Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
Study #1 *"Ron was wrong, Whit is right"* *Arjen K. Lenstra and James P. Hughes and Maxime Augier and Joppe W. Bos and Thorsten Kleinjung and Christophe Wachter* Abstract http://eprint.iacr.org/2012/064/ Paper (short form) http://eprint.iacr.org/2012/064.pdf Reported in NYT as http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?_r=2&hp=&pagewanted=all. Good quick overview * http://arstechnica.com/business/news/2012/02/crypto-shocker-four-of-every-1000-public-keys-provide-no-security.ars * but ... *Study #2** **IT MAY BE LARGELY VPN/EMBEDDED ISSUE ? * New research: There's no need to panic over factorable keys -- just mind your Ps and Qs * https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs * * Nadia Heninger* Zakir Durumeric, Eric Wustrow, Alex Halderman, February 15th, 2012 at 2:16 am You may have seen the preprint posted today by Lenstra et al. about entropy problems in public keys. [ *We* ] have been waiting to talk about some similar results. We will be publishing a full paper after the relevant manufacturers have been notified. ... this problem mainly affects various kinds of embedded devices such as routers and VPN devices, not full-blown web servers. (It's certainly not, as suggested in the New York Times, any reason to have diminished confidence in the security of web-based commerce.) Unfortunately, we've found vulnerable devices from nearly every major manufacturer and we suspect that more than 200,000 devices, representing 4.1% of the SSL keys in our dataset, were generated with poor entropy. Any weak keys found to be generated by a device suggests that the entire class of devices may be vulnerable upon further analysis.... Many, but not all, of the vulnerable keys were generated by OpenSSL and OpenSSH, which calls OpenSSL's RSA key generation code.?
BLU is a member of BostonUserGroups | |
We also thank MIT for the use of their facilities. |