Randomly Broken Randomness

No, it’s not a news item anymore. Nevertheless, after scores of revocation requests came in at the StartCom CA because of a vulnerability in the pseudo random number generator of Debian’s OpenSSL package and dozens of news site reported this stupidity, I can’t hold myself back anymore. The developers of Debian apparently decided to fix OpenSSL without consulting nor informing the original developers about their “fix“, which left the basic security of those system vulnerable. OpenSSL is used for creating private keys and certificate requests and the base for many applications which rely on cryptography, like SSH, VPN and anything based on x.509 SSL certificates. The folks at Debian deprived with their fix the OpenSSL utility of any unassigned memory which it needs for its random number generation. The result of this fix is, that the randomness of those keys are only in the range from 1 to 32,768, the number of possible Linux process identification numbers. For cryptography purposes, this range of number is like a bad joke. Anyone who knows something about cracking can work up a routine to automatically bust it within a few hours.

In a brute-force attack, simplified this goes about something like this (click below):

Now this vulnerability affects potentially millions of servers and I expect tens of thousands of SSL secured web sites to be vulnerable. Not only that, I’m sure that there are critical services and infrastructures affected as well. One could say, that good security starts with good random numbers and that’s why we use at StartCom for this purpose a real hardware based random number generator (RNG) as a high-quality source to seed the entropy pool. Software based RNG’s like the ones provided by OpenSSL are so-called pseudo random number generator, which aren’t as good as hardware based ones (and besides that, it’s almost needless to say that we use StartCom Linux servers and not Debian). Private keys for server certificates which were generated by the StartCom CA (which is offered as an option) make use of this hardware based RNG and are very unpredictable. The software further tests the randomness and the key is delivered in encrypted form using AES-256-CBC algorithm - again by using a hardware based accelerator.

Should you run a Debian system and be affected by this, I suggest to read this guide for fixing Debian. Another advice to all the ones wanting to secure their websites, mail servers and VPN connections: Check carefully whom you trust for your certificates. There are some out there, you really shouldn’t! Some (service providers) have never heard of hardware based RNG’s nor do they care too much about your security either. But they are willingly risking your security on a volunteer basis….think about it!

Information and Links

Join the fray by commenting, tracking what others have to say, or linking to it from your blog.

Other Posts
Spoofing SSL in Firefox 3
The Added Value

Write a Comment

Take a moment to comment and tell us what you think. Some basic HTML is allowed for formatting.

You must be logged in to post a comment. Click here to login.

Reader Comments

Be the first to leave a comment!