Kees Cook wrote:
The rule is simple. When the ~/.rnd file doesn't exist I get one key and
in the other situation I get another (the one listed in the Ubuntu
openssl-blacklist) key. Because of this problem openssl-blacklist has to
be twice as big as openssh-blacklist. I developed simple shell scripts to
generate a list of all key lengths we are interested in. They are attached.
Yes, this was realized during the generation of the openssl-blacklist in
Ubuntu. We're expecting to have the more complete lists published soon,
for all 3 architectures.
I discovered that there is also a 3rd key which you get if you pass an empty
file by -rand. Keys created in this way are still the same so it's
another possible compromised key. I'm not sure if it is worth spending time on
counting these keys...
I also published a full list of compromised keys in lengths 1024 and 2048
for Intel 32bit and 64bit platforms on my website. There are more keys
than in the Ubuntu blacklist, but I'm missing others. I'm planning to
publish the 4096 bit keys list tomorrow. I'm not going to publish complete
archives of private keys.
Thanks! We can verify our lists against yours to make sure we're all on
the same page. :)
I deleted that one big file and published files split by architecture
and key length:
http://pocitace.tomasek.cz/debian-randomness/openssl-compromited-keys.rsa_1024_x86_32.txt
http://pocitace.tomasek.cz/debian-randomness/openssl-compromited-keys.rsa_1024_x86_64.txt
http://pocitace.tomasek.cz/debian-randomness/openssl-compromited-keys.rsa_2048_x86_32.txt
http://pocitace.tomasek.cz/debian-randomness/openssl-compromited-keys.rsa_2048_x86_64.txt
http://pocitace.tomasek.cz/debian-randomness/openssl-compromited-keys.rsa_4096_x86_32.txt
http://pocitace.tomasek.cz/debian-randomness/openssl-compromited-keys.rsa_4096_x86_64.txt
They are all complete now. 4096 took longer than I was expecting.
What is your 3rd architecture? On Ubuntu pages I see only PC (Intel x86)
desktop CD and 64-bit PC (AMD64) desktop CD?
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/