lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJVRA1Tfiu7N36Smc5GiFJ2p21h9JCOr=QY3JZ59GG4MwHvPcQ@mail.gmail.com>
Date: Wed, 18 Jul 2012 12:35:55 -0700
From: coderman <coderman@...il.com>
To: Dan Kaminsky <dan@...para.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: how i stopped worrying and loved the backdoor

On Fri, Dec 24, 2010 at 5:08 PM, Dan Kaminsky <dan@...para.com> wrote:
> ...
> Don't we have hardware RNG in most motherboard chipsets nowadays?

clearly not enough of them!

'Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices'
https://factorable.net/weakkeys12.extended.pdf

"""
RSA and DSA can fail catastrophically when used with malfunctioning
random number generators, but the extent to which these problems arise
in practice has never been comprehensively studied at Internet scale.
We perform the largest ever network survey of TLS and SSH servers and
present evidence that vulnerable keys are surprisingly widespread.

We find that 0.75% of TLS certificates share keys due to insufficient
entropy during key generation, and we suspect that another 1.70% come
from the same faulty implementations and may be susceptible to
compromise.

Even more alarmingly, we are able to obtain RSA private keys for 0.50%
of TLS hosts and 0.03% of SSH hosts, because their public keys shared
nontrivial common factors due to entropy problems, and DSA private
keys for 1.03% of SSH hosts, because of insufficient signature
randomness. We cluster and investigate the vulnerable hosts, finding
that the vast majority appear to be headless or embedded devices.
"""

infosec comedy gold :P

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