<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
	<channel>
    	<title>STDOUT</title>
    	<link>http://www.fsfe.org/en/fellows/tonnerre/stdout</link>
    	<description></description>
    	<language>ger-DE</language>
    	<item>
      		<pubDate>Fr, 16 Mai 2008 02:11:34 +0200</pubDate>
      		<title>Debian OpenSSH key weakness FAQ</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/debian_openssh_key_weakness_faq</link>
      		<description>
									&lt;p&gt;
 A lot of confusion has arisen about the
 &lt;a href=&quot;http://blog.pas-un-geek-en-tant-que-tel.ch/archives/2008/05/13/Blind_trust_in_valgrind_-_the_Debian_OpenSSL_vulnerability/&quot;&gt;OpenSSL
  insecure PRNG vulnerability&lt;/a&gt; in Debian and related systems. This is
 an attempt to clear it up.
&lt;/p&gt;
&lt;h3&gt;Which distributions were affected?&lt;/h3&gt;
&lt;p&gt;
 All distributions which pulled their OpenSSL changes directly from Debian.
 Those are namely:
&lt;/p&gt;
&lt;p&gt;
 Debian Etch and Lenny, Ubuntu/Kubuntu/Xubuntu and related, grml,
 &lt;a href=&quot;http://www.knoppix.net/wiki/Knoppix_Customizations&quot;&gt;Knoppix and
  all living customizations&lt;/a&gt; and Univention UCS 2.0. Other Linux
 distributions may also be affected.
&lt;/p&gt;
&lt;p&gt;
 Known &lt;u&gt;not&lt;/u&gt; to be affected are: Fedora, Debian Sarge, NetBSD, OpenBSD,
 FreeBSD, DragonFlyBSD, MirBSD, Gentoo Linux, Univention UCS 1.x, Red Hat
 Enterprise Linux, OpenSuSE, SuSE Linux Enterprise, CentOS, pfSense,
 m0n0wall, Sun Solaris 10 and prior and OpenSolaris.
&lt;/p&gt;
&lt;h3&gt;What exactly is the problem?&lt;/h3&gt;
&lt;p&gt;
 Due to a &lt;a href=&quot;http://blog.pas-un-geek-en-tant-que-tel.ch/archives/2008/05/13/Blind_trust_in_valgrind_-_the_Debian_OpenSSL_vulnerability/&quot;&gt;slightly
  misguided valgrind warning patch&lt;/a&gt;, the only “random” element
 used in key generation and other random number generation processes by
 Debian was the process ID. Since typical process IDs under Linux range from
 0 to 65'535, there were only 65'536 possible different keys generated by
 the OpenSSL toolchain, also including SSH.
&lt;/p&gt;
&lt;p&gt;
 This means, specifically, that an attacker needs only 65'536 attempts to
 brute-force a key generated by any Debian tool during this period of time.
 The impact of this depends on the usage of the key: for SSH user keys,
 it means that an attacker can impersonate the affected user and log in
 as the affected user to any system where the key is in the authorized_keys
 file. For keys used for certification and encryption, such as SSH host
 keys and SSL certificates, an attacker can impersonate the affected SSH
 or web server, and can potentially read currently running and recorded
 sessions, depending on the procedure used for session key establishment.
&lt;/p&gt;
&lt;h3&gt;How can I figure out if my key was affected?&lt;/h3&gt;
&lt;p&gt;
 Debian and Ubuntu have released
 &lt;a href=&quot;http://security.debian.org/project/extra/dowkd/dowkd.pl.gz&quot;&gt;tools
  for key analysis&lt;/a&gt; which scan for patterns of the vulnerable keys by
 connecting to named hosts and looking into users' home directories for
 authorized_keys files which contain the patterns. An updated version of
 OpenSSH for Debian and Ubuntu now ships with a tool to automatically
 discover and refuse the vulnerable keys.
&lt;/p&gt;
&lt;h3&gt;My key is affected – what should I do?&lt;/h3&gt;
&lt;p&gt;
 The first point is of course to immediately update the affected packages
 if you use a Debian-derived system. Then, generate new SSH keys and replace
 them on all systems where your old SSH keys are located. Replace them
 as well on the servers of that nasty customer who left for the competition
 – imagine what would happen if he found out that you left a vulnerable
 SSH key on his host and that his host was compromised through your negligence.
&lt;/p&gt;
&lt;p&gt;
 All affected OpenSSL certificates should also be revoked immediately. Generate
 new certificates and have them signed and re-issued by your CA.
 Commercial CAs should let you reissue the certificate with the same Subject
 until the end of the certification period you have paid for. Please note that
 revocation is a critical step here; otherwise people might still impersonate
 you with your old certificate, which might, after all, still be valid.
&lt;/p&gt;
&lt;p&gt;
 Then make sure your infrastructure was not taken over by botnets through
 an insecure SSH key. Check for rootkits as well while you're at it. If your
 log host is affected, tough luck.
&lt;/p&gt;
&lt;h3&gt;How urgent is this? Will I have to act immediately?&lt;/h3&gt;
&lt;p&gt;
 Yes, this item requires your immediate attention as there are already
 &lt;a href=&quot;http://blog.pas-un-geek-en-tant-que-tel.ch/archives/2008/05/15/Botnets_exploiting_the_Debian_SSH_key_generation_weakness/&quot;&gt;botnets
  out there&lt;/a&gt; which search for accounts with vulnerable SSH keys. The
 question is not “Does anyone care about me, little Internet user?”
 — these bots are out to compromise hosts and to send spam and malware
 to other hosts. They don't care whether you are an attractive target; they
 attack anything they can find and try to send spam with it.
&lt;/p&gt;
&lt;h3&gt;I have put my securely generated private SSH user key onto a Debian
 system. Should I replace it?&lt;/h3&gt;
&lt;p&gt;
 Yes. On a Debian system, your private key was not safe during the last 2
 years. The system may have been compromised during that time, or someone
 may merely have been eavesdropping on your communication and gained
 knowledge of your SSH key. You should definitely consider it
 compromised.
&lt;/p&gt;
&lt;h3&gt;I have put my securely generated public SSH user key onto a Debian
 system. Should I replace it?&lt;/h3&gt;
&lt;p&gt;
 This depends. If your key is an RSA key, it is not compromised simply
 by putting the public key onto a server and authenticating against it.
 In the SSH 2.0 protocol, as described in RFCs 4252 and 4253, part of the
 token signed by the user as the challenge is the “session
 identifier”, which is a hash of the key exchange. This effectively
 prevents replay attacks on authentications done using a
 non-vulnerable SSH key, because the random material used as the challenge
 is not only controlled by the vulnerable SSH host, but also by the
 non-vulnerable client. Thus, the data your SSH key has to sign as a
 challenge is not vulnerable to the weak PRNG of the SSH server, and
 thus cannot compromise your key.
&lt;/p&gt;
&lt;p&gt;
 This is however not true for DSA keys. DSA has a weakness when used
 in the Diffie-Hellman key exchange process, rendering it basically
 ineffective. If the attacker gets hold of the random number used by
 the Debian SSH server in the key exchange process, this can be used
 to calculate the private DSA key from the public key with a complexity
 of 2&lt;sup&gt;16&lt;/sup&gt;, being 65'536.
&lt;/p&gt;
&lt;h3&gt;Summary&lt;/h3&gt;
&lt;ul&gt;
 &lt;li&gt;Change any key pair generated using an affected version of the
  pseudo-random number generator. This applies both to the user and
  host SSH keys, and is of course also valid for certificates.&lt;/li&gt;
 &lt;li&gt;If you have used a DSA key or certificate on a host affected by
  the vulnerability, it must be regenerated.&lt;/li&gt;
 &lt;li&gt;Assume that all data read from and written to a vulnerable machine
  may be intercepted and/or tampered with, as if no crypto layer had
  been applied in the first place.&lt;/li&gt;
 &lt;li&gt;RSA keys used to authenticate to vulnerable hosts are secure.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Acknowledgements&lt;/h3&gt;
&lt;p&gt;
 Special thanks for this go to Steven M. Bellovin, who took the time
 to go through an analysis of this entire process with me and to clear
 up my misunderstandings about the OpenSSH challenge-response procedure.
&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;font size=&quot;1&quot;&gt;(&lt;a href=&quot;http://blog.pas-un-geek-en-tant-que-tel.ch/archives/2008/05/16/Debian_OpenSSH_key_weakness_FAQ/&quot; title=&quot;Debian OpenSSH key weakness FAQ&quot;&gt;Original source&lt;/a&gt;)&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;

