Kyle Hamilton wrote:
This is correct. There is also an additional mitigating factor: the
private key files themselves (either in plaintext or ciphertext) are
never seen by any attacker. The keys generated by the vulnerable
versions of Debian are vulnerable simply because they have low
entropy, and can thus be easily guessed.
This means that neither your passphrase nor information related to the
use of your passphrase should ever have been exposed by your
Debian-based systems, regardless of whether your keys were generated
by a vulnerable installation.
(I suggest obtaining additional verification before relying on this
assessment. I assume, though, that you're asking because it would be
difficult to change all the places that your current passphrase is
recorded; I might also suggest, as a matter of practical security,
that it might be a good idea to identify all the places the passphrase
is used and write them down in the event that some more pressing
reason is found in the future to change it -- such as an employee with
privileged access leaves your organization.)
Thanks for the information. Someone else suggested (off the list) that it
would be best to assume that the passwords are compromized anyway.
Hence I went ahead and replaced all the passphrases, which has you
suggest has the added benefit of identifying who knows which passphrase.
Thanks to all who replied!
Laurent Birtz
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
