* Simon Valiquette <[EMAIL PROTECTED]> [2008-05-14 16:36-0400]:
> > > Affected keys include SSH keys [...] and session keys used
> > > in SSL/TLS connections.
>
> It seems that people are insisting quite a lot on the bad keys, but
> what worries me a lot more is that, apparently and very logically, past ssh
> connections and any SSL session keys are to be considered compromised.
>
> In other words, if a vulnerable key has been involved, and if someone
> was able to intercept and save the encrypted data, he/she can now
> decipher it, whether it is passwords, ssh sessions, secure pop/smtp
> sessions, ssl tunnels or even database transactions. So you need to
> change every password at risk (bothersome, but relatively easy), but
> also consider that secure/confidential information, including credit card
> transactions or whatever, has been disclosed, which is a much bigger
> problem.
SSH traffic cannot be compromised that way. Basically the encryption key used
for the SSH session is *not* the host key nor the client key itself, but it is
created on session initiation using a Diffie-Hellman key exchange, and the
host/client keys are just used to verify the authenticity of the server. In
other words, ssh sessions are not compromised just because an adversary has
the host keys (unless a MITM is set up, in which case you need both the host
key and the authentication key to perform a MITM attack).

micah

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
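The mechanism micah describes, worked through as an added example (this is not code from the thread or from OpenSSH): a miniature of the SSH key exchange in Go, standard library only. Both endpoints derive the session key from a Diffie-Hellman exchange; the host key is used only to sign the exchange hash H. The function and type names (NewHostKey, dhKeypair, serverKex, clientFinish, HonestExchange, MITMExchange, MITMResult) and the SHA-256 key derivation are simplifications of my own, the group is the 1024-bit group1 prime purely to keep the listing short, and user authentication is not modelled. It exercises three cases: an honest exchange, an active MITM who holds the stolen host private key (the client's signature check passes and the attacker ends up with the keys of both legs), and an attacker who knows only the public half (rejected).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Oakley group 2 (RFC 2409), the 1024-bit prime of SSH's diffie-hellman-group1-sha1 (g = 2); too small for new use, kept for brevity.
var dhPrime, _ = new(big.Int).SetString(
	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"+
		"020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"+
		"4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"+
		"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)

// NewHostKey makes a server's long-term identity; clients are assumed to already trust its public half.
func NewHostKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// dhKeypair draws an ephemeral exponent in [1, p-2] and returns it with g^exp mod p; the exponent never leaves its endpoint.
func dhKeypair() (*big.Int, *big.Int) {
	exp, err := rand.Int(rand.Reader, new(big.Int).Sub(dhPrime, big.NewInt(2)))
	if err != nil {
		panic(err)
	}
	exp.Add(exp, big.NewInt(1))
	return exp, new(big.Int).Exp(big.NewInt(2), exp, dhPrime)
}

// exchangeHash is SSH's H in miniature: it binds host key, e, f and K. The host key signs H, never K itself.
func exchangeHash(pub ed25519.PublicKey, e, f, k *big.Int) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{pub, e.Bytes(), f.Bytes(), k.Bytes()}, nil))
	return sum[:]
}

// sessionKey stands in for SSH's HASH(K || H || ...) derivation of the symmetric keys.
func sessionKey(k *big.Int, h []byte) []byte {
	sum := sha256.Sum256(append(k.Bytes(), h...))
	return sum[:]
}

// serverKex: given the client's e, pick y and return f = g^y, the host-key signature over H and the server's key.
func serverKex(host ed25519.PrivateKey, e *big.Int) (*big.Int, []byte, []byte) {
	y, f := dhKeypair()
	k := new(big.Int).Exp(e, y, dhPrime)
	h := exchangeHash(host.Public().(ed25519.PublicKey), e, f, k)
	return f, ed25519.Sign(host, h), sessionKey(k, h)
}

// clientFinish: the client checks sig against the host key it trusts and derives the key; ok == false is where a real client aborts.
func clientFinish(trusted ed25519.PublicKey, x, e, f *big.Int, sig []byte) ([]byte, bool) {
	k := new(big.Int).Exp(f, x, dhPrime)
	h := exchangeHash(trusted, e, f, k)
	return sessionKey(k, h), ed25519.Verify(trusted, h, sig)
}

// HonestExchange: no attacker. Returns the client's key, the server's key and whether the client accepted.
func HonestExchange(host ed25519.PrivateKey) ([]byte, []byte, bool) {
	x, e := dhKeypair()
	f, sig, serverKey := serverKex(host, e)
	clientKey, ok := clientFinish(host.Public().(ed25519.PublicKey), x, e, f, sig)
	return clientKey, serverKey, ok
}

// MITMResult: what the honest endpoints derived and what the attacker derived on each leg.
type MITMResult struct {
	ClientAccepted                                           bool
	ClientKey, ServerKey, AttackerToClient, AttackerToServer []byte
}

// MITMExchange: the attacker answers the client's e with its own f' and signs that leg's H with signingKey, while
// running a separate, ordinary DH with the real server. signingKey == host models a stolen host key.
func MITMExchange(host, signingKey ed25519.PrivateKey) MITMResult {
	pub := host.Public().(ed25519.PublicKey) // public, so the attacker puts it in H exactly as the server would
	x, e := dhKeypair()                      // the client's ephemeral pair
	xa, ea := dhKeypair()                    // attacker <-> server leg
	f, _, serverKey := serverKex(host, ea)
	ka := new(big.Int).Exp(f, xa, dhPrime)
	toServer := sessionKey(ka, exchangeHash(pub, ea, f, ka))
	yb, fb := dhKeypair() // attacker <-> client leg
	kb := new(big.Int).Exp(e, yb, dhPrime)
	hb := exchangeHash(pub, e, fb, kb)
	clientKey, ok := clientFinish(pub, x, e, fb, ed25519.Sign(signingKey, hb))
	return MITMResult{ok, clientKey, serverKey, sessionKey(kb, hb), toServer}
}

func main() {
	host := NewHostKey()
	r := MITMExchange(host, host)
	fmt.Println("stolen-key MITM accepted:", r.ClientAccepted, "attacker holds the client's key:", bytes.Equal(r.ClientKey, r.AttackerToClient))
}
```

A passive eavesdropper, even one holding the host private key, records only e, f and the signature; K needs x or y, neither of which is ever transmitted, so the transcript alone does not yield the session key. The active case is what the signature check decides, and with the private half of the host key the attacker's own f' verifies as cleanly as the real server's. Note that the whole argument rests on x and y being unpredictable; the example draws them from crypto/rand.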