LinuxQuestions.org
09-20-2013, 08:56 AM   #1
lleb
Senior Member
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora/Pop!_OS
Posts: 2,873

with RSA saying the NSA has put a backdoor in their code when


is linux going to update and remove the broken code inserted by the NSA in the rsa PRNG?

http://www.bbc.co.uk/news/technology-24173977

http://rt.com/usa/nsa-weak-cryptography-rsa-110/

and many more examples out there on the facts:

Quote:
“To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual_EC_DRNG [cryptographic keys generator] and move to a different PRNG [Pseudo-random Number Generator],” warned RSA’s letter, as quoted by The Wall Street Journal.
and what can we do NOW while waiting on the kernel devs to make the changes?
 
09-20-2013, 10:02 AM   #2
ntubski
Senior Member
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,592

Quote:
Originally Posted by lleb
is linux going to update and remove the broken code inserted by the NSA in the rsa PRNG?
I haven't seen anywhere that this PRNG was in linux.
 
09-20-2013, 02:08 PM   #3
lleb
Senior Member
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora/Pop!_OS
Posts: 2,873
Original Poster

i don't know and don't even know where to start looking for that PRNG. all i know is that i use rsa keys for keyless ssh access all the time for both personal and business use. i'd like to be reassured that those keys are not generated via this broken code that allows the NSA and others to just walk in whenever they damn well please.
 
09-20-2013, 02:34 PM   #4
ntubski
Senior Member
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,592

Quote:
Originally Posted by lleb
all i know is that i use rsa keys
The articles you linked are talking about a company called RSA Security, not the RSA algorithm.

Given that problems with Dual_EC_DRNG were uncovered back in 2007, it seems strange that anyone is still using it now...

See also: Who uses Dual_EC_DRBG?
 
09-20-2013, 03:32 PM   #5
273
LQ Addict
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,585

Is this what is being asked about?
http://nakedsecurity.sophos.com/2013...oing-you-dont/
 
09-20-2013, 04:41 PM   #6
lleb
Senior Member
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora/Pop!_OS
Posts: 2,873
Original Poster

well as long as those backdoors are not used in Fedora/RHEL i'll be a bit more at ease.
 
09-20-2013, 04:49 PM   #7
273
LQ Addict
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,585

Quote:
Originally Posted by lleb
well as long as those backdoors are not used in Fedora/RHEL i'll be a bit more at ease.
We can never know for certain, but I would assume that the three-letter-agencies can break into anything you have one way or another.
I wouldn't worry though -- if they want what you have they'll take it anyway and if they don't then you're just one of a herd and the likelihood of them using you as a scapegoat is the same as for anyone else. In fact, if you do go ahead and strengthen your crypto more than most you're just drawing a target on yourself for them to label you a "terrorist" or "pedophile".
The battle is lost -- the rubber hose and water-board is more powerful than any computer.
 
09-20-2013, 07:29 PM   #8
jefro
Moderator
Registered: Mar 2008
Posts: 20,763

Kind of skewed comments. Just because there is a hole in their security doesn't mean NSA put it there and the articles don't suggest it. It also doesn't mean every good hacker and hacker country isn't already aware of RSA's flawed software.
 
09-20-2013, 07:39 PM   #9
273
LQ Addict
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,585

Quote:
Originally Posted by jefro
Kind of skewed comments. Just because there is a hole in their security doesn't mean NSA put it there and the articles don't suggest it. It also doesn't mean every good hacker and hacker country isn't already aware of RSA's flawed software.
RSA seem to get as close to saying "The NSA put this back door in" as they think they can get away with.
The US agencies have made it abundantly clear in the past that they insist on a back door into any crypto and are well known for bribery, corruption and unconstitutional behaviour when looking for corporate intelligence.
 
09-21-2013, 02:57 AM   #10
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by ntubski
Given that problems with Dual_EC_DRNG were uncovered back in 2007, it seems strange that anyone is still using it now...
Of particular note is the second link you posted because it leads to http://csrc.nist.gov/groups/STM/cavp...g/drbgval.html. OpenSSL is on the list and sure it had Dual_EC_DRBG tested but only as one out of four DRBGs, unlike McAfee and Microsoft, the latter of which chose to test only two DRBGs for Windows 8, of which the comment for Dual_EC_DRBG reads "...to permit the use of FIPS 140-2 Level 1 compliant cryptography". As discussed elsewhere, using Dual_EC_DRBG isn't the default for performance reasons alone, so the choice must be a deliberate one.
 
All times are GMT -5.