																			</description>
    	</item>
	    	<item>
      		<pubDate>Di, 13 Mai 2008 22:52:22 +0200</pubDate>
      		<title>Blind trust in valgrind - the Debian OpenSSL vulnerability</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/blind_trust_in_valgrind_the_debian_openssl_vulnerability</link>
      		<description>
									&lt;p&gt;
 The big run on valgrind back in 2005 and 2006 has already claimed its
 first prominent victim: the OpenSSL implementation shipped with Debian.
&lt;/p&gt;
&lt;p&gt;
 Back in May 2006, one of the Debian developers ran valgrind on
 OpenSSL in an attempt to make it more secure. Among valgrind's findings
 was an uninitialized buffer named buf in the &lt;em&gt;ssleay_rand_add&lt;/em&gt;
 function in &lt;em&gt;openssl/crypto/rand/md_rand.c&lt;/em&gt;. The programmer simply
 commented out the &lt;em&gt;MD_Update&lt;/em&gt; call which added the random data to
 the pool in order to fix the presumed flaw.
&lt;/p&gt;
&lt;p&gt;
 This blind patch was not exactly the correct thing to do. The data
 contained in buf was exactly the random pool initialization data,
 which was now no longer being added.
&lt;/p&gt;
&lt;p&gt;
 Apparently, the OpenSSL team also had its part in this game, though. The
 Debian developer sent the patch upstream, and
 &lt;a href=&quot;http://marc.info/?l=openssl-dev&amp;amp;m=114652287210110&amp;amp;w=2&quot;&gt;it was
  approved for debugging purposes&lt;/a&gt; by the OpenSSL team. Apparently,
 this was slightly misunderstood by the Debian developer, so he committed
 the now-defunct MD-based PRNG into the Debian codebase.
&lt;/p&gt;
&lt;p&gt;
 According to the audit trail of the
 &lt;a href=&quot;http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516&quot;&gt;corresponding
  Debian bug&lt;/a&gt;, the Debian SSL team approved the patch and released a
 “fixed” package in May 2006.
&lt;/p&gt;
&lt;h3&gt;The impact&lt;/h3&gt;
&lt;p&gt;
 As soon as the new OpenSSL release was deployed, Debian users would
 create keys using an MD as pseudo-random number generator with hardly
 any modifications in the random pool. As a short explanation for
 non-cryptographers: it was not really random.
&lt;/p&gt;
&lt;p&gt;
 The Debian Security team then discovered certain patterns which would
 emerge magically in most of their SSH and SSL keys, as well as keys
 from all other products which were based on OpenSSL. After several
 days if not weeks of analysis, the culprit had been tracked down to
 be that precise valgrind-triggered change.
&lt;/p&gt;
&lt;p&gt;
 The effect of this could be observed in the past couple of days by
 close followers of the Debian community. All of a sudden, the
 &lt;a href=&quot;https://ca.debian.org/&quot;&gt;web&lt;/a&gt; certificates changed, all
 authorized_keys files were removed from the project servers, and some
 SSH host keys had changed, even though none of them had expired. This
 confused the Debian community very much, and was perceived as
 “A large security incident immediately ahead”.
&lt;/p&gt;
&lt;p&gt;
 With the release of the
 &lt;a href=&quot;http://lists.debian.org/debian-security-announce/2008/msg00152.html&quot;&gt;
  Debian Security Advisory&lt;/a&gt; today, this expectation
 was finally fulfilled, and the incident was indeed a major one: users
 were asked to regenerate &lt;u&gt;all&lt;/u&gt; OpenSSL generated cryptographic
 keys since May 2006. A script was released to detect and warn about
 common patterns(!) in the various key files.
&lt;/p&gt;
&lt;h3&gt;Lessons learned&lt;/h3&gt;
&lt;p&gt;
 There are certainly various lessons to be learned from this, both on
 the cryptographic, the programming and the practical side.
&lt;/p&gt;
&lt;ol&gt;
 &lt;li&gt;&lt;strong&gt;Don't blindly trust valgrind's output.&lt;/strong&gt;&lt;br /&gt;
  This has been repeated over and over again. If valgrind finds a
  presumed flaw in your code, it does not necessarily mean it is really
  a flaw. It must be investigated very thoroughly by the programmer, and
  not patched away lightly just because it's there.
 &lt;/li&gt;
 &lt;li&gt;&lt;strong&gt;Cryptography may be counter-intuitive to a programmer.&lt;/strong&gt;&lt;br /&gt;
  I personally can't stop repeating this. What might appear as a
  runtime optimization to a programmer can indeed be a timing-based
  information disclosure on the cryptographic level, and what might
  look like an uninitialized variable might actually not want to be
  zeroed out.&lt;br /&gt;
  This is also an argument I keep repeating against GnuTLS. Cryptography
  is not something which can be handled just like that by any good
  programmer. One needs at least a diploma in maths &lt;u&gt;and&lt;/u&gt; programming
  &lt;u&gt;plus&lt;/u&gt; be a very focused computer geek and close follower of the
  cryptographic community to even be able to touch cryptographic
  products successfully. This is the reason why I have major concerns
  with the GNU community rewriting an SSL implementation from scratch
  just because they do not like the OpenSSL license.
 &lt;/li&gt;
 &lt;li&gt;&lt;strong&gt;A diversification of infrastructures may be useful at times.&lt;/strong&gt;&lt;br /&gt;
  This might be a bit counter-intuitive to those who followed the argument
  from the last paragraph, but the sole reason why the chain of trust did
  not break for the Debian team was that besides their working OpenSSL
  PKI, they also had a working, trusted and distributed GnuPG PKI. Thus,
  even though all OpenSSL keys were compromised, the GnuPG keys could
  still be used to verify the origin of various security credentials
  and to verify that the new key material et cetera was indeed originating
  from the Debian project.
 &lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;
 That said, I would like to proudly add that neither the NetBSD base nor
 the pkgsrc version of OpenSSL are affected by this bug.
&lt;/p&gt;
&lt;h3&gt;Audit trail&lt;/h3&gt;
&lt;ul&gt;
 &lt;li&gt;&lt;em&gt;22:20: Added more precise information on what keys and certificates
  changed&lt;/em&gt;&lt;/li&gt;
 &lt;li&gt;&lt;em&gt;23:25: Added reference to what exactly happened to get the patch
  approved&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;em&gt;&lt;font size=&quot;1&quot;&gt;(&lt;a title=&quot;Blind trust in valgrind - original story&quot; href=&quot;http://blog.pas-un-geek-en-tant-que-tel.ch/archives/2008/05/13/Blind_trust_in_valgrind_-_the_Debian_OpenSSL_vulnerability/&quot;&gt;Original source&lt;/a&gt;)&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;

