Re: DSA/DSS keys and DSA 1576-1/CVE-2008-0166.

To: debian-security@lists.debian.org
Subject: Re: DSA/DSS keys and DSA 1576-1/CVE-2008-0166.
From: Mario 'BitKoenig' Holbe <Mario.Holbe@TU-Ilmenau.DE>
Date: Thu, 15 May 2008 01:14:58 +0200
Message-id: <[🔎] g0frpi$nio$1@ger.gmane.org>
References: <[🔎] 20080514224051.GA31804@roeckx.be>

Kurt Roeckx <kurt@roeckx.be> wrote:
> So my question is, does either the ssh client or server use openssl to
> generate the random number used to sign?

Yes, they both do.
ssh-dss.c:ssh_dss_sign() calls openssh's DSA_do_sign() which finally
goes down to ssleay_rand_add() (via dsa_sign_setup()->BN_rand_range()->
RAND_add()->RAND_SSLeay()).
And ssh_dss_sign(), in turn, is used via key_sign() in the ssh server
as well as the client.

regards
   Mario
-- 
The secret that the NSA could read the Iranian secrets was more
important than any specific Iranian secrets that the NSA could
read.                           -- Bruce Schneier

Reply to:

Follow-Ups:
- Re: DSA/DSS keys and DSA 1576-1/CVE-2008-0166.
  - From: "Andrew McGlashan" <andrew.mcglashan@affinityvision.com.au>
- Re: DSA/DSS keys and DSA 1576-1/CVE-2008-0166.
  - From: Mario 'BitKoenig' Holbe <Mario.Holbe@TU-Ilmenau.DE>

References:
- DSA/DSS keys and DSA 1576-1/CVE-2008-0166.
  - From: Kurt Roeckx <kurt@roeckx.be>

Prev by Date: Re: [SECURITY] [DSA 1576-1] New openssh packages fix predictable randomness
Next by Date: Re: [SECURITY] [DSA 1571-1] vulnerability of past SSH/SSL sessions
Previous by thread: DSA/DSS keys and DSA 1576-1/CVE-2008-0166.
Next by thread: Re: DSA/DSS keys and DSA 1576-1/CVE-2008-0166.
Index(es):
- Date
- Thread