Re: My own e-mail encryption solution
- From: "Joseph Ashwood" <ashwood@xxxxxxx>
- Date: Sun, 18 Jan 2009 17:24:47 -0800
"Boon" <root@localhost> wrote in message news:4973a517$0$11790$426a74cc@xxxxxxxxxxxxxxx
Joseph Ashwood wrote:
With cryptography, the devil is very much in the details. A seemingly innocent thing like making sure the RAM is initialized, Debian learned this the hard way with their OpenSSL.
It is not my understanding that Debian's problem came from not "making sure the RAM is initialized".
http://research.swtch.com/2008/05/lessons-from-debianopenssl-fiasco.html
It is quite useful to go to the original source of the bug and the fix.
The problem came when Purify and valgrind was run against the code. Purify/valgrind detected that memory was being used prior to initialization (apparently openssl has a few thousand of these "errors"). The "fix" was to initialize the code that Purify/valgrind highlighted, the initialization led to the entropy pool remaining almost empty. This fixed the purify/valgrind error, but in exchange eliminated all security.
The original informtion can be found at
http://lists.debian.org/debian-security-announce/2008/msg00152.html
http://isc.sans.org/diary.html?storyid=4421
http://www.debian.org/security/2008/dsa-1571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166
Combined these discuss not just the problem, but the solution.
Joe
.
- Follow-Ups:
- Re: My own e-mail encryption solution
- From: Mark Wooding
- Re: My own e-mail encryption solution
- References:
- My own e-mail encryption solution
- From: Anonymous
- Re: My own e-mail encryption solution
- From: Joseph Ashwood
- Re: My own e-mail encryption solution
- From: Boon
- My own e-mail encryption solution
- Prev by Date: Re: New computation method which could endanger used cryptosystems (?)
- Next by Date: Girard Perregaux Classic Elegance Watch, Best Wristwatch
- Previous by thread: Re: My own e-mail encryption solution
- Next by thread: Re: My own e-mail encryption solution
- Index(es):
Relevant Pages
|
