Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 21 Oct 2015 23:09:16 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Prime example of a can of worms

On Wed, Oct 21, 2015 at 10:45 PM, Joshua Rogers <oss@...ernot.info> wrote:

> On 22/10/15 15:27, Kurt Seifried wrote:
> > Ideally we'd like
> > to see people using different primes (e.g. hardware manufacturers not
> using
> > the same primes as everyone else) and where possible people needing more
> > security (e.g. a VPN hosting provider) should generate their own keys
> > securely.
> Could it be possible to generate a new prime in the background, and when
> it has been generated, on the next reboot use that one instead? And if
> there is not enough time for the new prime to be generated, it falls
> back to the old one?
>
> I agree that manufacturers should be using a different prime per, at
> least, batch of products.
>
>
My fear would be device makers getting it horribly wrong on the devices in
question. E.g.:

http://www.theregister.co.uk/2015/10/21/german_govt_mulls_security_tests_of_sohopeless_routers/

Having a large pool of known good primes would be easier for them to use I
suspect. Sadly we can't let perfect be the enemy of the good, or in this
case the "not completely terrible".


>
> Thanks,
> --
> -- Joshua Rogers <https://internot.info/>
>
>


-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