On Mon, May 19, 2008 at 01:09:25AM +0200, Jan Tomasek wrote:
> My colleague developed a script for converting X509 certificates to SSH
> key hash. It was strange when we realized that none of the issued
> certificates matched. It is because the OpenSSH and OpenSSL blacklists are
> not compatible. OpenSSH and OpenSSL are using a different exponent when
> creating the private key.

That's correct -- this is true for OpenVPN as well.

> The rule is simple. When the ~/.rnd file doesn't exist I get one key and
> in the other situation I get another key (the one listed in the Ubuntu
> openssl-blacklist). Because of this problem openssl-blacklist has to
> be twice as big as openssh-blacklist. I developed simple shell scripts to
> generate lists of all key lengths we are interested in. They are attached.

Yes, this was realized during the generation of the openssl-blacklist in
Ubuntu. We're expecting to have the more complete lists published soon,
for all 3 architectures.

> I also published a full list of compromised keys in lengths 1024 and 2048
> for Intel 32bit and 64bit platforms on my website. There are more keys
> than in the Ubuntu blacklist, but I'm missing others. I'm planning to
> publish the 4096 bit keys list tomorrow. I'm not going to publish complete
> archives of private keys.

Thanks! We can verify our lists against yours to make sure we're all on
the same page. :)

-Kees

--
Kees Cook
Ubuntu Security Team
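The certificate-to-SSH-hash conversion Jan describes, as an added example that is not part of this thread or of either blacklist package: it builds the ssh-rsa public key blob from a certificate's RSA (e, n), derives the OpenSSH MD5 fingerprint and the 20-hex-digit form that openssh-blacklist/ssh-vulnkey look up (assumed here to be the last 80 bits of the fingerprint), and shows that the same modulus under the two exponents (assumed: 65537 for OpenSSL, 35 for OpenSSH of that era) hashes differently, so a cert-derived hash cannot be expected to match the OpenSSH list. The sample modulus is constructed, not a real key.

```python
import hashlib
import struct


def ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (RFC 4251): 4-byte
    big-endian length, then minimal big-endian bytes, with a leading 0x00
    added when the top bit is set so the value stays positive."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """Wire-format 'ssh-rsa' public key blob: string "ssh-rsa", mpint e, mpint n.
    This is the byte string ssh-keygen fingerprints, so an RSA key lifted from
    an X.509 certificate (its e and n) can be fingerprinted the OpenSSH way."""
    key_type = b"ssh-rsa"
    return struct.pack(">I", len(key_type)) + key_type + ssh_mpint(e) + ssh_mpint(n)


def ssh_md5_fingerprint(e: int, n: int) -> str:
    """Hex MD5 of the blob, i.e. the classic `ssh-keygen -lf` fingerprint without colons."""
    return hashlib.md5(ssh_rsa_blob(e, n)).hexdigest()


def openssh_blacklist_key(e: int, n: int) -> str:
    """Assumed openssh-blacklist lookup key: the last 20 hex digits (80 bits)
    of the MD5 fingerprint, as ssh-vulnkey indexes the list."""
    return ssh_md5_fingerprint(e, n)[12:]


# Constructed sample modulus (NOT a real key): 256 bits with the top bit set.
SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed sample modulus").digest(), "big") | (1 << 255)
E_OPENSSL = 65537  # assumed: RSA_F4, the exponent OpenSSL/OpenVPN key generation uses
E_OPENSSH = 35     # assumed: the exponent OpenSSH's ssh-keygen used at the time

if __name__ == "__main__":
    for label, e in (("openssl e=65537", E_OPENSSL), ("openssh e=35", E_OPENSSH)):
        print(f"{label}: fingerprint {ssh_md5_fingerprint(e, SAMPLE_N)}"
              f"  blacklist key {openssh_blacklist_key(e, SAMPLE_N)}")
```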