Two Years of Broken Crypto: Debian's Dress Rehearsal for a Global PKI Compromise

David Ahmad

doi:10.1109/MSP.2008.131

Security&Privacy
2008
Issue No. 5 - September/October
Abstract - Two Years of Broken Crypto: Debian's Dress Rehearsal for a Global PKI Compromise

	This Article
	Subscribers, please Login Purchase article: $19 PDF HTML IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/EndNote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by David Ahmad

Two Years of Broken Crypto: Debian's Dress Rehearsal for a Global PKI Compromise

September/October 2008 (vol. 6 no. 5)

pp. 70-73

	ASCII Text	x
	David Ahmad, "Two Years of Broken Crypto: Debian's Dress Rehearsal for a Global PKI Compromise," IEEE Security & Privacy, vol. 6, no. 5, pp. 70-73, September/October, 2008.

	BibTex	x
	@article{ 10.1109/MSP.2008.131, author = {David Ahmad}, title = {Two Years of Broken Crypto: Debian's Dress Rehearsal for a Global PKI Compromise}, journal ={IEEE Security & Privacy}, volume = {6}, number = {5}, issn = {1540-7993}, year = {2008}, pages = {70-73}, doi = {http://doi.ieeecomputersociety.org/10.1109/MSP.2008.131}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - MGZN JO - IEEE Security & Privacy TI - Two Years of Broken Crypto: Debian's Dress Rehearsal for a Global PKI Compromise IS - 5 SN - 1540-7993 SP70 EP73 EPD - 70-73 A1 - David Ahmad, PY - 2008 KW - cryptography KW - pki KW - vulnerability KW - ssl KW - ssh KW - Debian KW - GNU/Linux VL - 6 JA - IEEE Security & Privacy ER -

David Ahmad, Bombardier Aerospace

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2008.131

A patch to the OpenSSL package maintained by Debian GNU/Linux (an operating system composed of free and open source software that can be used as a desktop or server OS) submitted in 2006 weakened its pseudo-random number generator (PRNG), a critical component for secure key generation. Unnoticed for two years, the weak PRNG created a crypto-implementation nightmare with wide-ranging consequences that are difficult to repair. Putting both servers and users at risk, this vulnerability affected OpenSSH, Apache (mod_ssl), the onion router (TOR), OpenVPN, and other applications. In this article, I'll examine the issue and its consequences.

Index Terms:

cryptography, pki, vulnerability, ssl, ssh, Debian, GNU/Linux

Citation:

David Ahmad, "Two Years of Broken Crypto: Debian's Dress Rehearsal for a Global PKI Compromise," IEEE Security & Privacy, vol. 6, no. 5, pp. 70-73, Sept.-Oct. 2008, doi:10.1109/MSP.2008.131

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.