[Box Backup] New openssl packages fix predictable random number generator

Chris Wilson boxbackup@fluffy.co.uk
Wed, 14 May 2008 19:26:29 +0200 (CAT)


Hi Wolfgang,

On Wed, 14 May 2008, Wolfgang Trexler wrote:

> does this debian-openssl bug affect boxbackup when running on a debian 
> machine?  ==> http://www.us.debian.org/security/2008/dsa-1571
>
> If the boxbackup keys were generated on a debian machine, does that 
> mean the server store is "crackable"?
>
> The debian advice is to change any keys generated on a debian machine, but 
> given the concept of boxbackup a change of keys would demand to completely 
> delete the store and newly back up the data. (Which will generate a lot of 
> traffic and is not the same as the history is lost...)
>
> Am I right with my assumptions?

Partly. It looks like clients running Debian may have generated poor keys 
for their accounts, which may make it possible for an attacker to log into 
their accounts. Similarly, a Debian server may have generated weak server 
keys that would allow an attacker to impersonate a server.

However, the data encryption key is probably not vulnerable to this attack 
and therefore your data should be safe even if your account is 
compromised.

Changing certificate keys is not painful, but changing data encryption 
keys is.

Cheers, Chris.
-- 
_ ___ __     _
  / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |