OpenSSL PRNG

Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
Thu Jul 12 05:59:08 EST 2001


On Wed, Jul 11, 2001 at 06:29:50PM +0100, J.S.Peatfield at damtp.cam.ac.uk wrote:
> Just for peace of mind, can someone who knows the openssh code better than
> I do, confirm that openssh doesn't use (in any circumstances) the openssl
> prng (since the code in versions prior to 0.9.6b is rather weak).
> 
> My understanding is that it doesn't (using either /dev/random, egd, prngd or
> the builtin code), but I may have missed some other use of the openssl prng
> elsewhere...

Nobody from the OpenSSH team has spoken up until now. Probably they are busy
checking things out :-)

OpenSSH does use the cryptographic routines of OpenSSL so it also uses
the OpenSSL PRNG. /dev/random etc are used as sources to seed this internal
PRNG.

Now for the weakness: due to the way the "random bytes" were retrieved,
an attacker might have accessed the internal state of the PRNG and, starting
from that point, predicted new random numbers.
For this to work, the attacker would need to retrieve the "random bytes"
in very small chunks (down to 1 byte) and he would need 1024 bytes of them.
(Technical details are in the Announcement.)

Any protocol that only retrieves random bytes in larger quantities
is not vulnerable. Therefore programs using the SSL layer of OpenSSL
are not vulnerable, as session keys, session ids etc. are all built from
larger numbers of random bytes. As new keys are generated for each session,
the pool will be mixed in between, and therefore even if an attacker could
get the one single byte in each attempt, it would not help him due to
the mixing.

I did not analyze the SSH protocol in detail, but as far as I can see
keys are always generated with a certain minimum length, effectively
preventing the problem. Additionally: for each new connection, a new ssh
process is started (having its own entropy pool) or sshd is spawned (with a
different entropy pool, as the pid is mixed in).
sshd is reseeded in between, which is also an effective countermeasure.

Not officially speaking for the OpenSSL TEAM. For the official statement,
please read the announcement that was agreed upon before :-)
In the announcement we wrote:
"No application is known to us which is actually vulnerable."
And we meant it that way, seriously. I do use OpenSSH. Probably most
of the OpenSSL team members do use OpenSSH. Maybe all use it :-)
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
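
The condition the mail describes (many very small RAND_bytes requests adding up to about 1024 bytes with no reseed in between) can be checked for in an application's library-call trace. The following is an added audit helper, not code from the post or from OpenSSL/OpenSSH; it assumes an ltrace(1)-style line format and uses constructed sample lines with made-up addresses, and the 16-byte "small chunk" threshold is an assumption chosen for illustration.

```python
import re

# Constructed sample in an ltrace-like format; addresses and values are made up.
SAMPLE_TRACE = """\
RAND_seed(0x7ffd1000, 32) = <void>
RAND_bytes(0x55aa0010, 16) = 1
RAND_bytes(0x55aa0020, 1) = 1
RAND_bytes(0x55aa0021, 1) = 1
RAND_add(0x7ffd2000, 8, 8.000000) = <void>
RAND_bytes(0x55aa0030, 1) = 1
"""

CALL_RE = re.compile(r"^(RAND_\w+)\((?P<args>[^)]*)\)")
RESEED_CALLS = {"RAND_seed", "RAND_add", "RAND_load_file"}
SMALL_CHUNK = 16    # assumed threshold: requests below this count as "small"
STATE_BYTES = 1024  # the amount of small-chunk output the mail says is needed


def audit_rand_trace(lines, small_chunk=SMALL_CHUNK, state_bytes=STATE_BYTES):
    """Return (worst_run, flagged): worst_run is the largest number of bytes
    obtained through small RAND_bytes requests between two reseeds; flagged
    is True when that run reaches state_bytes, i.e. the risky pattern."""
    run = 0     # small-chunk bytes since the last reseed
    worst = 0
    for line in lines:
        m = CALL_RE.match(line.strip())
        if not m:
            continue  # not an OpenSSL RAND_* call
        name = m.group(1)
        if name in RESEED_CALLS:
            # Mixing new material into the pool breaks the run, as the mail
            # notes for sshd's reseeding and per-session key generation.
            worst = max(worst, run)
            run = 0
        elif name == "RAND_bytes":
            num = int(m.group("args").split(",")[1].strip())
            if num < small_chunk:
                run += num
    worst = max(worst, run)
    return worst, worst >= state_bytes


if __name__ == "__main__":
    print(audit_rand_trace(SAMPLE_TRACE.splitlines()))  # (2, False)
```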



More information about the openssh-unix-dev mailing list