Issue No. 05 - September/October (2008 vol. 6)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2008.131
David Ahmad , Bombardier Aerospace
A patch to the OpenSSL package maintained by Debian GNU/Linux (an operating system composed of free and open source software that can be used as a desktop or server OS) submitted in 2006 weakened its pseudo-random number generator (PRNG), a critical component for secure key generation. Unnoticed for two years, the weak PRNG created a crypto-implementation nightmare with wide-ranging consequences that are difficult to repair. Putting both servers and users at risk, this vulnerability affected OpenSSH, Apache (mod_ssl), the onion router (TOR), OpenVPN, and other applications. In this article, I'll examine the issue and its consequences.
cryptography, pki, vulnerability, ssl, ssh, Debian, GNU/Linux
D. Ahmad, "Two Years of Broken Crypto: Debian's Dress Rehearsal for a Global PKI Compromise," in IEEE Security & Privacy, vol. 6, no. , pp. 70-73, 2008.