Predictable random generator in Debian’s OpenSSL

On 13th may, Debian announced that Luciano Bello discovered a weakness in the random generator used for OpenSSL. A line of software was removed “for quality reasons”.

* Don’t add uninitialised data.
MD_Update(&m,buf,j); /* purify complains */

Checking tools such as Purify or Valgrind complained that variable buf was not initialized. Thus, it was decided to remove this line. Unfortunately, the random generator used two parameters as random seed: its process ID and this random buffer buf! The range of value of process ID is 32,768. In other words, without the contribution of buf, the seed of the random generator was too small. The random generator was predictable. The keys generated by DEBIAN OpenSSL are predictable, thus weak.

Of course, the mistake has immediately been corrected. The first weak version has been published in September 2006. All cryptographic keys generated by these versions of OpenSSL should be treated as compromised material. New keys should be generated with the latest version. Other distributions of OpenSSL are not concerned. Nevertheless, they may handle DEBIAN generated keys and thus be in danger when using these keys.


  • Quality checking tools are useful tools. Nevertheless, their results have to be used with judgment. This is specially tool in the field of security where sometimes it is mandatory to “violate” quality heuristics. A typical example is code obfuscation which objective is to artificially increase the complexity of software (whereas quality requests to reduce the complexity)
  • It took more than 18 months for somebody to detect the impact of this modification.
  • Being paranoid, I would say this delay is rather sufficient for a well organized attacker to maliciously had some reasonably smart trapdoor in an open source package and then exploit it against her target.
  • Open source allowed to detect this weakness :Happy: Open source allowed also to introduce this weakness :Sad: Nevertheless, I believe that the pros are higher. Probably there is a critical size of reviewers to reach for gaining some confidence.
  • Not everybody is able to write (and understand) security code.

Thanks to Gomor for the link.

Leave a Reply

Your email address will not be published. Required fields are marked *