																			</description>
    	</item>
	    	<item>
      		<pubDate>So, 17 Feb 2008 02:25:55 +0100</pubDate>
      		<title>OSS Jam Reloaded in Zurich</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/oss_jam_reloaded_in_zurich</link>
      		<description>
									
&lt;p&gt;
 After the success of the &lt;a title=&quot;Article about the first OSS jam&quot; href=&quot;https://www.fsfe.org/en/fellows/tonnerre/stdout/google_invites_to_oss_jam_lightning_talks_in_zurich&quot;&gt;first &lt;em&gt;OSS jam&lt;/em&gt;&lt;/a&gt;, Google invites people to a second round in its
 new Zurich office on February 28th, 2008. Once again, participants are
 invited to present their projects in a short 5-minute time frame,
 trying to find future project contributors.
&lt;/p&gt;
&lt;p&gt;
 This time, a topic has been set for submissions: «The desktop in the
 past, present and future». People seeking participants for
 their desktop projects are invited to present them at the jam.
&lt;/p&gt;
&lt;h2&gt;OSS Jam and Google&lt;/h2&gt;
&lt;p&gt;
 The question is of course how this fits into Google's search engine
 business. To this question, there are two different, unrelated
 answers.
&lt;/p&gt;
&lt;p&gt;
 Firstly, Google has extended its scope beyond search engines quite some
 time ago. Like Yahoo delivered widgets for web applications, Google also
 delivered the Google Widget Toolkit for Java web applications and similar
 products, and is expanding its scope to Open Source and the community.
&lt;/p&gt;
&lt;p&gt;
 Secondly, Google's OSS Jam provides the Open Source community with ways
 to &lt;em&gt;find&lt;/em&gt; new participants for their projects, and as such, there
 is a philosophical relation to the search business.
&lt;/p&gt;
&lt;p&gt;
 Either way, it is going to be interesting to watch the future development
 of this tradition.
&lt;/p&gt;
&lt;p&gt;
 For more information please visit &lt;a href=&quot;http://groups.google.com/group/open-source-jam-zurich&quot; title=&quot;Google's Open Source Jam information site&quot;&gt;Google's Open Source Jam information site&lt;/a&gt;.
&lt;/p&gt;

