On 2008-05-14, Joseph Ashwood wrote:
> "Ignoramus17861" wrote in message
> news:mcKdndL0Xr01PbfVnZ2dnUVZ_qzinZ2d@giganews.com...
>>> "A weakness has been discovered in the random number generator used by
>>> OpenSSL on Debian and Ubuntu systems. As a result of this weakness,
>>> certain encryption keys are much more common than they should be, such
>>> that an attacker could guess the key through a brute-force attack given
>>> minimal knowledge of the system. This particularly affects the use of
>>> encryption keys in OpenSSH."
>
>> Well, my question was, what opportunities for attacks does this
>> provide?
>
> You should consider this to remove all security of SSH, and any other
> program that uses the dev random pool. It isn't quite that bad, but it is
> very close.
What do you mean, "remove all security of SSH"?
Do you mean that this mistake fully undermined SSH security?
>>
>> Let's say that I often ssh from alice.example.com to bob.example.com
>> using authorized_keys, and the attacker is able to read the encrypted
>> traffic.
>>
>> Would the attacker be able to guess my keys and log on to
>> bob.example.com?
>
> If bob.example.com uses the compromised implementation then the attacker can
> do anything. The attacker can impersonate bob, the attacker can read all
> messages sent to bob, the attacker can go back and read any recorded
> transactions. Basically any trusted communication to or from bob is
> completely compromised.
> Joe
>
And, even more specifically, an attacker who knows a permitted
username could log on as that username and do anything?