Crippling Crypto: The Debian OpenSSL Debacle

Presented at The Last HOPE (2008), July 19, 2008, noon (60 minutes).

In May 2008, a weakness in Debian was discovered which makes cryptographic keys predictable. A Debian-specific patch to OpenSSL broke the pseudo-random number generator two years ago, which led to guessable SSL and SSH keys. The vulnerability allows for impersonation of secure servers, as well as the potential to login to SSH secured systems. Since many popular derivatives like Ubuntu and Xandros are affected, the weak keys are found all over the Internet. The panel will present their approach to generating lists of weak keys using cloud computing and explain how they collected large numbers of SSL certificates of which several thousand are weak.


Presenters:

  • Jacob Appelbaum
    Jacob Appelbaum is a world traveler, photographer, Unix computer user, and �cold boot ninja.�
  • Dino Dai Zovi
    Dino Dai Zovi is an information security professional and independent security researcher. He has presented his research on hardware virtualization rootkits, 802.11 wireless client security, and exploitation techniques at BlackHat, CanSecWest, Microsoft's BlueHat Security Briefings, and Defcon. He is best known for discovering and exploiting a vulnerability in Apple QuickTime to break into a fully patched Macbook Pro at the PWN2OWN contest at CanSecWest 2007.
  • Karsten Nohl
    Karsten Nohl hacks hardware with folks at CCC and some of the Shmoos. He is currently finishing his PhD at UVA where his research bridges theoretical cryptography and hardware implementation. Some of his current projects deal with RFID crypto, privacy protection, and the value of information.

Links:

Similar Presentations: