On Tue, 20 May 2008, Bernie Innocenti wrote:
> Chris Ball wrote:
>> I've disabled logins with DSA keys on dev.laptop.org. Turns out that
>> while your RSA key is only vulnerable if *created* on a weak Debian or
>> Ubuntu machine, your DSA key is vulnerable if *used* on Debian/Ubuntu¹,
>> due to DSA having a greater reliance on randomness.
>
> Hopefully this doesn't mean that the _private_ DSA key can be
> compromised if the _public_ key was copied on a Debian/Ubuntu machine.
> If something like this was even possible, it would make the whole
> asymmetrical key scheme rather useless :-)

The argument is that the PRNG used by buggy versions is predictable, and so
someone could observe the communication and brute-force attack the
handshake, deciphering the key in the process.

David Lang
_______________________________________________
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel
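
Added illustration, not part of any message in this thread: the reliance on randomness discussed above comes from the secret per-signature number k that DSA needs for every signature. The sketch below uses a constructed toy group, key, message and nonce range (all assumptions, far too small for real use) to show that a key pair generated with good randomness is still exposed by one signature made with a guessable k, which is why such keys have to be replaced and not just regenerated host-side.

```python
import hashlib

# Toy DSA group, constructed for illustration and far too small for real use:
# Q divides P - 1, and G = 2^((P-1)/Q) mod P generates the subgroup of order Q.
P, Q, G = 607, 101, 64

def digest(msg):
    """Message hash reduced into the signing group."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(x, k, msg):
    """Textbook DSA: private key x, per-signature secret nonce k."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (digest(msg) + x * r) % Q
    return r, s

def key_from_nonce(k, msg, sig):
    """Rearranging s = k^-1 (H(m) + x*r) gives x = (s*k - H(m)) * r^-1 mod Q."""
    r, s = sig
    return (s * k - digest(msg)) * pow(r, -1, Q) % Q

def exposed_key(y, msg, sig, guessable_nonces):
    """Return the private key if the nonce came from a guessable set, else None."""
    for k in guessable_nonces:
        if pow(G, k, P) % Q != sig[0]:
            continue                      # this candidate did not produce r
        x = key_from_nonce(k, msg, sig)
        if pow(G, x, P) == y:             # confirm against the public key
            return x
    return None

# Constructed sample: key pair made with good randomness, one signature made
# where the nonce generator could only output values 1..32.
X = 57
Y = pow(G, X, P)
MSG = b"constructed sample message"
SIG = sign(X, 23, MSG)

if __name__ == "__main__":
    print("recovered private key:", exposed_key(Y, MSG, SIG, range(1, 33)))
```

Copying or storing the public value Y on any machine plays no part in this; only the act of signing with a guessable k does.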