The Keys of the 2008 Debian OpenSSL Vulnerability
Some time ago, I was investigating the Debian OpenSSL bug (DSA-1571;
for an explanation of the bug see [1][2]).
Since I was interested not only in the mainstream keys (2048 bits and shorter)
but in the longer keys as well, I had to generate a large number of keys.
For those of you who are still interested in the Debian
OpenSSL bug, I have put them here on the website.
The bug was found and fixed three years ago (May 2008), so these keys
will hardly be in use anywhere anymore
(and how to generate them has not been a secret since the discovery of the
bug anyway), but they might still have some value for
academic purposes: generating them takes a long time unless you have some
powerful machines at hand, and the longer
keys in particular are not contained in the usual blacklists.
There exist a number of different key sets; a good description of the
different types can be found in the paper by Yilek, Rescorla, Shacham, Enright, and Savage [3]:
    Because the binary representation in memory of certain values is added
    to the entropy pool, not a canonical representation, our key generation
    must account for the target platform's endianness and native word size.
    In addition, the presence of a file called .rnd in the user's home
    directory affects the behavior of OpenSSL's command-line utilities. If
    it is present, its contents are added to the entropy pool. Accordingly,
    we must generate two sets of keys: ones assuming the presence of .rnd,
    one its absence. (Because of the Debian bug, the contents of the
    randomness file are not consulted; all 1024-byte files produce the same
    result.) When .rnd is missing, versions of OpenSSL before and after
    0.9.8f have different behavior that we must again account for.
    Debian-derived distributions shipped versions with both behaviors, so we
    must account for both. [3]
It is true that the content of the .rnd file has no effect on the result,
but its size does, or more precisely its size in kilobytes: a 1024-byte
.rnd file produces a result different from that of a 2048-byte .rnd file.
In addition, the "-rand" option yields further distinct key sets, again
depending only on the size of the seed file in kilobytes.
The "-3" option of the openssl command, which changes the public
exponent of the RSA key from 65537 to 3, produces, of course, a
different set of keys. Note that this is not simply the same modulus with
a different exponent: OpenSSL's key generation loop throws away a candidate
prime p whenever gcd(p-1, e) != 1 and draws a fresh one, which for e = 3
happens whenever p is congruent to 1 mod 3. Only for those PIDs where
neither p-1 nor q-1 is divisible by 3 does the "-3" key share its modulus
with the 65537 key (just the exponent is different); otherwise the rejected
candidate shifts the position in the PID-determined random stream and the
modulus differs as well, so a blacklist of moduli generated with the default
exponent does not cover all "-3" keys. Keep in mind, too, that comparing two
keys by the hash of the complete public key does not work if one of them was
generated using the "-3" option and the other was not, even when their
moduli are identical. Compare only the moduli if you want to avoid this
problem.
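To make the modulus question concrete, here is a toy model added for this page (it is neither the author's key-generation setup nor OpenSSL's code): it reproduces the accept/reject loop of OpenSSL's rsa_gen.c with small 40-bit primes and a random stream seeded only by a "PID", as the Debian bug effectively did, and shows for which PIDs the e = 3 and e = 65537 runs end up with the same modulus. The prime generator, the 80-bit key size and the two fingerprint functions are simplifications chosen for illustration, not anything from the original page.

```python
"""Toy model of OpenSSL's RSA key generation loop, used to show when a
"-3" key shares its modulus with the default e = 65537 key."""
import hashlib
import math
import random
from collections import namedtuple

RsaKey = namedtuple("RsaKey", "n e p q rejected")

# Fixed Miller-Rabin bases: exact for every n < 3.3e24, more than enough
# for the toy 40-bit primes used here.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(rng: random.Random, bits: int) -> int:
    """Draw odd candidates with the top bit set until one is prime. Like
    BN_generate_prime_ex, every call consumes bits from the same stream."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(rng: random.Random, bits: int, e: int) -> RsaKey:
    """Mirror of the loop in OpenSSL's rsa_gen.c: a prime p is only accepted
    if gcd(p - 1, e) == 1, otherwise it is thrown away and a new one drawn,
    which moves the position in the random stream."""
    half = bits // 2
    rejected = 0
    while True:
        p = gen_prime(rng, half)
        if math.gcd(p - 1, e) == 1:
            break
        rejected += 1
    while True:
        q = gen_prime(rng, half)
        if q == p:
            continue
        if math.gcd(q - 1, e) == 1:
            break
        rejected += 1
    return RsaKey(p * q, e, p, q, rejected)


def keys_for_pid(pid: int, bits: int = 80):
    """Stand-in for the Debian bug: the stream is a function of the PID only,
    so both runs start from the identical sequence of random bits."""
    k65537 = rsa_keygen(random.Random(pid), bits, 65537)
    k3 = rsa_keygen(random.Random(pid), bits, 3)
    return k65537, k3


def pubkey_fingerprint(k: RsaKey) -> str:
    """Hash over modulus and exponent, like a hash over the whole key file."""
    return hashlib.sha256(f"{k.n:x}:{k.e:x}".encode()).hexdigest()


def modulus_fingerprint(k: RsaKey) -> str:
    """Hash over the modulus only: the comparison recommended above."""
    return hashlib.sha256(f"{k.n:x}".encode()).hexdigest()


def survey(pids):
    """Count how many PIDs yield the same modulus for e = 3 and e = 65537."""
    same = different = 0
    for pid in pids:
        k65537, k3 = keys_for_pid(pid)
        if k65537.n == k3.n:
            same += 1
        else:
            different += 1
    return same, different


if __name__ == "__main__":
    print("same / different moduli over 200 toy PIDs:", survey(range(200)))
```

Roughly a quarter of the PIDs end up with identical moduli (those where both primes are congruent to 2 mod 3); for exactly those keys the whole-key fingerprint still differs while the modulus fingerprint matches, which is the comparison pitfall described above.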
Using the file ubunturoot.tar [2], I generated keys for each of
the 32768 possible PIDs, on each of three
platforms (little-endian 32-bit, big-endian 32-bit, and little-endian
64-bit), for each of three .rnd conditions (present;
missing, old behavior; missing, new behavior). I also generated
keys using the ssh-keygen command instead of openssl.
The filename of each key file consists of the prefix "inkey-" followed by one code from each of the following groups, joined with "-":
a) Key generation command: openssl [OSSL] or ssh-keygen [SSHK]
b) Key length: 768 [0768], 1024 [1024], 2048 [2048], 3072 [3072], 4096 [4096]
c) Architecture, three of which have to be considered: "normal" PC architecture, i.e. little-endian 32-bit [X86]; PowerPC architecture, i.e. big-endian 32-bit [PPC]; and little-endian 64-bit [64B]
d) .rnd file: did exist during key generation [RND] or did not exist [NOR]
e) OpenSSL version: older than 0.9.8f [OLD] or newer [NEW]; if the .rnd
file did exist during key generation this is irrelevant [XXX], therefore only three out of
four possible combinations exist: [RND-XXX], [NOR-OLD], [NOR-NEW]
f) "-rand" option: none [XXXX], 1k seed file [RAND0], 2k seed file [RAND1], 3k seed file [RAND2], ...
g) Exponent: not encoded (no code)
h) Process ID (PID): 0 to 32768 [00000 ... 32768]
i) [REG] ("regular"); reserved for future use
Example: inkey-OSSL-3072-X86-RND-XXX-RAND1-00042-REG
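The following parser and builder for this naming scheme is an added example written for this page, not a tool from the key archive itself. The code tables are taken from the list above; the reading of RANDn as an (n+1)-kilobyte seed file follows the order in which the page lists the codes and is an assumption, as are the PID bound of 32768 (taken from the page's stated range) and all helper names.

```python
"""Parse and rebuild the inkey-... filenames used for the key archives."""
import re
from dataclasses import dataclass
from typing import Optional

# Code tables from the filename description above.
TOOLS = {"OSSL": "openssl", "SSHK": "ssh-keygen"}
BITS = {"0768": 768, "1024": 1024, "2048": 2048, "3072": 3072, "4096": 4096}
ARCHS = {"X86": "little-endian 32-bit", "PPC": "big-endian 32-bit",
         "64B": "little-endian 64-bit"}
RND = {"RND": True, "NOR": False}
VERSIONS = {"OLD": "before 0.9.8f", "NEW": "0.9.8f or later", "XXX": None}
PID_MAX = 32768            # the page encodes PIDs as 00000 .. 32768
_RAND_RE = re.compile(r"^RAND(\d+)$")


@dataclass(frozen=True)
class KeyName:
    tool: str
    bits: int
    arch: str
    rnd_file_present: bool
    openssl_version: Optional[str]   # None when the .rnd file was present (XXX)
    rand_seed_kb: Optional[int]      # None when no "-rand" option was used (XXXX)
    pid: int
    tag: str = "REG"


def _lookup(table, code, what):
    if code not in table:
        raise ValueError(f"unknown {what} code {code!r}")
    return table[code]


def parse_key_filename(name: str) -> KeyName:
    parts = name.split("-")
    if len(parts) != 9 or parts[0] != "inkey":
        raise ValueError(f"not an inkey filename: {name!r}")
    _, tool, bits, arch, rnd, ver, rand, pid, tag = parts
    rnd_present = _lookup(RND, rnd, ".rnd")
    version = _lookup(VERSIONS, ver, "version")
    # Only three of the four .rnd/version combinations exist:
    # RND-XXX, NOR-OLD and NOR-NEW.
    if rnd_present and ver != "XXX":
        raise ValueError("version code must be XXX when the .rnd file was present")
    if not rnd_present and ver == "XXX":
        raise ValueError("version code must be OLD or NEW when the .rnd file was absent")
    if rand == "XXXX":
        seed_kb = None
    else:
        m = _RAND_RE.match(rand)
        if not m:
            raise ValueError(f"bad -rand code {rand!r}")
        # Assumption: the page lists XXXX, RAND0, RAND1, ... against
        # none, 1k, 2k, ..., so RANDn is read as an (n+1)-kilobyte seed file.
        seed_kb = int(m.group(1)) + 1
    if not (len(pid) == 5 and pid.isdigit() and int(pid) <= PID_MAX):
        raise ValueError(f"bad PID field {pid!r}")
    if tag != "REG":
        raise ValueError(f"unknown tag {tag!r}")
    return KeyName(_lookup(TOOLS, tool, "tool"), _lookup(BITS, bits, "key length"),
                   _lookup(ARCHS, arch, "architecture"), rnd_present, version,
                   seed_kb, int(pid), tag)


def _code_for(table, value):
    return next(code for code, v in table.items() if v == value)


def build_key_filename(k: KeyName) -> str:
    """Inverse of parse_key_filename; enforces the same three-combination rule."""
    if k.rnd_file_present:
        if k.openssl_version is not None:
            raise ValueError("openssl_version must be None when .rnd was present")
        ver = "XXX"
    else:
        if k.openssl_version is None:
            raise ValueError("openssl_version is required when .rnd was absent")
        ver = _code_for(VERSIONS, k.openssl_version)
    rand = "XXXX" if k.rand_seed_kb is None else f"RAND{k.rand_seed_kb - 1}"
    return "-".join(("inkey", _code_for(TOOLS, k.tool), _code_for(BITS, k.bits),
                     _code_for(ARCHS, k.arch), "RND" if k.rnd_file_present else "NOR",
                     ver, rand, f"{k.pid:05d}", k.tag))


def is_valid_key_filename(name: str) -> bool:
    try:
        parse_key_filename(name)
        return True
    except ValueError:
        return False
```

Because the builder rejects the RND-OLD, RND-NEW and NOR-XXX combinations just like the parser does, a directory listing can be round-tripped through both functions to check that every archive member follows the scheme.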
The Keys
Each .tar file contains the 32768 keys for all process IDs.
3072 bits:
OpenSSL, X86 architecture, with .rnd file, no "-rand" option
OpenSSL, X86 architecture, no .rnd file, new OpenSSL version, no "-rand" option
OpenSSL, X86 architecture, no .rnd file, old OpenSSL version, no "-rand" option
OpenSSL, X86 architecture, no .rnd file, old OpenSSL version, "-rand" option with 3k seed file
OpenSSL, PowerPC architecture, with .rnd file, no "-rand" option
ssh-keygen, X86 architecture
4096 bits:
OpenSSL, X86 architecture, no .rnd file, new OpenSSL version, no "-rand" option
OpenSSL, X86 architecture, no .rnd file, old OpenSSL version, no "-rand" option
References
[1] Debian Security Advisory DSA-1571-1:
openssl -- predictable random number generator,
13 May 2008,
http://www.debian.org/security/2008/dsa-1571
[2] HD Moore:
OpenSSL Predictable PRNG Toys,
http://digitaloffense.net/tools/debian-openssl/
[3] Scott Yilek, Eric Rescorla, Hovav Shacham, Brandon Enright, Stefan Savage:
When Private Keys are Public: Results from the 2008 Debian OpenSSL Vulnerability,
IMC'09, November 4-6, 2009, Chicago, Illinois, USA
Last revision: May 28th, 2011