Hi!
On Sat, May 17, 2008 at 04:18:07PM +0200, ropers wrote:
> 2008/5/17 Curt Micol [EMAIL PROTECTED]:
> > http://leaf.dragonflybsd.org/mailarchive/kernel/2008-05/msg00038.html
> > Here is some more information including a list of keys:
> > http://metasploit.com/users/hdm/tools/debian-openssl/
> > Thought I'd share. It's possible I am wrong and this isn't a good
> > idea, but I can't think of any reason why it isn't.
>
> I can actually think of an entirely theoretical reason why the
> exclusion of the affected keys could conceivably, hypothetically be
> considered to be disadvantageous: It reduces the key space; i.e.
> future attackers of systems that have blacklisted these keys might
> know that they have a few less combinations to try.
It excludes 32k or 64k possibilities out of *how many*? Frankly, how
many 512 or even more bit prime numbers are there? (You generate two
roughly 512 bit primes for a 1024 bit RSA key, that's the main grounds
for the key space of 1024 RSA keys.)
See
http://en.wikipedia.org/wiki/Prime_number#Counting_the_number_of_prime_numbers_below_a_given_number
for a basic reference on that question: The *rough* estimate is, the
number of prime numbers below n is roughly n/ln n. So the number of 512
bit prime numbers is roughly (2^512 / ln 2^512) - (2^511 / ln 2^511).
The base 2 logarithm of that, according to bc, is about 502. So we have
about 502 bits of entropy to spend on *one* of the primes. If we exclude
2^16 of them, so what? Even if we excluded 2^501 of them, we'd still
have 501 bits of entropy left.
[...]
Kind regards,
Hannah.
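
The estimate in the message above, carried through in Python for several prime sizes. This is an added example, not part of the original mail; the function names are made up for illustration, and it follows the mail's simplification of treating the blacklist as removing candidates for one prime.

```python
import math

LN2 = math.log(2)

def log2_pi(bits):
    """log2 of the estimate n / ln n for the number of primes below n = 2**bits."""
    return bits - math.log2(bits * LN2)

def log2_kbit_primes(k):
    """log2 of the estimated number of primes p with 2**(k-1) <= p < 2**k."""
    hi, lo = log2_pi(k), log2_pi(k - 1)
    # pi(2**k) - pi(2**(k-1)), computed in log space so large k cannot overflow
    return hi + math.log2(1.0 - 2.0 ** (lo - hi))

def entropy_loss_bits(total_bits, excluded_bits):
    """Bits lost when 2**excluded_bits of 2**total_bits equally likely values
    are blacklisted: log2(N) - log2(N - E)."""
    if excluded_bits >= total_bits:
        raise ValueError("cannot exclude the whole space")
    # log1p keeps precision when the excluded fraction is tiny
    return -math.log1p(-(2.0 ** (excluded_bits - total_bits))) / LN2

def bits_after_exclusion(total_bits, excluded_bits):
    """Entropy left after the blacklist is applied."""
    return total_bits - entropy_loss_bits(total_bits, excluded_bits)

if __name__ == "__main__":
    # Prime sizes for 1024, 2048 and 4096 bit RSA moduli
    for k in (512, 1024, 2048):
        total = log2_kbit_primes(k)
        loss = entropy_loss_bits(total, 16)
        print(f"{k}-bit primes: about {total:.2f} bits; "
              f"excluding 2^16 costs about 2^{math.log2(loss):.0f} bits")
    total = log2_kbit_primes(512)
    print(f"excluding 2^501 of the 512-bit primes leaves "
          f"{bits_after_exclusion(total, 501):.2f} bits")
```
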