git.freedesktop.org IP change?

Matthias Hopf mhopf at suse.de
Fri May 16 11:56:13 PDT 2008


On May 16, 08 10:03:46 -0700, Dan Nicholson wrote:
> >> > > Everybody running Debian, strictly speaking.
> >> > > Other distros are not affected IIRC.
> >> >
> >> > Other non-debian based distros are not affected, but DSA keys can be,
> >> > even if they were generated on other systems: if a DSA key was used to
> >> > authenticate against a vulnerable (thus potentially compromised) server,
> >> > this key should be considered as compromised too.

According to the description Daniel posted, you have to *sign* something
on a *vulnerable* system in order to compromise your private key. And
the attacker has to know the signature and your public key.

For authentication signing is used, but the signed message and the
signature are typically never stored anywhere.

So if you never used your DSA keys to log into some other computer
*from* a vulnerable system (that has access to your private key), they
are still safe. Also, they are safe if you're sure that there was no
man-in-the-middle attack at that time and the host you're connecting to
is safe as well.


Read: if all systems that have access to your private keys haven't been
vulnerable, your keys are safe. In many other cases they are safe as
well.

Also read: if the private key has been created on a vulnerable system,
it is never safe. But that was known already.


This goes with the typical disclaimer, it's what I understood from a
short read of the articles.

I'm also unsure about RSA, but AFAIR you cannot easily guess from the
signature and the public key your private key, AFAIR there is never a
random number involved in RSA signatures.

CU

Matthias

-- 
Matthias Hopf <mhopf at suse.de>      __        __   __
Maxfeldstr. 5 / 90409 Nuernberg   (_   | |  (_   |__          mat at mshopf.de
Phone +49-911-74053-715           __)  |_|  __)  |__  R & D   www.mshopf.de



More information about the xorg mailing list