashdot.org/story/12/02/15/1540212/factorable-keys-twice-as-many-but-half-as-bad
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
More information about the dm-crypt
mailing list