																			</description>
    	</item>
	    	<item>
      		<pubDate>Mo, 17 Dez 2007 01:34:01 +0100</pubDate>
      		<title>European Union and the Lisbon Treaty: the birth of a new country</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/european_union_and_the_lisbon_treaty_the_birth_of_a_new_country</link>
      		<description>
									&lt;p&gt;
 On December 13th, 2007, exactly 26 years after
 &lt;a href=&quot;http://en.wikipedia.org/wiki/Martial_law_in_Poland&quot;&gt;Poland called
  for martial law in 1981&lt;/a&gt; in order to gain back control over the
 opposition, the European Union members have signed a treaty which became
 known as the &lt;a href=&quot;http://en.wikipedia.org/wiki/Treaty_of_Lisbon&quot;&gt;Lisbon
  Treaty of 2007&lt;/a&gt;. This treaty practically establishes the European Union
 as a state of its own, along with a new constitution.
&lt;/p&gt;
&lt;p&gt;
 Most of the flaws which have been pointed out in the EU Constitution are
 also present in the Lisbon Treaty, but have not been addressed yet. As an
 example, the Lisbon Treaty contains provisions that the EU may go to war
 while individual member states may «constructively abstain»
 – thus being practically incapable of preventing having to go to
 war.
&lt;/p&gt;
&lt;p&gt;
 The Brussels Journal has an
 &lt;a href=&quot;http://www.brusselsjournal.com/node/2773&quot;&gt;analysis of the contract
  by Professor Anthony Coughlan&lt;/a&gt; which enumerates 10 major changes the
 contract is making (while surely going too far in the Eurosceptic direction
 by suggesting that the harmonization effort in itself is wrong).
&lt;/p&gt;
&lt;ol&gt;
 &lt;li&gt;It establishes a legally new European Union in the constitutional
  form of a supranational European State.&lt;/li&gt;
 &lt;li&gt;It empowers this new European Union to act as a State vis-a-vis
  other States and its own citizens.&lt;/li&gt;
 &lt;li&gt;It makes all citizens of European member states also citizens of
  this new European Union.&lt;/li&gt;
 &lt;li&gt;The same name «European Union» will be kept while the
  Lisbon Treaty changes fundamentally the legal and constitutional nature
  of the Union.&lt;/li&gt;
 &lt;li&gt;It creates a Union Parliament for the Union's new citizens.&lt;/li&gt;
 &lt;li&gt;It creates a Cabinet Government of the new Union.&lt;/li&gt;
 &lt;li&gt;It creates a new Union political President.&lt;/li&gt;
 &lt;li&gt;It creates a civil rights code for the new Union's citizens.&lt;/li&gt;
 &lt;li&gt;It makes national Parliaments subordinate to the new Union.&lt;/li&gt;
 &lt;li&gt;It gives the new Union self-empowerment powers.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;
 While the establishment of a European state is certainly a long-term
 goal to aim for, some elements of this treaty are still not acceptable.
 The current contract still contains some provisions which are not adequate
 for a constitution, and should be refined to meet the high democratic
 standards set by the member states.
&lt;/p&gt;
&lt;p&gt;
 The military cooperation charter is a rather unfortunate chapter, remembering
 the controversy of the war against Iraq, from which Germany and France chose to
 abstain. Should such a situation arise in the future, Germany and
 France might be forced to participate in the war. This is of course one of
 the consequences of the harmonization process, but there should be
 provisions declaring that a unanimous decision is required in order to
 go to war – the only way to really justify it. An exception would
 of course be when an aggression against a member state has to be
 countered.
&lt;/p&gt;
&lt;p&gt;
 This looks like yet another treaty which has not been balanced properly
 beforehand and needs a lot of further work before it will be adequate
 for the purpose it was intended for.
&lt;/p&gt;

