Predictable RNG in the Vulnerable Debian OpenSSL Package, the What and the How

Presented at DEF CON 16 (2008), Aug. 9, 2008, 1 p.m. (50 minutes)

Recently, the Debian project announced an OpenSSL package vulnerability which they had been distributing for the last two years. This bug makes the PRNG predictable, affecting the keys generated by openssl and every other system that uses libssl (eg. openssh, openvpn). We will talk about this bug, its discovery and publication, its consequences, and exploitation. As well, we will demonstrate some exploitation tools.

Presenters:

• Maximiliano Bertacchini - Researcher, CITEFA/Si6
  Maximiliano Bertacchini is a PhD student in Computer Engineering at ITBA (Technological Institute of Buenos Aires). He is a researcher at CITEFA's Si6 Information Security Labs in Buenos Aires, Argentina.
• Luciano Bello - Engineer (Information Systems),CITEFA/Si6
  Luciano Bello is an Engineer (Information Systems) and works as a researcher at CITEFA's Si6 Information Security Labs in Buenos Aires, Argentina. He has been a Debian Developer since 2007.

Links:

• https://defcon.org/html/defcon-16/dc-16-speakers.html#Bello
• https://infocon.org/cons/DEF CON/DEF CON 16/DEF CON 16 video/DEF CON 16 - Bello and Bertacchini - Predictable RNG - Video.mp4
• https://www.youtube.com/watch?v=odNNmL42WMQ

Similar Presentations:

• ToorCon San Diego 17 (2015) / Improving OpenSSL Performance
• The Last HOPE (2008) / Crippling Crypto: The Debian OpenSSL Debacle