SSH DSA logins on crank.

Tue May 20 09:50:36 EDT 2008

Hi,

On 20.05.2008 14:30, Holger Levsen wrote:
> On Tuesday 20 May 2008 14:13, Carl-Daniel Hailfinger wrote:
>   
>>> Not by copying to, but by using with, yes, unfortunatly.
>>>       
>> Sorry, "using with" is very imprecise language and leads many people to
>> the wrong conclusion.
>>     
>
> If you think that "using" was confusing here, you should probably also remove 
> the confusion by suggesting a better word. I still think "using" is correct 
> here.
>
>   
>>> Read http://blog.sesse.net/blog/tech/2008-05-14-17-21_some_maths.html -
>>> in short, if the randomness is not really random, DSA can be attacked
>>> rather easily. That's why debian.org and freedesktop.org don't allow DSA
>>> keys at all anymore.
>>>       
>> Everybody points to the blog entry, but nobody seems to read it. The
>> entry states that if you used the private DSA key on a Debian/Ubuntu
>> machine for login to another machine, it might be compromised. 
>>     
>
> You haven't understood the entry.
>   

I claim you didn't understand.

> Let me quote the relevant bit:
>
> "For instance, Applied Cryptography (Schneier) says (thanks to Peter Palfrader 
> for digging up the quote): Each signature requires a new value of k, and that 
> value most be chosen randomly. If Eve ever recovers a k that Alice used to 
> sign a message, perhaps by exploiting some properties of the random number 
> generator that generated k, she can recover Alice's private key, x. If Ever 
> ever gets two messages signed using the same k, even if she doesn't know what 
> it is, she can recover x. And with x, Eve can generate undetectable forgeries 
> of Alice's signature. In any implementation of the DSA a good random-number 
> generateor is essential to the system's security."
>   

Right, the random number generator on the sender side (the one where the
private key is stored) generates k. The random number generator on the
receiver side doesn't even appear in signature generation..

>> Short version: The
>> combination of bad random numbers and a private DSA key on the same
>> machine is harmful.
>>     
>
> Wrong, also the combination of a bad random numbers and a public DSA key has 
> to be considered harmful. If someone sniffed your traffic (which you have to 
> consider), you have to consider your DSA keys to be compromised.
>   

Recovering k is harmful. k is generated by the machine where the private
key is stored.

Please tell me where exactly you see the random number generator of the
destination host to have any influence on generation of k.

If k were generated by the receiving host, Bob would always be able to
recover Alice's private key and we'd call DSA a symmetric key algorithm,
not a public/private key algorithm.

Regards,
Carl-Daniel