with RSA saying the NSA has put a backdoor in their code when
“To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual_EC_DRNG [cryptographic keys generator] and move to a different PRNG [Pseudo-random Number Generator],” warned RSA’s letter, as quoted by The Wall Street Journal.
And what can we do NOW while waiting on the kernel devs to make the changes?
I don't know and don't even know where to start looking for that PRNG. All I know is that I use RSA keys for keyless SSH access all the time for both personal and business use. I'd like to be reassured that those keys are not generated via this broken code that allows the NSA and others to just walk in whenever they damn well please.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,610
Quote:
Originally Posted by lleb
Well, as long as those backdoors are not used in Fedora/RHEL I'll be a bit more at ease.
We can never know for certain, but I would assume that the three-letter-agencies can break into anything you have one way or another.
I wouldn't worry though -- if they want what you have they'll take it anyway and if they don't then you're just one of a herd and the likelihood of them using you as a scapegoat is the same as for anyone else. In fact, if you do go ahead and strengthen your crypto more than most you're just drawing a target on yourself for them to label you a "terrorist" or "pedophile".
The battle is lost -- the rubber hose and water-board is more powerful than any computer.
Kind of skewed comments. Just because there is a hole in their security doesn't mean NSA put it there and the articles don't suggest it. It also doesn't mean every good hacker and hacker country isn't already aware of RSA's flawed software.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,610
Quote:
Originally Posted by jefro
Kind of skewed comments. Just because there is a hole in their security doesn't mean NSA put it there and the articles don't suggest it. It also doesn't mean every good hacker and hacker country isn't already aware of RSA's flawed software.
RSA seem to get as close to saying "The NSA put this back door in" as they think they can get away with.
The US agencies have made it abundantly clear in the past that they insist on a back door into any crypto and are well known for bribery, corruption and unconstitutional behaviour when looking for corporate intelligence.
Given that problems with Dual_EC_DRNG were uncovered back in 2007, it seems strange that anyone is still using it now...
Of particular note is the second link you posted because it leads to http://csrc.nist.gov/groups/STM/cavp...g/drbgval.html. OpenSSL is on the list and sure, it had Dual_EC_DRBG tested, but only as one out of four DRBGs, unlike McAfee and Microsoft, the latter of which chose to test only two DRBGs for Windows 8, of which the comment for Dual_EC_DRBG reads "...to permit the use of FIPS 140-2 Level 1 compliant cryptography". As discussed elsewhere, using Dual_EC_DRBG isn't the default for performance reasons alone, so the choice must be a deliberate one.