																			</description>
    	</item>
	    	<item>
      		<pubDate>Di, 11 Dez 2007 19:34:43 +0100</pubDate>
      		<title>Amazon One-Click Patent invalidated</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/amazon_one_click_patent_invalidated</link>
      		<description>
&lt;p&gt;
 After long work in that area, the &lt;a href=&quot;http://www.ffii.org/&quot;&gt;&lt;em&gt;Foundation for a Free Information Infrastructure&lt;/em&gt; (FFII)&lt;/a&gt; has finally succeeded in getting a court to invalidate Amazon's One-Click Patent.
&lt;/p&gt;
&lt;p&gt;
 In the &lt;a href=&quot;http://press.ffii.org/Press_releases/Amazon_patent_fully_revoked%3A_skirmish_victory_for_FFII&quot; title=&quot;FFII press release about the Amazon One-Click Patent Invalidation&quot;&gt;press release&lt;/a&gt;, the FFII representatives explain how the patent was invalidated in two steps: first, the current claims were invalidated for lack of an inventive step, thus allowing Amazon to postulate new claims. However, these claims were dismissed as an infringement of Art. 123 EPC, revoking the patent in its entirety.
&lt;/p&gt;
&lt;p&gt;
 The entire debate is a clear sign that clarification of the EPC provisions would improve the situation of legal uncertainty which we're currently suffering.
&lt;/p&gt;
																			</description>
    	</item>
	    	<item>
      		<pubDate>So, 09 Dez 2007 14:18:37 +0100</pubDate>
      		<title>Germany wants stronger age verifications and bans on foreign providers</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/germany_wants_stronger_age_verifications_and_bans_on_foreign_providers</link>
      		<description>
									&lt;p&gt;
 The German Federal Court of Justice has decided in case &lt;em&gt;Az. I ZR 102/05&lt;/em&gt;
 that even stronger age verification mechanisms are required for providing
 access to adult content on the Internet. According to the Federal Court,
 the current practice of verifying ID card numbers and bank accounts
 is not sufficient, because any minor could easily gain access to this
 information.
&lt;/p&gt;
&lt;p&gt;
 The court proposes a verification process which involves the local postal
 delivery services. The deliverer is supposed to verify the age of the
 future web site user in an eye-to-eye process.
&lt;/p&gt;
&lt;p&gt;
 For the various providers of adult content which are not subject to German
 law, the Federal Court considers the Internet Service Providers responsible
 for blocking the web sites in question.
&lt;/p&gt;

																			</description>
    	</item>
	    	<item>
      		<pubDate>So, 09 Dez 2007 14:13:58 +0100</pubDate>
      		<title>Germany: Data Retention only until the end of the contract</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/germany_data_retention_only_until_the_end_of_the_contract</link>
      		<description>
									
 In case &lt;em&gt;Az. 5 C314/06&lt;/em&gt; against the Federal Ministry of Justice, the
 District Court of Berlin Central has decided that all retained data must
 be deleted by the end of the contract with the customer. According to the
 judges, retention of data even beyond the contract period is a violation
 of the right to informational self-determination.

																			</description>
    	</item>
	    	<item>
      		<pubDate>Do, 06 Dez 2007 20:07:47 +0100</pubDate>
      		<title>OpenISO website launched</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/openiso_website_launched</link>
      		<description>
									&lt;p&gt;
     Starting from today, there is a new standardization organization doing
     its work in this world. It is known under the name OpenISO, and is
     an organization created by &lt;a href=&quot;http://www.bollow.ch/&quot;&gt;Norbert
      Bollow&lt;/a&gt; (whom some of us might remember from thankpoland.info).
    &lt;/p&gt;
    &lt;p&gt;
     OpenISO is an organization which set out to create truly open
     standards, not standards licensed on a reasonable and non-discriminatory
     (RAND) basis. OpenISO wants all information required to implement its
     standards to be free, so everyone can freely develop competing
     products that implement its standards.
    &lt;/p&gt;
    &lt;p&gt;
     So far, OpenISO has released a number of standards in the network
     area (such as &lt;a href=&quot;http://openiso.org/OI/E400:draft3&quot;&gt;the telnet
      protocol&lt;/a&gt;), and is now &lt;a href=&quot;http://openiso.org/Ecma/376/&quot;&gt;aiming
      at ECMA 376 in a Call for Participation&lt;/a&gt;.
    &lt;/p&gt;

																			</description>
    	</item>
	    	<item>
      		<pubDate>Di, 04 Dez 2007 00:33:23 +0100</pubDate>
      		<title>EU-EPLA: Zypries and her Technical Judges against the principles of Democracy</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/eu_epla_zypries_and_her_technical_judges_against_the_principles_of_democracy</link>
      		<description>
									
