Issue No.05 - September/October (2008 vol.6)
David Ahmad , Bombardier Aerospace
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2008.131
A patch to the OpenSSL package maintained by Debian GNU/Linux (an operating system composed of free and open source software that can be used as a desktop or server OS) submitted in 2006 weakened its pseudo-random number generator (PRNG), a critical component for secure key generation. Unnoticed for two years, the weak PRNG created a crypto-implementation nightmare with wide-ranging consequences that are difficult to repair. Putting both servers and users at risk, this vulnerability affected OpenSSH, Apache (mod_ssl), the onion router (TOR), OpenVPN, and other applications. In this article, I'll examine the issue and its consequences.
cryptography, pki, vulnerability, ssl, ssh, Debian, GNU/Linux
David Ahmad, "Two Years of Broken Crypto: Debian's Dress Rehearsal for a Global PKI Compromise", IEEE Security & Privacy, vol.6, no. 5, pp. 70-73, September/October 2008, doi:10.1109/MSP.2008.131