Date: Wed, 21 Oct 2015 23:09:16 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security <oss-security@...ts.openwall.com> Subject: Re: Prime example of a can of worms On Wed, Oct 21, 2015 at 10:45 PM, Joshua Rogers <oss@...ernot.info> wrote: > On 22/10/15 15:27, Kurt Seifried wrote: > > Ideally we'd like > > to see people using different primes (e.g. hardware manufacturers not > using > > the same primes as everyone else) and where possible people needing more > > security (e.g. a VPN hosting provider) should generate their own keys > > securely. > Could it be possible to generate a new prime in the background, and when > it has been generated, on the next reboot use that one instead? And if > there is not enough time for the new prime to be generated, it falls > back to the old one? > > I agree that manufacturers should be using a different prime per, at > least, batch of products. > > My fear would be device makers getting it horribly wrong on the devices in question. E.g.: http://www.theregister.co.uk/2015/10/21/german_govt_mulls_security_tests_of_sohopeless_routers/ Having a large pool of known good primes would be easier for them to use I suspect. Sadly we can't let perfect be the enemy of the good, or in this case the "not completely terrible". > > Thanks, > -- > -- Joshua Rogers <https://internot.info/> > > -- -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert@...hat.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