
Re: openssl-blacklist & two keys per one pid



Kees Cook wrote:
The rule is simple. When the ~/.rnd file doesn't exist I get one key, and in the other situation I get another key (the one listed in the Ubuntu openssl-blacklist). Because of this problem openssl-blacklist has to be twice as big as openssh-blacklist. I developed simple shell scripts to generate a list of all key lengths we are interested in. They are attached.

Yes, this was realized during the generation of the openssl-blacklist in
Ubuntu.  We're expecting to have the more complete lists published soon,
for all 3 architectures.

I discovered that there is also a 3rd key, which you get if you pass an empty file via -rand. Keys created in this way are still the same, so it's another possible compromised key. I'm not sure if it is worth spending time on counting these keys...

I also published a full list of compromised keys in lengths 1024 and 2048 for Intel 32-bit and 64-bit platforms on my website. There are more keys than in the Ubuntu blacklist, but I'm missing others. I'm planning to publish the 4096-bit key list tomorrow. I'm not going to publish complete archives of private keys.

Thanks!  We can verify our lists against yours to make sure we're all on
the same page.  :)

I deleted that one big file and published files split by architecture and key length:

http://pocitace.tomasek.cz/debian-randomness/openssl-compromited-keys.rsa_1024_x86_32.txt
http://pocitace.tomasek.cz/debian-randomness/openssl-compromited-keys.rsa_1024_x86_64.txt
http://pocitace.tomasek.cz/debian-randomness/openssl-compromited-keys.rsa_2048_x86_32.txt
http://pocitace.tomasek.cz/debian-randomness/openssl-compromited-keys.rsa_2048_x86_64.txt
http://pocitace.tomasek.cz/debian-randomness/openssl-compromited-keys.rsa_4096_x86_32.txt
http://pocitace.tomasek.cz/debian-randomness/openssl-compromited-keys.rsa_4096_x86_64.txt

They are all complete now. 4096 took longer than I was expecting.


What is your 3rd architecture? On Ubuntu pages I see only PC (Intel x86) desktop CD and 64-bit PC (AMD64) desktop CD?

--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/

