Researcher: Debian cryptography may be flawed

A security researcher has warned that cryptographic keys generated in the last year and a half using Debian OpenSSL may be invalid.

HD Moore, director of research for network-security company BreakingPoint Systems, posted details of the compromise on Metasploit.com on Wednesday.

According to Moore, a bug in a Debian OpenSSL package was created in 2006 by the removal of a piece of code, which was taken out to stop the Valgrind and Purify security tools producing warnings about certain code linked to OpenSSL.

However, the removal of this line of code had the side effect of "crippling" the pseudo-random number generator (PRNG) in OpenSSL, wrote Moore. Instead of using random data to generate basic "seed" values for keys, the OpenSSL PRNG used the current process ID, a unique process identifier. The problem is that, in Linux, the default maximum process ID is 32,768, meaning the seed value could be overcome by brute force, or systematically applying different values in the range 0 to 32,768.

"On the Linux platform, the default maximum process ID is 32,768, resulting in a very small number of seed values being used for all PRNG operations," wrote Moore. "When creating a new key for OpenSSH [which uses OpenSSL], there are only 32,767 possible outcomes for a given architecture, key size and key type. The reason is that the only 'random' data being used by the PRNG is the ID of the process."

Once the seed value of a possible key was known, Moore developed a process to generate the keys themselves. Moreover, the researcher published a complete list of cracked 1,024-bit DSA keys, and 2,048 and 4,096-bit RSA keys, and said he intends to make a brute-force tool available "in the near future".

Moore wrote that the effects of the flaw could be wide-ranging, including the need to revoke and regenerate any keys created on a Debian system.

"In the case of SSL keys, all generated certificates will be need to recreated and sent off to the certificate authority to sign," wrote Moore. "Any certificate authority keys generated on a Debian-based system will need be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public-key authentication need to audit those keys to see if any of them were created on a vulnerable system. Any tools that relied on OpenSSL's PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption, and a man-in-the-middle attack would be invisible to the users."

Bojan Zdrnja, a researcher for security-training organisation the Sans Institute, wrote in a blog post that this flaw is "very scary", as any cryptographic material created on Debian systems could be now cracked.

"The bottom line is: this is very, very, very serious and scary," wrote Zdrnja. "Keep in mind that any cryptographic material created on vulnerable systems can be compromised. If you generated SSL keys on such Debian or Ubuntu systems, you will have to recreate the certificates and get them signed again. An attacker can even decrypt old SSH sessions now. Please check your systems and make sure that you are both patched and that you regenerated any potentially weak cryptographic material."