&lt;p align=&quot;justify&quot; style=&quot;margin-bottom: 0in;&quot;&gt;After the death of the
European Patent Litigation Agreement (EPLA) as an international
treaty, EU-EPLA has been introduced, promising the same undesirable
litigation to only the European Union. The core of the proposal is
the creation of a European Judge Academy and a specialized Patent
Court under the pillar of the European Court of Justice (ECJ).&lt;/p&gt;
&lt;p align=&quot;justify&quot; style=&quot;margin-bottom: 0in;&quot;&gt;Brigitte Zypries, the
German minister of Justice, wants this court not to be led by
regularly appointed judges, but by so-called technical experts. She
promises better examination of the technical substance of the patents
in corresponding processes. These technical experts are basically
just another name for Patent Agents who have passed the Judge
Academy. But what are those Patent Agents anyway?&lt;/p&gt;
&lt;h1 class=&quot;western&quot;&gt;The Patent Agents&lt;/h1&gt;
&lt;p align=&quot;justify&quot;&gt;A while ago, the European Patent Office (EPO)
created a new class of working men called patent agents. These patent
agents act as “technical experts” (Zypries definition) in
lawsuits where a patent is challenged, and provide their expertise to
the judge in trying to assess the validity of a given patent.&lt;/p&gt;
&lt;p align=&quot;justify&quot;&gt;So what does it take to become a Patent Agent? The
straightest way to find out is to apply as a Patent Agent to the
European Patent Office. The response from the EPO is short and clear:
all that is required is a degree in a field of Engineering. Law
degrees are not required, since Patent Agents are currently only
functioning as experts in court cases, and thus competence in legal
questions is not a criterion.&lt;/p&gt;
&lt;p align=&quot;justify&quot;&gt;This makes the whole idea of sending
these patent professionals to a Judge Academy for some short period of time and
appointing them as judges who have to make legally valid decisions quite absurd. A
large number of legislations even &lt;u&gt;require&lt;/u&gt; judges to have a law
degree. A patent professional cannot be expected to make legally intelligent
decisions.&lt;/p&gt;
&lt;h1 class=&quot;western&quot;&gt;Still no Division of Powers at EPO&lt;/h1&gt;
&lt;p align=&quot;justify&quot;&gt;But the problem in terms of legal issues goes even
further. Currently, the EPO is one of the few international agencies
which does not adhere at all to the principles of Division of Powers.
Patents are granted by the EPO, which constitutes the legislative
branch, and part of the enforcement process is also going through the
EPO, which is the executive branch.&lt;/p&gt;
&lt;p align=&quot;justify&quot;&gt;If EPO-educated Patent Agents are now entering the
judicative branch, this means that this branch is also going to be
under the control of the European Patent Office. This means that the
third pillar of a democratic society, the judicative branch, is going
to be held by the same organization which holds the legislative and
executive branch. This constitution of powers should be considered
highly undemocratic, as the Division of Powers is one of the main
principles of a democratic society.&lt;/p&gt;
&lt;p align=&quot;justify&quot;&gt;There is no problem with Patent Agents as experts to
judges which provide them with facts about the assessed validity of
the patent in question (Well, it is still a bit problematic since
these experts are coming from the same entity which originally
granted the patent), but there is a serious problem if one
organization gains total power over their entire legislative process.&lt;/p&gt;
&lt;p align=&quot;justify&quot;&gt;What must also be considered is that the European
Patent Office is not an EU institution, and as such not under
democratic control by the European Parliament. This makes the entire
constellation even more problematic, since there is basically no
democratic body controlling the EPO.&lt;/p&gt;
&lt;h1 class=&quot;western&quot;&gt;Pseudo Decentralization&lt;/h1&gt;
&lt;p align=&quot;justify&quot;&gt;Another issue with the proposal is that it
introduces some artificial decentralization by establishing local
patent courts. The idea is that a number of countries share one
patent court, which might give a decentralized impression at first
glance but is not decentralized at all on the second. A real
decentralized patent court would mean that every country has its own
patent court which elects its own set of judges.&lt;/p&gt;
&lt;p align=&quot;justify&quot;&gt;In the case of EU-EPLA however, the European Union
provides the regional courts with the technical judges, whose
identity and meaning has been outlined some paragraphs above. This
means that the individual member countries have no control over their
local courts.&lt;/p&gt;
&lt;h1 class=&quot;western&quot;&gt;Dividing and Conquering&lt;/h1&gt;
&lt;p align=&quot;justify&quot;&gt;The last problem is more on the economic side as
well as a problem with harmonization. Currently, there is no clear
regulation in the European Union on how to deal with processes where
patents are challenged. Thus, there are two different ways to deal
with such challenges.&lt;/p&gt;
&lt;p align=&quot;justify&quot;&gt;The first way is rather straightforward and is
deployed in countries like Sweden. The procedure is rather easy: if
the validity of the patent is challenged, then it will have to be
decided on during the same process, along with the applicability of
the same patent. This means that the plaintiff has to balance the
scope of his patent very well because if his claims are too broad,
the patent will be invalidated, and if they are too narrow, the
patent will simply not be applicable in the proceedings because it
will not cover the committed infringement.&lt;/p&gt;
&lt;p align=&quot;justify&quot;&gt;However, in Germany and some other countries, a
different procedure is in place. Under this procedure a second
proceeding is opened, potentially even at a different court. This means
that potentially a different judge will be handling the patent
validity case. This in turn means that the plaintiff can assume a
very narrow set of claims for the patent validity case, while a very
broad set of claims can be used in the applicability question in
order to claim a very broad infringement of the patent. This is only
possible because the two cases are handled separately.&lt;/p&gt;
&lt;p align=&quot;justify&quot;&gt;This is just one more case of harmonization with the
hammer. There are clear economic advantages to the first procedure,
but nevertheless the second procedure is supposed to become the
harmonized one, without any proper discussion of the issues. With all
these problems, it is clear that accepting this proposal is not in the
best interest of the member states. It is desirable that these issues
are cleared up before the proposal can be accepted or rejected. Once
there is a proposal which adheres to democratic principles, a
pan-European patent agreement is certainly warmly welcome.&lt;/p&gt;


