Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Only a few days old, OpenSSL fork LibreSSL is declared “unsafe for Linux”


  • Please log in to reply
No replies to this topic

#1 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 12,738 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:07:07 PM

Posted 15 July 2014 - 04:59 PM

 

The problem resides in the pseudo random number generator (PRNG) that LibreSSL relies on to create keys that can't be guessed even when an attacker uses extremely fast computers. When done correctly, the pool of numbers supplied is so vast that the output will almost never be repeated in subsequent requests, and there should be no way for adversaries to accurately predict which numbers are more likely than others to be chosen. Generators that don't produce an extremely large pool of truly random numbers can undermine an otherwise robust encryption scheme. The Dual EC_DRBG influenced by the National Security Agency and used by default in RSA's BSAFE toolkit, for instance, is reportedly so predictable that it can undermine the security of applications that rely on it.

 

Only a few days old, OpenSSL fork LibreSSL is declared “unsafe for Linux”

BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users