Linux RNG Fail, Facebook Fake Clear, SQL Concurrency
What is the details of Linux RNG Fail? Does this mean that PGP keys generated on a linux system years ago is pwned? How can I test my key? And assuming the OS is still intact exactly the way it was when key was generated, how can this be checked if affected?
On Sun, May 6, 2018 at 9:18 PM, CANNON <cannon@cannon-ciota.info> wrote:
What is the details of Linux RNG Fail?
https://bugs.chromium.org/p/project-zero/issues/detail?id=1559 Which takes you to a pile of commits on kernel.org. There also be a CVE-2018-1108.
Does this mean that PGP keys generated on a linux system years ago is pwned?
Most of the recent RNG bugs seem to have been bootup and blocking issues. The further back, the more bugs might apply, including RNG choices themselves.
How can I test my key?
Maybe search for some weak pgp key test tools. But 'years ago' says 'test for what' exactly. Just migrate to new key, quit using the old key. Make a new one, on a current OS release, after the box being on and used for a few hours. Then figure if a compromise still matters. Analyzing that could be hard / time consuming / expensive / private.
And assuming the OS is still intact exactly the way it was when key was generated, how can this be checked if affected?
Find its exact kernel commit / version, then search the entire commit history since then for stuff like rng random number generator /dev/random /dev/urandom and see what it says. See what the OS vendor update notes say. Same for gnupg and any other parts of the whole stack. Better to just stay up to date, revoke keys on a schedule, and defend in depth. Without use case, no one can help much.
Thanks for the informative response. Although I'd rather not revoke my key as I created it with intent of it being my long term key to be used for historical reference, I shall inquire further into this matter starting with your suggestions of further research.
participants (2)
-
CANNON -
grarpamp