																			</description>
    	</item>
	    	<item>
      		<pubDate>Mo, 03 Dez 2007 02:44:34 +0100</pubDate>
      		<title>IPRED2: A sign of lack of harmonization inside the EU?</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/ipred2_a_sign_of_lack_of_harmonization_inside_the_eu</link>
      		<description>
									&lt;h1&gt;History of IPRED2&amp;nbsp;&lt;/h1&gt;&lt;p&gt;Back in 2004, the European Commission announced that, following the &lt;em&gt;Intellectual Property Rights Enforcement Directive part 1&lt;/em&gt; (IPRED1), a second part would be released to refine the measures as appropriate. This second part, IPRED2, was to be released once IPRED1 had been implemented in the entirety of Europe, and once the experiences of the impact of IPRED1 had been gathered.&lt;/p&gt;&lt;p&gt;But it appears that the Commission got impatient after this, and IPRED2 was already drafted early in 2005. However, objections had been raised before the &lt;em&gt;European Court of Justice&lt;/em&gt; (ECJ) as to whether the European Commission had the competence at all to create criminal legislation for the entirety of the European Union. The ECJ &lt;a href=&quot;http://wiki.ffii.org/Com051123En&quot; title=&quot;IPRED2 derailed due to ECJ court ruling&quot;&gt;decided that the Commission did not have this competence&lt;/a&gt;, and sent several legal documents back to the drafting table, including the IPRED2 directive proposal.&lt;/p&gt;&lt;p&gt;Despite the fact that IPRED1 still was not implemented in all member states and no experience had been gathered, the Commission started anew in 2006 with a new IPRED2 draft. This draft was presented to the European Parliament by Rapporteur Nicola Zingaretti, and has passed the European Council as well as the parliamentary expert committees JURI, ITRE and LIBE and the plenary vote.&lt;/p&gt;&lt;p&gt;However, the law is not final yet. Due to express requests from parliamentarians, the publication of the law in the official journal of the European Union, which would make it legally binding, has been postponed in order to allow the issues which have been raised to be discussed.&lt;/p&gt;&lt;h1&gt;Issues with IPRED2&lt;/h1&gt;&lt;p&gt;The main problem with IPRED2 is that it is formulated in far too broad a fashion.
During the conciliation phase, the legal proposal has already been improved somewhat, but the problems remain: IPRED2 imposes criminal sanctions on undisclosed infringements of intellectual property rights. The problems with this have been outlined in the FFII paper “&lt;a href=&quot;http://action.ffii.org/ipred2/FFII_Analysis?action=AttachFile&amp;amp;do=get&amp;amp;target=ep-ipred2-20061206.pdf&quot; title=&quot;To Lisbon or to Prison - an IPRED2 analysis&quot;&gt;To Lisbon or to Prison&lt;/a&gt;”.&lt;/p&gt;&lt;p&gt;There is also a &lt;a href=&quot;http://www.ipred.org/analysis&quot; title=&quot;IPRED2 analysis by Vrijschrift&quot;&gt;detailed analysis of IPRED2&lt;/a&gt; from Vrijschrift.&lt;/p&gt;&lt;h1&gt;A sign of lack of harmonization?&lt;br /&gt;&lt;/h1&gt;&lt;p&gt;IPRED2 is also often referred to as a piece of “Italo-legislation”. This is of course not meant as an insult, but it is a consequence of the fact that the Italian legal system works differently from, for example, the German legal system.&lt;/p&gt;&lt;p&gt;In Italy, legislation is always formulated in a very excessive way and the courts then sort out the problems through their rulings on the applicability of the legislation. However, in Germany, what is written in law is always applicable and will be applied, so the impact of such broad formulations will be a lot higher in some European countries than in others.&lt;/p&gt;&lt;p&gt;The only possible interpretation of this problem is that the European Union is not ready yet for legislation of such immense importance. Before criminal sanctions can be harmonized, there must be a common basis for interpretation of the legislation.&lt;br /&gt;&lt;/p&gt;
																			</description>
    	</item>
	    	<item>
      		<pubDate>Sa, 01 Dez 2007 00:36:40 +0100</pubDate>
      		<title>OOXML: an obstacle to accessibility?</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/ooxml_an_obstacle_to_accessibility</link>
      		<description>
									
&lt;p&gt;The Adaptive Technology Resource Center (ATRS) released a &lt;a title=&quot;List of issues with OOXML accessibility&quot; href=&quot;http://atrc.utoronto.ca/index.php?option=com_content&amp;amp;sectionid=14&amp;amp;task=view&amp;amp;hidemainmenu=1&amp;amp;id=371&quot;&gt;list of issues&lt;/a&gt; which have been raised in their analysis of the OOXML specification with regard to accessibility.&lt;/p&gt;&lt;p&gt;According to the paper, the standard itself contains a number of questionable provisions which might threaten the ability of programmers to make the implementing software accessible to disabled people. The main point of criticism is that some proprietary formats have been used in areas where free W3C standards already exist and cover the same functionality. However, while the W3C standards have been developed with accessibility in mind, the notion of accessibility is apparently missing entirely from the OOXML standard.&lt;/p&gt;&lt;p&gt;As an example, some of the specifications for the insertion of images do not allow for image formats which are accessible to disabled users. The ATRS then goes on to demand that these issues be revised. A long list of references to objections regarding accessibility and related issues is given at the end of the paper.&lt;/p&gt;
																			</description>
    	</item>
	    	<item>
      		<pubDate>Fr, 30 Nov 2007 12:46:32 +0100</pubDate>
      		<title>Bale (Canton) switches to Linux, PostgreSQL</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/bale_canton_switches_to_linux_postgresql</link>
      		<description>
									&lt;p&gt;The department of Military, Police and Justice (JPMD) of Bale (Canton, BL) in Switzerland is, after the canton Turgovie (TG), the second cantonal administration to switch to Free Software solutions.&lt;/p&gt;&lt;p&gt;The Central Service for Informatics (ZID) of Bale (Canton), which is responsible for the migration, wants to switch to SuSE Linux Enterprise Server version 10 and PostgreSQL version 8.2. The JPMD thereby serves as a test platform for the rest of the cantonal administration, which is going to follow its example if considered appropriate.&lt;/p&gt;&lt;p&gt;Both cantons are using the software &lt;a href=&quot;http://www.fabasoft.de/cms/Produkte/FabasofteGov-Suite/Uebersicht.htm&quot; title=&quot;Fabasoft eGov-Suite 7.0&quot;&gt;Fabasoft eGov Suite 7.0&lt;/a&gt;, a public services request tracking system not unlike &lt;a href=&quot;http://bestpractical.com/rt/&quot; title=&quot;RT Request Tracker by Best Practical&quot;&gt;RT&lt;/a&gt; but including contact data and document management, which runs on both Windows and Linux. The software also offers a standardized interface for the exchange of data with other public service providers.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;For more detailed information, please read the &lt;a href=&quot;http://www.linuxkommunale.de/2099-Zwei-Schweizer-Kantone-wechseln-zu-Open-Source.html&quot; title=&quot;Linuxkommunale article on how Bale (Canton) switches to Free Software&quot;&gt;Linuxkommunale article on how Bale (Canton) switches to Free Software&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;
																			</description>
    	</item>
	    	<item>
      		<pubDate>Fr, 23 Nov 2007 01:34:51 +0100</pubDate>
      		<title>Gnome goes Mono and jumps into the Patent Trap</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/gnome_goes_mono_and_jumps_into_the_patent_trap</link>
      		<description>
									
