
Re: Plans to deploy openssl-blacklist in Debian?




On 16-05-2008 06:34, Kees Cook wrote:
> On Thu, May 15, 2008 at 09:31:25PM -0300, Felipe Augusto van de Wiel (faw) wrote:
>> 	Speaking about that, are there plans to deploy
>> openssl-blacklist in Debian as an official package?
> 
> I'd be happy to get the Ubuntu blacklists into Debian -- honestly I
> haven't had time yet (travelling, Ubuntu responsibilities, etc).
> 
> Given the sizes of the various blacklists, I'd like to perhaps provide
> multiple packages.  The openssh-blacklist was a balance between size and
> default-generated keys.  I'd like to add packages for -rsa1024 and
> -rsa4096, etc.  This could be done for openssl too, I think.
> 
> There has been some confusion (well, lack of public information) about
> generating the blacklists.  Since this is mostly public now with H D
> Moore's site[1], the random number streams were affected by three
> things:
> 
>  1) process ID
>  2) sizeof(long)
>  3) endianness
> 
> Presently, every combination of these for default dsa1024 and rsa2048
> went into openssh-blacklist.  openssl-blacklist contains one additional
> case: the existence of the .rnd file, which added another binary state,
> doubling the size of those blacklists.
> 
> Then finally we could have a -all that installed all of them if someone
> wanted it.
> 
> openvpn also needs blacklists, since it is another unique key generation
> package.  There may be others beyond that.  Jamie Strandboge (Cc'd)
> has been researching the blacklists (and built the ssl and openvpn
> blacklists in Ubuntu).
> 
> -Kees
> 
> [1] http://metasploit.com/users/hdm/tools/debian-openssl/

	I don't know if the Security Team is aware of it or is
working on it; since they are quite busy, I'm cc:ing them
so they are aware of it. I saw that Alberto Gonzalez also
commented about the OpenVPN blacklist on debian-security.

Kind regards,
--
Felipe Augusto van de Wiel (faw)
"Debian. Freedom to code. Code to freedom!"
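Added example, not code from this thread or from the openssl-blacklist package: a small Python checker in the spirit of the per-key-size blacklist packages Kees describes (-rsa1024, -rsa2048, -rsa4096). The file layout (comment header, one truncated hex digest per line), the digest rule (last 20 hex digits of SHA-1 over a "Modulus=<hex>" line) and the sample moduli are constructed assumptions for illustration; the point it makes is that a key whose size has no installed blacklist is "unknown", not "ok".

```python
import hashlib
from typing import Dict, Iterable, Set, Tuple

KeyClass = Tuple[str, int]  # (key type, modulus bit length), e.g. ("RSA", 2048)


def modulus_digest(n: int) -> str:
    """Lookup token for a modulus: last 20 hex digits of SHA-1 over a
    'Modulus=<hex>' line.  Assumed rule for this example only."""
    line = "Modulus=%X\n" % n
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]


def build_blacklist(moduli: Iterable[int]) -> str:
    """Render a blacklist file in the assumed layout: comment header,
    then one sorted digest token per line."""
    tokens = sorted(modulus_digest(n) for n in moduli)
    header = "# constructed blacklist, %d entries\n" % len(tokens)
    return header + "\n".join(tokens) + "\n"


def parse_blacklist(text: str) -> Set[str]:
    """Parse a blacklist file; reject malformed entries instead of
    silently skipping them (a truncated file must not look 'clean')."""
    tokens: Set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if len(line) != 20 or any(c not in "0123456789abcdef" for c in line):
            raise ValueError("malformed blacklist entry at line %d" % lineno)
        tokens.add(line)
    return tokens


def check_modulus(n: int, blacklists: Dict[KeyClass, Set[str]]) -> str:
    """'weak' if listed, 'ok' if the matching blacklist exists and does not
    list it, 'unknown' if no blacklist covers this key size (a non-default
    size that the installed packages never enumerated)."""
    entries = blacklists.get(("RSA", n.bit_length()))
    if entries is None:
        return "unknown"
    return "weak" if modulus_digest(n) in entries else "ok"


# Constructed sample data: these integers are not real RSA moduli.
WEAK_2048 = (1 << 2047) | 0x10001
GOOD_2048 = (1 << 2047) | 0x10003
ODD_3072 = (1 << 3071) | 0x10001
BLACKLISTS: Dict[KeyClass, Set[str]] = {
    ("RSA", 2048): parse_blacklist(build_blacklist([WEAK_2048, (1 << 2047) | 0x3])),
}
```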

