Debian and Ubuntu Users: Fix Your Keys
Online merchants who have used a Debian-based operating system to generate secure sockets layer (SSL) certificates for encrypting customer communications should check to make sure the private key needed to decrypt those transactions isn't already posted on the Web for all to see.
Normally, even if an attacker is able to intercept https:// traffic between a commercial Web site and a customer, the bad guy is unable to make sense of it without the private key held by the Web site owner. But new research published this week points to a weakness in Debian's cryptographic process that potentially gives eavesdroppers the tools to quickly discover the key needed to unlock https:// transactions and view the traffic in plain text.
Most cryptographic systems work by generating a set of public and private keys, and the trick to generating strong, virtually unbreakable keys is randomness. The process starts with an extremely long random number -- known as a "seed" -- that is fed into various mathematical algorithms to generate two keys: one that is shared with the public (i.e., anyone who attempts to connect to the https:// site), and one that is kept private by the site owner and used to decrypt the incoming traffic and transaction data.
On Tuesday, the Debian project said there had been a slight problem with the randomness portion of that equation. Apparently, one line of code in the component used to create random seeds was coughing up strange error or warning messages for a subset of Debian users, and at some point, developers simply removed the troublesome line of code. But in doing so, they inadvertently reduced the number of random seed values from a near infinite number down to 32,768 possibilities. To compound the situation, a security researcher has released a tool that could be used by attackers to quickly deduce the private key from the subset of the 32,768 possibilities.
This means that any commercial sites using cryptographic keys generated with a Debian-based operating system (including the popular Ubuntu and Xubuntu systems) between Sept. 2006 and this week need to go back and regenerate those keys. This includes not only SSL keys, but also secure shell (SSH) keys typically used to securely log in to computer systems over the Internet.
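Why a seed space of 32,768 values makes every affected key identifiable, shown as an added example that is not from the original article or the Debian project: when the seed is the only source of randomness, all keys that could ever be produced can be enumerated ahead of time, so an administrator can build a blocklist and audit deployed keys against it. `toy_keygen` is a hypothetical SHA-256 stand-in rather than OpenSSL's generator, and the key names and values are constructed samples.

```python
import hashlib

SEED_SPACE = 32768  # possible seed values after the change, per the article


def toy_keygen(seed: int) -> bytes:
    """Hypothetical stand-in for a key generator whose only entropy is `seed`.

    SHA-256 is used purely to get a deterministic 32-byte "key"; this is
    not OpenSSL's algorithm and produces no real SSL or SSH keys.
    """
    return hashlib.sha256(b"toy-keygen:" + seed.to_bytes(2, "big")).digest()


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, so the blocklist never stores key material."""
    return hashlib.sha256(key).hexdigest()[:32]


def build_blocklist() -> frozenset:
    """Enumerate every seed once and record the fingerprint of its key."""
    return frozenset(fingerprint(toy_keygen(s)) for s in range(SEED_SPACE))


def audit(keys: dict, blocklist: frozenset) -> dict:
    """Map each key name to True if it must be regenerated."""
    return {name: fingerprint(k) in blocklist for name, k in keys.items()}


# Constructed sample inventory: two keys from the reduced seed space and one
# key derived from input outside it (standing in for a properly seeded key).
SAMPLE_KEYS = {
    "web-frontend": toy_keygen(1337),
    "ssh-bastion": toy_keygen(32767),
    "regenerated": hashlib.sha256(b"constructed properly seeded key").digest(),
}

if __name__ == "__main__":
    blocklist = build_blocklist()
    print(f"{len(blocklist)} fingerprints cover the entire weak key space")
    for name, weak in audit(SAMPLE_KEYS, blocklist).items():
        print(f"{name:13} {'REGENERATE' if weak else 'ok'}")
```

The whole table is built in well under a second, which is why key length offers no protection here: the strength of a key is bounded by the number of seeds it could have come from.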