[cryptography] Duplicate primes in lots of RSA moduli

Paul Hoffman paul.hoffman at vpnc.org
Mon Feb 20 12:53:16 EST 2012


On Feb 20, 2012, at 9:22 AM, Thierry Moreau wrote:

> First, let me put aside the initial entropy assessment issue -- it's not solvable without delving into the details, and let me assume the FreeBSD entropy collection is good, at the possible cost of slowing down the boot process.

But that is central to this thread.

FreeBSD doesn't block on first boot because it doesn't create SSH keys on first boot. The security team decided long ago that good security that system administrators could not screw up was of high priority. Thus, FreeBSD doesn't come with SSH installed; it has to be installed after installation. This has two big security wins:

- There is no chance that the OpenSSH version that is part of the distro has a bug that was later fixed, because there is no OpenSSH version in the distro.

- The act of first booting and then pulling down things like OpenSSH gives the entropy pool a chance to grow to a sufficient size to create good keys.

> So, the FreeBSD design appears reasonable to me. Can it be brought into Linux? Is it a Linux design flaw to omit boot-time entropy assessment?

Different Linux distros make different choices. Linux is an operating system, not a distribution. FreeBSD is a distribution.

> My answers are "only as an option" and "no".

Given the above, I suggest that both of your answers are wrong. Even if a distro creator wants to include an ssh server as part of the distro, it is obviously dangerous to generate keys immediately on the first boot. The only possible reason to do so is so that the installer can immediately log in over SSH, but without knowing the actual keys being created. That is possibly tolerable on a network where there is no possible MITM, but is otherwise piss-poor security.

A trivial way around the problem, even if you want to include an ssh server as part of the distro, is to not start the ssh server in the first boot but to include a program that will install it later. The program that creates the ssh keys could check for /dev/random being blocked and, if it is, let the operator type a bunch of stuff that would unblock it.

--Paul Hoffman
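
The check suggested in the message above, sketched as an added example that is not part of the original post and is not FreeBSD or OpenSSH code. The function names, the 32-byte probe size, the retry limit and the default key path are assumptions made for illustration.

```python
import os
import subprocess
import sys

PROBE_BYTES = 32  # assumption: 32 readable bytes counts as "not blocked"


def random_ready(device="/dev/random", nbytes=PROBE_BYTES):
    """Return True if `device` yields nbytes without blocking."""
    fd = os.open(device, os.O_RDONLY | os.O_NONBLOCK)
    try:
        # A short read also means the pool could not satisfy the request.
        return len(os.read(fd, nbytes)) == nbytes
    except BlockingIOError:  # EAGAIN: a normal read would have blocked
        return False
    finally:
        os.close(fd)


def wait_for_entropy(probe=random_ready, ask=input, max_rounds=20):
    """Prompt the operator until probe() succeeds; return prompts shown.

    Raises RuntimeError instead of letting key generation proceed
    while the device is still blocked.
    """
    rounds = 0
    while not probe():
        if rounds == max_rounds:
            raise RuntimeError("/dev/random still blocked; not creating keys")
        # The typed text is discarded. On Linux it is the timing of
        # console key events that the kernel mixes into the pool.
        ask("Entropy pool is low. Type some random text and press Enter: ")
        rounds += 1
    return rounds


def create_host_key(path="/etc/ssh/ssh_host_rsa_key"):
    """Generate an RSA host key only after the entropy check passes."""
    wait_for_entropy()
    # ssh-keygen: -q quiet, -t key type, -f output file, -N passphrase
    subprocess.run(["ssh-keygen", "-q", "-t", "rsa", "-f", path, "-N", ""],
                   check=True)


if __name__ == "__main__":
    create_host_key(*sys.argv[1:2])
```

The probe itself consumes 32 bytes from the device. Recent Linux kernels block /dev/random only until the generator has been initialized once, so there the check matters mainly on first boot.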