Debian OpenSSL Blunder
Hats off once again to HD Moore of Metasploit fame for exposing a serious weakness introduced into the Debian distribution of OpenSSL in September 2006. As Moore explains it, the problem began when the team addressed a different potential vulnerability having to do with uninitialized data. To fix it, they removed one line of code. Moore shows how this had "...the side effect of crippling the seeding process for the OpenSSL PRNG." (PRNG is pseudo-random number generator.) It removed substantial randomness from the seed for the PRNG, leaving the process ID, which maxes out at 32,768, as the only input.

This allowed Moore to pre-generate all 32,768 possible keys and do a brute-force attack. The fact that OpenSSL uses 1024-bit or larger keys didn't matter, because the randomness in them had been so greatly diminished. Moore was able to generate all the 1024-bit DSA and 2048-bit RSA keys for an SSH account in a couple of hours on 31 2.33GHz Xeon cores, and he has published them.

The ISC also makes the point that to fix the damage caused by this problem you don't just update your software; you have to recreate certificates, get them signed again, and re-encrypt. Other Debian-based distributions, such as Ubuntu, are also affected; in fact, Moore has published all the keys for the Ubuntu root file system. The ISC recommends that you monitor your logs for evidence of brute-force password log-ins. It also points out that Web site certificates generated with Debian have a huge problem because the public key is public; in such cases, no brute-forcing is even needed, since Moore has done all the work already.

Debian has published a tool to detect such weak keys. Engineers at the German company Cynops tested public keys at all the major certificate authorities and found none affected.
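Because the process ID was the only seed input, the full set of weak keys can be enumerated once and every deployed key checked against it. The sketch below is an added example, not code from the original post or from Debian's detection tool: `toy_keygen` is a hypothetical hash-based stand-in for key generation (it is not OpenSSL), and the key names and PIDs are constructed sample data.

```python
import hashlib
import os

# Per the article: the process ID was the only seed input, 32,768 values.
PID_SPACE = 32768


def toy_keygen(pid: int, key_type: str = "rsa-2048") -> bytes:
    """Hypothetical stand-in for a generator whose only entropy is the PID.

    Same PID and key type always yield the same 256-byte "public key".
    """
    return hashlib.sha256(f"{key_type}:{pid}".encode()).digest() * 8


def fingerprint(pubkey: bytes) -> str:
    """Fingerprint used for the lookup (SHA-256 chosen for this example)."""
    return hashlib.sha256(pubkey).hexdigest()


def build_blocklist(key_type: str = "rsa-2048") -> frozenset:
    """Enumerate every key the crippled generator could emit for one key type."""
    return frozenset(
        fingerprint(toy_keygen(pid, key_type)) for pid in range(1, PID_SPACE + 1)
    )


def audit(keys: dict, blocklist: frozenset) -> list:
    """Return the names of keys that must be regenerated and re-signed."""
    return sorted(n for n, pub in keys.items() if fingerprint(pub) in blocklist)


def sample_keys() -> dict:
    """Constructed inventory: two keys from an affected host, one healthy key."""
    return {
        "alice@web01": toy_keygen(4242),    # made on an affected host
        "bob@laptop": os.urandom(256),      # properly seeded generator
        "deploy@build": toy_keygen(31999),  # made on an affected host
    }


if __name__ == "__main__":
    blocklist = build_blocklist()
    print(f"{len(blocklist)} possible weak keys for this key type")
    for name in audit(sample_keys(), blocklist):
        print(f"WEAK: {name} -> regenerate key, reissue certificate")
```

The nominal key size never enters the check: membership in a 32,768-entry set decides it, which is why updating the package alone does not repair keys that already exist.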

Comments (1)
Larry, time to hire an editor. Check the grammar between the brackets below.
The ISC also [indicates makes] the point [that to get fix the damage] caused by this problem you...
[Corrected. Thanks Mark.]
Posted by Mark | May 15, 2008 10:19 AM