There are currently two results being published on RSA keys found in the wild. As the problem of low-entropy (e.g. initial boot) situations has been discussed here, I thought somebody may be interested in this.

Bottom line is that OpenSSL key-generation can produce weak RSA keys with non-negligible probability when doing the key-generation in an entropy-starved situation and that devices with these weak keys can be found and attacked efficiently. This does require gathering a lot (ideally all) RSA keys in use. Fix is to use better entropy-gathering, even if it takes time.

Also, non-RSA keys are not affected by this specific attack (but their security does still suffer when they are generated incorrectly in an entropy-starved situation).

Note that LUKS is not affected by this new attack as it does not use RSA keys. For the effects of a low-entropy situation on LUKS, see the mailing list archives. Plain dm-crypt is not affected by entropy-gathering at all.

Arno

----
References:

1. Good short explanation on freedom-to-tinker by research group 2 (read this first):
   https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs

2. Paper by research group 1:
   http://eprint.iacr.org/2012/064

3. Original and followup Slashdot articles:
   http://it.slashdot.org/story/12/02/14/2322213/998-security-for-real-world-public-keys
   http://it.slashdot.org/story/12/02/15/1540212/factorable-keys-twice-as-many-but-half-as-bad

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision. -- Bertrand Russell

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
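The failure mode described in the post, as an added illustration that is not part of Arno's message or of the cited papers: a simulated fleet whose devices seed their PRNG from only a few bits of boot-time entropy, so the first prime p repeats across devices while a little extra entropy arriving before q is drawn makes q differ (the "Ps and Qs" pattern), followed by the shared-factor audit a key owner can run over their own modulus inventory. The prime pool, the device count and the way entropy is modelled are all constructed assumptions; the primes are tiny so it runs instantly, but the gcd check is identical for real 2048-bit moduli.

```python
import math
import random
from itertools import combinations


def primes_between(lo, hi):
    """Trial-division prime list; only a toy prime pool for this simulation."""
    return [n for n in range(lo, hi)
            if all(n % d for d in range(2, int(n ** 0.5) + 1))]


# Constructed pool of ~200 small primes standing in for RSA-sized primes.
PRIME_POOL = primes_between(1_000_000, 1_003_000)


def weak_keygen(entropy_bits, count, master_seed=0):
    """Simulate `count` devices generating RSA keys right after boot.

    Each device seeds its PRNG from only `entropy_bits` bits, so seeds (and
    hence the first prime p) repeat across devices.  A little extra entropy,
    modelled here by the device index standing in for a clock reading, is
    mixed in before q is drawn, so q usually differs: shared p, distinct q.
    """
    master = random.Random(master_seed)  # the fleet's scarce boot entropy
    moduli = []
    for device in range(count):
        seed = master.getrandbits(entropy_bits)
        rng = random.Random(seed)
        p = rng.choice(PRIME_POOL)
        rng.seed((seed << 16) | device)   # entropy trickling in between p and q
        q = rng.choice([x for x in PRIME_POOL if x != p])
        moduli.append(p * q)
    return moduli


def shared_factor_audit(moduli):
    """Pairwise gcd over an inventory of RSA moduli.

    A gcd above 1 means two keys share a prime, which exposes both private
    keys; a gcd equal to the modulus means two devices made the same key.
    Pairwise scanning is fine for one fleet; the cited paper's batch-GCD does
    the same across millions of collected keys.  Returns (i, j, gcd) triples.
    """
    findings = []
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = math.gcd(n1, n2)
        if g > 1:
            findings.append((i, j, g))
    return findings


if __name__ == "__main__":
    fleet = weak_keygen(entropy_bits=2, count=8)
    for i, j, g in shared_factor_audit(fleet):
        kind = "identical key" if g == fleet[i] else "shared prime"
        print(f"device {i} and device {j}: {kind}, gcd={g}")
```

With 2 bits of entropy only four distinct seeds exist, so among eight devices some pair must share p; raise `entropy_bits` and the findings disappear, which is the post's point that the fix is better entropy gathering before key generation.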