research!rsc: Lessons from the Debian/OpenSSL Fiasco

Last week, Debian announced that in September 2006 they accidentally broke the OpenSSL pseudo-random number generator while trying to silence a Valgrind warning. One effect this had is that the ssh-keygen program installed on recent Debian systems (and Debian-derived systems like Ubuntu) could only generate 32,767 different possible SSH keys of a given type and size, so there are a lot of people walking around with the same keys.Many people have had fingers pointed at them, but it is not really interesting who made the mistake: everyone makes mistakes. What's interesting is the situation that encouraged making the mistake and that made it possible not to notice it for almost two years.To do that, you have to understand the code involved and the details of the bug; those require understanding a little bit about entropy and random number generators.

research!rsc: Lessons from the Debian/OpenSSL Fiasco

Blogged with the Flock Browser