Le 06/01/2014 20:20, [email protected] a écrit :
Jean-Yves Migeon <[email protected]> wrote:
> And if the attacker can test it remotely, we should be able to
> test it locally with access to the private key, or am I missing
> something?
I do not understand that part -- what do you mean? Collecting entropy
information through side channels like TCP ack/seq numbers, SYN
cookies,
... ?
If the attacker is able to factor a key using knowledge of skewed PRNG,
then we should be able to do the same in order to test key strength.
And
since such a test would ran locally, it could have unlimited access to
crypto generated using the private key.
Disclaimer: not a cryptographer, so you should ask the ones out there
(Colin? :) ).
First things first: having access to the private key will give you all
you need anyway: P, Q (the primes), modulus (N), D (private exponent)
and E (public one, 65537 99% of the time). They are stored with the
private key:
$ openssl rsa -noout -text -in .ssh/id_rsa
The problem gets harder when you did not store P and Q (cipher/decipher
requires only N, D, and E). Getting back P and Q when N, D, E are known
seems non trivial to me (better ask a crypto for this).
A "skewed" PRNG matters when you originally select P and Q: you have to
get them at random, so someone has no way to know which ones are picked
up in a given range ( [2^511, 2^512] for example).
A skewed PRNG will not pick them "randomly". So your attacker will try
to generate primes knowing the weaknesses of your PRNG. That part is
important: you _have_ to know how the PRNG behaves in addition to its
state.
In your case the only way to test the "strength" of your key set is:
- to get P and Q back (easy: see above);
- have a test that verify they are not trivial given the knowledge you
have about the PRNG.
I am not aware of such a test for Lunix's PRNG, even less so for the
NetBSD/FreeBSD one.
--
Jean-Yves Migeon
