[cryptography] Duplicate primes in lots of RSA moduli

ianG iang at iang.org
Tue Feb 21 07:57:44 EST 2012

On 21/02/12 04:22 AM, Thierry Moreau wrote:
> Ben Laurie wrote:
>>> On Sun, Feb 19, 2012 at 05:57:37PM +0000, Ben Laurie wrote:
>>>> In any case, I think the design of urandom in Linux is flawed and
>>>> should be fixed.
>> In FreeBSD random (and hence urandom) blocks at startup, but never again.
> The mental model for authentication key generation operation should
> reflect the fact that "it requires the computer to roll dice very
> secretly for your protection, but the computer is very poor at this type
> of dice rolling -- it may thus take time and/or require you to input
> anything on the keyboard/mouse/touchscreen until adequate dice shaking
> simulation has been achieved".
> If security experts are not prepared to face this fact -- true random
> data collection and associated entropy assessment can not be made
> intrinsic to a computer system -- we are unjustified to expect OS
> suppliers to provide a magic fix, or software developers to take the
> liberty to solve an issue which is seldom stated.

I think I agree.  I'd characterise it as like this:  if you don't care 
that much, it's good enough.  If you care an awful lot, you have to do 
it yourself anyway.  The solutions out there seem aligned with that 
needs curve.

> In this perspective, the root cause for the RSA modulus GCD findings is
> the security experts inability to recognize and follow-up the
> ever-present challenges of secret random data generation. As such, the
> Linux design is seldom at stake.

Yeah.  There is an inability on the part of some security people and all 
the media to accept that some designers have accepted a risk rather than 
stomp it dead.


More information about the cryptography mailing list