The perils of security tools

Ben Laurie ben at links.org
Thu May 15 12:14:17 EDT 2008


Paul Hoffman wrote:
> At 10:25 AM +0100 5/15/08, Ben Laurie wrote:
>> Paul Hoffman wrote:
>>> I'm confused about two statements here:
>>>
>>> At 2:10 PM +0100 5/13/08, Ben Laurie wrote:
>>>> The result of this is that for the last two years (from Debian's 
>>>> "Edgy" release until now), anyone doing pretty much any crypto on 
>>>> Debian (and hence Ubuntu) has been using easily guessable keys. This 
>>>> includes SSH keys, SSL keys and OpenVPN keys.
>>>
>>> . . .
>>>
>>>> [2] Valgrind tracks the use of uninitialised memory. Usually it is 
>>>> bad to have any kind of dependency on uninitialised memory, but 
>>>> OpenSSL happens to include a rare case when it's OK, or even a good 
>>>> idea: its randomness pool. Adding uninitialised memory to it can do 
>>>> no harm and might do some good, which is why we do it. It does cause 
>>>> irritating errors from some kinds of debugging tools, though, 
>>>> including valgrind and Purify. For that reason, we do have a flag 
>>>> (PURIFY) that removes the offending code. However, the Debian 
>>>> maintainers, instead of tracking down the source of the 
>>>> uninitialised memory, chose to remove any possibility of 
>>>> adding memory to the pool at all. Clearly they had not understood 
>>>> the bug before fixing it.
>>>
>>> The second bit makes it sound like the stuff that the Debian folks 
>>> blindly removed was one, possibly-useful addition to the entropy 
>>> pool. The first bit makes it sound like the stuff was absolutely 
>>> critical to the entropy of produced keys. Which one is correct?
>>
>> They removed _all_ entropy addition to the pool, with the exception of 
>> the PID, which is mixed in at a lower level.
> 
> I take it that these are not 128-bit, non-monotonic PIDs. :-)
> 
> The bigger picture is that distributions who are doing local mods should 
> really have an ongoing conversation with the software's developers. Even 
> if the developers don't want to talk to you, a one-way conversation of 
> "we're doing this, we're doing that" could be useful.

That doesn't scale very well, though - which is why my position is that 
they should avoid local mods.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
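To make the point of the quoted exchange concrete, here is an added toy model (not OpenSSL's PRNG and not code from anyone in this thread): a hash-chained pool seeded either the upstream way (OS entropy, then the PID) or the patched way (PID only). With only the PID reaching the pool, the set of possible keys collapses to one per PID and is identical on every run, which is why the keys were guessable. PID_MAX, the pool construction and the 16-byte "key" are assumptions made for the illustration.

```python
import hashlib
import os

PID_MAX = 32768   # Linux default pid_max (assumption; the thread gives no number)
KEY_LEN = 16      # bytes of pool output treated as "the key" (assumption)

class ToyPool:
    """Hash-chained entropy pool: add() folds input into the state and
    read() derives output from it. A stand-in, not OpenSSL's md_rand."""
    def __init__(self):
        self.state = b"\x00" * 32

    def add(self, data: bytes) -> None:
        self.state = hashlib.sha256(self.state + data).digest()

    def read(self, n: int) -> bytes:
        return hashlib.sha256(b"out" + self.state).digest()[:n]

def seed_upstream(pool: ToyPool, pid: int, os_entropy: bytes) -> None:
    """Unpatched behaviour: OS entropy is mixed in, then the PID
    is mixed in at a lower level."""
    pool.add(os_entropy)
    pool.add(pid.to_bytes(4, "big"))

def seed_debian_patched(pool: ToyPool, pid: int, os_entropy: bytes) -> None:
    """Patched behaviour: the entropy-add call is gone, so os_entropy is
    never used and the PID is the only input the pool ever sees."""
    pool.add(pid.to_bytes(4, "big"))

def keyspace(seed_fn) -> set:
    """Generate one key per possible PID, each with fresh OS entropy,
    and return the set of distinct keys produced."""
    keys = set()
    for pid in range(PID_MAX):
        pool = ToyPool()
        seed_fn(pool, pid, os.urandom(32))
        keys.add(pool.read(KEY_LEN))
    return keys

def is_reproducible(seed_fn) -> bool:
    """True when a second run (new OS entropy, same PIDs) yields exactly the
    same key set, i.e. the PID alone determines the key."""
    return keyspace(seed_fn) == keyspace(seed_fn)

if __name__ == "__main__":
    for name, fn in (("patched", seed_debian_patched), ("upstream", seed_upstream)):
        print(f"{name}: distinct keys = {len(keyspace(fn))}, "
              f"reproducible across runs = {is_reproducible(fn)}")
```

Both variants produce PID_MAX keys in a single run; the difference is that the patched pool produces the same PID_MAX keys every time, so that list is the entire keyspace, while the upstream pool's keys never repeat.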

---------------------------------------------------------------------
The Cryptography Mailing List