&lt;p&gt;A couple of years back, the Gnome desktop environment developers took the decision to
 &lt;a href=&quot;http://www.osnews.com/story.php/5746/Commentary-The-Upcoming-GNOME-Monarchy-of-Mono/&quot;&gt;reengineer
  the Gnome desktop around the Mono framework&lt;/a&gt;. This decision has mainly
 been influenced by the main Mono developer
 &lt;a href=&quot;http://tirania.org/blog/&quot;&gt;Miguel de Icaza&lt;/a&gt;, who is a very vocal
 employee of Novell. Recent developments thus call for recalling the pieces of the puzzle in order to understand what might really be going on.&lt;br /&gt;
&lt;/p&gt;
&lt;p&gt;
 Reasonable doubt has been raised as to whether or not Mono can actually be
 deployed freely. Mono itself is basically a free and halfway portable
 implementation of the .NET framework developed by Microsoft. However,
 the .NET framework itself is subject to a large amount of
 &lt;a href=&quot;http://swpat.ffii.org/&quot;&gt;software patents&lt;/a&gt;, which cover the
 concepts used within the .NET framework. Since these are concepts and
 not individual implementations (which are covered by Copyright, which
 is certainly untouched by a reimplementation), they most likely also
 apply to the Mono framework.
&lt;/p&gt;
&lt;p&gt;
 To Novell itself, Icaza's employer, this is not a significant problem,
 since Novell has
 &lt;a href=&quot;http://www.news.com/Microsoft-makes-Linux-pact-with-Novell/2100-1016_3-6132119.html&quot;&gt;closed
  a patent deal with Microsoft&lt;/a&gt; not so long ago which undoubtedly also covers the
 .NET patents. However, conventional Linux and Open Source vendors
 would not be able to distribute Gnome, as it would be covered by the
 .NET patents Microsoft owns.
&lt;/p&gt;
&lt;p&gt;
 This amounts to an easy way for Novell to effectively lock in Gnome users
 to their own products. Gnome would no longer be a real Free Software
 project, even though the code remains freely available. It is expected
 that this type of patent issue will be raised many times, causing severe
 damage to the economy over time. The only way of mitigation will be
 a transatlantic patent agreement which clarifies Art. 52 EPC: software
 is not patentable.&lt;/p&gt;
																			</description>
    	</item>
	    	<item>
      		<pubDate>Fr, 23 Nov 2007 00:37:12 +0100</pubDate>
      		<title>US Aid offering cheap monopolist products to the third world</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/us_aid_offering_cheap_monopolist_products_to_the_third_world</link>
      		<description>
									&lt;p&gt;
 The U.S. Agency for International Development (US Aid) is
 &lt;a href=&quot;http://www.colombopage.com/archive_07/November2201755JR.html&quot;&gt;offering
  cheap access to hardware and training curricula for Microsoft
  operating systems&lt;/a&gt;.
&lt;/p&gt;
&lt;p&gt;
 The project in question is a US$236'000.- project to unbind the
 «Unlimited Potential» of the industries of Sri Lanka which
 could be enhanced with information technology. It will be executed by
 &lt;em&gt;Info Share&lt;/em&gt;, an NGO which develops IT solutions for NGOs, and
 &lt;em&gt;Unlimited Potential&lt;/em&gt;, a Microsoft welfare organization, whose main
 purpose is to spread Microsoft in the developing world.
&lt;/p&gt;

																			</description>
    	</item>
	    	<item>
      		<pubDate>Fr, 23 Nov 2007 00:35:19 +0100</pubDate>
      		<title>German Police says Good Bye to Microsoft Products</title>
      		<link>http://www.fsfe.org/en/fellows/tonnerre/stdout/german_police_says_good_bye_to_microsoft_products</link>
      		<description>
									&lt;p&gt;
 After the German Bundesrechnungshof released a paper
 &lt;a href=&quot;http://www.bundesrechnungshof.de/veroeffentlichungen/bemerkungen-jahresberichte/bemerkungen-2007.pdf&quot;&gt;criticising
  the extensive and expensive use of Windows in public services&lt;/a&gt;,
 the German Police Trade Union has demanded that the failed police software
 project &lt;em&gt;POLIKS&lt;/em&gt; shall be discontinued and all installations of
 &lt;a href=&quot;http://news.softpedia.com/news/German-Police-Wants-Linux-71320.shtml&quot;&gt;the
  Windows operating system of Microsoft be replaced with Linux&lt;/a&gt;.
&lt;/p&gt;
&lt;p&gt;
 Issues with the new system had been raised for a long time already. It
 takes half an hour or longer to record a single case, which used to be
 done within a couple of minutes using the paper-based approach. This half
 hour is of course time that the person reporting the incident will have
 to wait.
 Also, the system has experienced 50 hours of downtime over the year,
 which is a rather low availability compared with the services normally
 offered by Open Source systems.
&lt;/p&gt;
&lt;p&gt;
 The Police Union representatives suggest that the saved license fees
 could be used for the Christmas bonuses of the police officers.
&lt;/p&gt;

																			</description>
    	</item>
		</channel>
</rss>