
openssl-blacklist & two keys per one pid



Hello,

When this OpenSSL bug was announced, our main interest at CESNET was to warn users of our CA. We were thinking about using the keys published by H D Moore <hdm[at]metasploit.com> at the page http://metasploit.com/users/hdm/tools/debian-openssl/

My colleague developed a script for converting X509 certificates to an SSH key hash. It was strange when we realized that none of the issued certificates matched. It is because the OpenSSH and OpenSSL blacklists are not compatible. OpenSSH and OpenSSL use a different exponent when creating a private key.

During experiments with brute force scripts I discovered that sometimes I get a different key. Its probability was two degrees below the 1st key. I got 100 instances of the 1st key and 1 instance of the 2nd key. Today, with help from Florian Weimer, I realized that it is related to concurrent processes and to the ~/.rnd file.

The rule is simple. When the ~/.rnd file doesn't exist I get one key, and in the other situation I get another key (the one listed in the Ubuntu openssl-blacklist). Because of this problem, openssl-blacklist has to be twice as big as openssh-blacklist. I developed simple shell scripts to generate a list of all key lengths we are interested in. They are attached.

I also published a full list of compromised keys in lengths 1024 and 2048 for Intel 32bit and 64bit platforms on my website. There are more keys than in the Ubuntu blacklist, but I'm missing others. I'm planning to publish the 4096 bit key list tomorrow. I'm not going to publish complete archives of private keys.

My blacklist is located at http://tomasek.cz/software/debian-randomness/openssl-compromited-keys.txt

--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/

Attachment: key-gen2.sh
Description: application/shellscript

Attachment: key-gen2-exec.sh
Description: application/shellscript
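An added example, not part of the original message or its attachments: a checker a CA operator could run over issued certificates, keyed on the RSA modulus rather than an SSH key hash and carrying both per-PID variants (with and without ~/.rnd). The row layout, the fingerprint scheme (last 20 hex digits of SHA-1 over the `Modulus=...` line printed by `openssl x509 -noout -modulus`) and all sample values are assumptions of this example.

```python
import hashlib
import subprocess

def modulus_line(pem_path):
    """Ask the openssl CLI for a certificate's 'Modulus=<HEX>' line."""
    done = subprocess.run(
        ["openssl", "x509", "-noout", "-modulus", "-in", pem_path],
        check=True, capture_output=True, text=True)
    return done.stdout.strip()

def _hex_modulus(mod_line):
    hexmod = mod_line.strip().split("=", 1)[1].upper()
    int(hexmod, 16)  # raises ValueError on anything that is not hex
    return hexmod

def fingerprint(mod_line):
    """Assumed list format: last 20 hex digits of SHA-1 over the modulus line."""
    data = f"Modulus={_hex_modulus(mod_line)}\n".encode()
    return hashlib.sha1(data).hexdigest()[20:]

def key_bits(mod_line):
    return int(_hex_modulus(mod_line), 16).bit_length()

def load_blacklist(rows):
    """Rows use a hypothetical layout: bits arch variant pid fingerprint."""
    table = {}
    for row in rows:
        if not row.strip() or row.lstrip().startswith("#"):
            continue
        bits, arch, variant, pid, fp = row.split()
        table[(int(bits), fp.lower())] = (arch, variant, int(pid))
    return table

def check(mod_line, table):
    """Return (arch, variant, pid) if the key is blacklisted, else None."""
    return table.get((key_bits(mod_line), fingerprint(mod_line)))

# Constructed sample: toy 64-bit moduli standing in for the two keys that one
# PID produces, depending on whether ~/.rnd existed. Not real weak keys.
NO_RND = "Modulus=" + "C3" * 8
WITH_RND = "Modulus=" + "D5" * 8
SAMPLE = load_blacklist([
    "# bits arch variant pid fingerprint",
    f"64 i386 no-rnd 4242 {fingerprint(NO_RND)}",
    f"64 i386 rnd 4242 {fingerprint(WITH_RND)}",
])

if __name__ == "__main__":
    for line in (NO_RND, WITH_RND, "Modulus=" + "E7" * 8):
        print(line, "->", check(line, SAMPLE))
```

For real certificates, pass `modulus_line("cert.pem")` to `check` with a table loaded from a list in the same format.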

