Two Years of Broken Crypto: Debian's Dress Rehearsal for a Global PKI Compromise

Abstract

A patch to the OpenSSL package maintained by Debian GNU/Linux (an operating system composed of free and open source software that can be used as a desktop or server OS) submitted in 2006 weakened its pseudo-random number generator (PRNG), a critical component for secure key generation. Putting both servers and users at risk, this vulnerability affected OpenSSH, Apache (mod_ssl), the onion router (TOR), OpenVPN, and other applications. In this article, the author examines these issue and its consequences. OpenSSL is an open source library implementing the SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocols. Several widely deployed applications on many OSs rely on it for secure communications, particularly Linux and BSD-based systems. Where in use, it's a critical part of the OS's security subsystem.