/debianopenssl

Private keys vulnerable to Debian OpenSSL bug (CVE-2008-0166)

Creative Commons Zero v1.0 UniversalCC0-1.0

debianopenssl

Private keys vulnerable to Debian OpenSSL bug (CVE-2008-0166)

In 2008 a bug in Debian's and Ubuntu's OpenSSL package led to predictable private keys. While the number of keys is limited, it takes a few considerations to create a proper list of all plausibly affected keys. This repository contains the keys used for the blocklist in the badkeys tool.

Notes about the Debian OpenSSL bug:

  • The keys depend on the process ID (PID). Valid PIDs range from 0 to 32767. Keys created with PID 0 are unlikely, but they are included. On 64 bit plattforms, it is possible to configure the kernel to allow larger PIDs, but this is unlikely.
  • Keys from the openssl command line tool and OpenSSH's ssh-keygen are different.
  • Keys generated with openssl's genrsa and req commands are the same.
  • openssl creates different keys depending on whether a file .rnd is present or absent in the home dir.
  • Without the .rnd file older (e.g. 0.9.8c from etch) and newer (e.g. 0.9.8g from lenny) openssl versions produce different keys.
  • ssh-keygen does not create 512 bit RSA keys (768 is the minimum size).
  • openssl supports changing the exponent value to 3, but this does not change the modulus. Therefore only keys with the default exponent value are included. When creating a blocklist, it is therefore recommended to check the modulus and not the full key.
  • ssh-keygen only supports DSA keys with 1024 bit size.
  • Generating DSA keys with openssl is a two-step process (first generating parameters, then the key), therefore the number of possible keys is much larger. They are not considered here as using DSA keys in SSL/TLS was never common.
  • Keys created on the big endian architectures PowerPC, SPARC, and HPPA are identical.
  • Keys created on MIPS are different. However, given the rare use of that platform, they are not considered.
  • Elliptic curve / ECDSA keys are supported by openssl, but not by openssh. A large number of possible curves are supported, but only the NIST P-256 and P-384 curves are commonly in use in TLS certificates.

This repo currently includes:

  • RSA keys with 1024, 2048, 3072, and 4096 bit.
  • DSA keys with 1024 bit (only openssh).
  • ECDSA keys with the P-256 and P-384 curves (only openssl).
  • Created with PIDs from 0 to 32767.
  • Keys created with both openssl and ssh-keygen (dirs ssl/ssh).
  • Keys created on little endian 32 bit (x86) and 64 bit (amd64) architectures and common big endian 32 bit (PowerPC/SPARC/HPPA) architectures.
  • All three openssl variations (with/without .rnd, old/new versions).

It does not include unusual key sizes, nonstandard PID values, nonstandard exponent values, keys created on MIPS, or DSA keys created with openssl.

The directory structure is:

rsa2048
 ssl
  le32
   $pid-rnd.key
   $pid-nornd-old.key
   $pid-nornd-new.key
  le64...
  be32...
 ssh
  le32
   $pid.key
  le64...
  be32...
rsa...
dsa1024
 ssh
  ...
ecp256
 ssl
  ...

links