Yves Rutschle wrote:
> On Wed, May 28, 2008 at 07:55:35PM +1200, Deane Sloan wrote:
> > Finally - how real is this concern? What is the probability that say a
> > 2048-bit generated key could fall into the 32,767 keys in the metasploit
> > SSH example on unaffected systems?
>
> 32,768 = 2^15
>
> number of 2048 bit keys: 2^2048

I think that's really oversimplified. If you look at the OpenSSL RSA key generator, you'll notice that RSA keys are built from 2 prime numbers of 1024 bits. Well, not really 1024 bits but 1022 bits, because the top and bottom bits are always set. Also, not all 2^1022 odd numbers between 2^1023 + 1 and 2^1024 - 1 are prime numbers.

Also, those prime numbers are generated using the output of the OpenSSL RNG, which is commonly (assuming no entropy from uninitialized memory, which should be the case on Linux, and no .rnd file) seeded only with the 2^15 bit PID and ENTROPY_NEEDED (32) bytes from urandom. This would mean an upper limit of 2^(15+256) = 2^271 keys that can be generated from OpenSSL (within those parameters).

> Probability that a "proper" key falls in the space of the
> "bad debian" keys: 2^15 / 2^2048 = 1 / 2^2033.
>
> That's a lot of zeros before the first non-zero digit.

I get 2^15 / 2^271 = 1 / 2^256, which is a lot less impressive than your figure but still a very small probability.

Sincerely,
--
Mathias Brossard
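The argument in the thread, as an added example that is not part of the original messages: a toy model of the Debian/OpenSSL bug built from 16-bit primes instead of 1024-bit ones, so that the whole 32,767-entry "bad PID" blacklist can be generated in a couple of seconds. The seeding (PID alone when the bug is present; PID plus 32 bytes from urandom when it is not), the "top and bottom bits set" candidate generation and the SHA-1 fingerprint blacklist mirror the description above; the function names, the 16-bit prime size and the way PID and entropy are hashed into a seed are assumptions made for illustration, not OpenSSL's actual code.

```python
import hashlib
import math
import os
import random

# Toy parameters (assumption: 16-bit primes stand in for 1024-bit ones).
PRIME_BITS = 16
PID_MAX = 2 ** 15        # Linux PIDs were 15-bit at the time: 1..32767
ENTROPY_NEEDED = 32      # bytes OpenSSL reads from /dev/urandom when healthy


def is_prime(n: int) -> bool:
    """Trial division; adequate for 16-bit candidates in this toy model."""
    if n < 2:
        return False
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def random_prime(rng: random.Random, bits: int) -> int:
    """Mimic the key generator: random candidate with the top and bottom
    bits forced to 1 (so only bits-2 bits are free), retried until prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand


def keygen(pid: int, entropy: bytes) -> int:
    """Toy RSA key generation: seed a PRNG from (PID, entropy) and return
    the modulus n = p*q.  Hashing PID||entropy into the seed is an
    assumption standing in for OpenSSL's pool mixing."""
    seed = hashlib.sha256(pid.to_bytes(2, "big") + entropy).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    p = random_prime(rng, PRIME_BITS)
    q = random_prime(rng, PRIME_BITS)
    return p * q


def debian_keygen(pid: int) -> int:
    """The bug: the urandom bytes never reach the pool, so only the PID
    seeds the generator and at most 2^15 distinct keys can come out."""
    return keygen(pid, b"")


def healthy_keygen(pid: int, entropy: bytes = None) -> int:
    """Unaffected system: PID plus ENTROPY_NEEDED bytes from urandom."""
    if entropy is None:
        entropy = os.urandom(ENTROPY_NEEDED)
    return keygen(pid, entropy)


def fingerprint(modulus: int) -> str:
    """SHA-1 of the big-endian modulus bytes, used as the blacklist key."""
    raw = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return hashlib.sha1(raw).hexdigest()


def build_blacklist() -> set:
    """Enumerate every key the buggy generator can produce (one per PID)."""
    return {fingerprint(debian_keygen(pid)) for pid in range(1, PID_MAX)}


def is_blacklisted(modulus: int, blacklist: set) -> bool:
    return fingerprint(modulus) in blacklist


def toy_keyspace_size() -> int:
    """Number of distinct moduli a healthy toy generator could produce:
    unordered pairs {p, q} (p == q allowed) of primes in [2^15, 2^16)."""
    primes = sum(1 for n in range(1 << (PRIME_BITS - 1), 1 << PRIME_BITS)
                 if n & 1 and is_prime(n))
    return primes * (primes + 1) // 2


def log2_collision_probability(blacklist_bits: int, keyspace_bits: int) -> int:
    """log2 of the chance that a healthy key lands in the blacklist, for the
    two figures in the thread: (15, 2048) -> -2033 and (15, 271) -> -256."""
    return blacklist_bits - keyspace_bits


if __name__ == "__main__":
    bl = build_blacklist()
    print("buggy generator produces", len(bl), "distinct toy keys")
    print("healthy toy key space:", toy_keyspace_size(), "moduli")
    print("pid 4242 buggy key blacklisted:", is_blacklisted(debian_keygen(4242), bl))
    print("pid 4242 healthy key blacklisted:", is_blacklisted(healthy_keygen(4242), bl))
    print("real-world log2 probability, 2^271 key space:",
          log2_collision_probability(15, 271))
```

In the toy model the blacklist covers a noticeable fraction of the roughly 4.6 million possible moduli, which is why the real sizes matter: scaling PRIME_BITS back to 1024 leaves the same 2^15-entry blacklist facing a key space bounded by 2^271 (or 2^2048 under the naive count), and the healthy-key check above then essentially never fires.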