Debian OpenSSL Vulnerability and Diffie Hellman keyExchange
Cryptographic keys are foundation for internet security. They are used in Encryption,Authentication and Digital Signature.
Cryptographic keys are considered to be most secure as they are harder to guess.
The Difficulty of guessing the keys are measured in entropy(The number of bits at least needed to describe it) . Entropy is measured in bits.80 bits and above are considered to be “very secure”.
Windows LanMan hashes are easy to crack(ex:rainbow tables) as their entropy is less than 36 bits.
What is OpenSSL?
OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.
The Keys generated by openssl package are often used in TLS/SSL,SSH etc.
Algorithms Implemented in OpenSSL:
OpenSSL supports a number of different cryptographic algorithms:
- Blowfish, Camellia, DES, RC2, RC4, RC5, IDEA, AES
- Cryptographic hash functions
- MD5, MD2, SHA, MDC-2
- Public-key cryptography
- RSA, DSA, Diffie-Hellman key exchange, Elliptic curve
The Debian OpenSSL Vulnerability:
The Debian version of the OpenSSL library was the subject of a security breach discovered in late May 2008 generated keys from a much smaller entropy pool than normal.
Random numbers are used in various cryptographic functions. The linux operating system makes the developers job easier by collecting random events such as the speed at which you type and the exact path at which you move the mouse and store them in /dev/urandom.The developer can use this /dev/urandom instead of coding his own random number generator.The OpenSSL package relies on this /dev/urandom (highly random,provides most of the entropy) and the process Id(just 15 bits depends on architecture) for providing randomness to its cryptographic functions.One of the debian developer tried to prevent Valgrind(Valgrind is a tool to find out memory leaks) warnings related to the use of uninitialized memory within the OpenSSL libraries.He commented out two identical lines of code, however One of which pseudorandom number generator was actually used to add entropy from /dev/urandom to the pool; and so removing it meant that the seed would be taken directly from the process ID, and nothing more.
The result is that there are only 32,767 maximum possible encryption keys for each architecture (such as i386).Its the worst bug debian ever had.Its is easy to brute force and guess the keys.
The affected distributions are Debian 4.0 (Etch) and ubuntu 7.10-8.04(as they are build on debian).
They patched this bug on may 13th its a multi line comment and they simply uncommented the two lines of code .Have a look at the vulnerability and the patch http://tinyurl.com/funnypatch
Diffie Hellman KeyExchange and OpenSSL vulnerability:
Diffie-Hellman key exchange (D-H) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.
Lets say X and Y are two hosts and they want to exchange keys with diffie hellman keyexchange algorithm
1.X chooses a prime number ‘p’ and base ‘g’
2.Then X chooses a random number ‘a’ which is secret to it
3.X computes ‘A’ and sends A,p,g to Y.
4.Similarly Y chooses a random number ‘b’ which is secret to it
5.Y also computes ‘B’ and send it to X
6.X and Y computes their secret key K using ‘B’ and ‘A’ respectively.
The computation of ‘A’, ‘B’ and ‘K’ are shown in below figure:
In the above Algorithm the Global known (known to all even man in the middle)values are p,g,’A’,’B’
The secret values are the randomly generated a and b
If one needs to guess the key he needs to guess the random numbers either ‘a’ or ‘b’….
Obviously the security of diffie hellman keyexchange algorithm is in randomness of ‘a’ and ‘b’.If we use the vulnerable version of openssl, our random number is limited to 32,767 keys.So its easy to bruteforce and guess them.
The worst part of this vulnerability is that if you are using distributions other than debian and ubuntu and say i am secure then its not true…because its the nature of diffie hellman keyexchange.
Let me explain this,lets say an vulnerable ubuntu host X exchanges keys with a clean fedora host Y using diffie hellman keyexchange. Even though the fedora is not vulnerable there are chances that secret key exchanged between fedora and ubuntu can be compromised,because an attacker can make a guess on vulnerable ubuntu’s secret key ‘a’ using A(which is easily guessable because of vulnerable openssl ubuntu) .
We can get around this problem by using blacklisting the vulnerable keys, and generating the new keys using patched openssl. There is and whole wiki available at debians website about what are all the applications affected and how to blacklist keys etc.
Here is the link: