[Box Backup] New openssl packages fix predictable random number generator

Bjarne Carlsen boxbackup@fluffy.co.uk
Thu, 15 May 2008 13:39:46 +0200


> It's reported on the appropriate Debian wiki[1] page that the bugged
> libssl was only generating 2^15 unique keys - if this was exclusively
> due to poor prng seeding then I would expect boxbackup data encryption
> keys to have the same problem.
> 
> (If that makes no sense I refer you to my disclaimer above... ;))

Box Backup does not _really_ fall under the bad spell:

- The key-generation with the rand function is not easily repeatable.
  An attacker will have to determine his attack vector not from a
  fixed set of generated keys, but from the underlying keystream.
  While the stream itself may be repeatable and may not be too long,
  (indeed most keystreams are repeatable), the starting point within
  the stream needs to be determined, and that is no trivial task.
- The data are vulnerable only at a few points:
  - In transit, where getting hold of them is not exactly trivial,
    and where they are easily protected by regenerating certificates
  - On the server, requiring access to the server, together with
    knowledge of which account holds the vulnerable data
- The keys do not necessarily have to be unique - just unknown to
  an attacker - he will not be able to separate strongly protected
  data from weakly protected, so he will have quite a job set up for
  him.

The way I see it, we are defending against the usual suspects here: The
malicious server operator, anyone from the outside able to gain
privileges on the server and finally outright theft of the whole server.
The man in the middle is not interesting, because of the easiness with
which you can regenerate and re-issue your certificates.

Those are culprits we have been dealing with since time immemorial...

Bjarne
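As an added illustration of the quoted "2^15 unique keys" figure (not code from the Box Backup project or from this thread): a toy generator whose only entropy is a 15-bit seed produces a key space small enough to enumerate, which is exactly what makes a fingerprint blacklist of every possible weak key a workable mitigation. The generator, the seed width and the fingerprint function are constructed assumptions, not Debian's actual libssl code path.

```python
import hashlib
import os

# Constructed model: the only entropy reaching the generator is a 15-bit value
# (the thread quotes 2^15 unique keys for the bugged libssl).
SEED_BITS = 15


def weak_keygen(seed: int, key_len: int = 32) -> bytes:
    """Toy key generator: a 32-byte key whose entire content is a function
    of a 15-bit seed.  Hypothetical stand-in, not the real OpenSSL PRNG."""
    seed &= (1 << SEED_BITS) - 1
    return hashlib.sha256(b"toy-keygen" + seed.to_bytes(2, "big")).digest()[:key_len]


def distinct_keys(num_keys: int) -> int:
    """Draw seeds from full OS entropy, feed them through the weak generator,
    and count how many distinct keys actually come out.  However many keys
    are requested, the answer never exceeds 2^SEED_BITS."""
    seen = set()
    for _ in range(num_keys):
        seed = int.from_bytes(os.urandom(4), "big")
        seen.add(weak_keygen(seed))
    return len(seen)


def build_blacklist() -> set:
    """The deployed mitigation pattern: enumerate every key the weak generator
    can possibly produce and store a fingerprint of each."""
    return {hashlib.sha1(weak_keygen(s)).hexdigest() for s in range(1 << SEED_BITS)}


def is_weak(key: bytes, blacklist: set) -> bool:
    """Reject a key whose fingerprint appears in the weak-key blacklist."""
    return hashlib.sha1(key).hexdigest() in blacklist


if __name__ == "__main__":
    bl = build_blacklist()
    print("possible keys:", len(bl))
    print("distinct keys from 100000 'random' draws:", distinct_keys(100000))
    print("weak key flagged:", is_weak(weak_keygen(12345), bl))
    print("fresh os.urandom key flagged:", is_weak(os.urandom(32), bl))
```

A 256-bit key drawn from a 15-bit seed is no stronger than the seed; the blacklist check is cheap because the whole weak key space fits in memory.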