How I tripped over the Debian weak keys vulnerability
Crypto wallets, RNG bugs, and fallout
- Several comments compare the Debian weak-key issue to potential RNG failures in Bitcoin or hardware wallets.
- Past crypto incidents (Android wallets, vanity address tools, Wintermute hack, BitcoinJS “randstorm”) are cited as evidence that bad randomness in key generation is a real and recurring problem.
- Concern is raised about large custodians and ETFs (e.g., relying on a single custodian rather than multi‑sig across entities) and what would happen if their cold-storage keys were weak or guessable.
Brute forcing keys and “indexing the keyspace”
- One thread models the brute-force cost of 256‑bit ECDSA, even with extreme assumptions (world GDP, massive FPGA fleets, huge algorithmic speedups), concluding it remains infeasible within human timescales.
- Another commenter suggests deterministically enumerating all seed values and building an index of all keys; others respond that:
- This is computationally equivalent to brute forcing.
- Storing such an index is physically impossible (more entries than atoms on Earth).
- “Generate a few keys and hope to stumble on a used one” sites exist, but are likened to Library of Babel thought experiments, not realistic threats.
- Quantum or “new physics” breakthroughs are acknowledged as the only plausible way to change this, but remain speculative.
Debian OpenSSL RNG bug mechanics
- Clarification that OpenSSL did use
/dev/urandom; the Debian patch accidentally removed the code path that mixed real entropy, leaving a low-entropy seed (PID-based). - Descriptions differ slightly: some say two copy sites existed and Debian removed both; another recounts multiple places where partially uninitialized buffers were mixed into the pool.
- There is agreement that:
- The original OpenSSL code invoked undefined behavior by reading uninitialized memory.
- Debian’s patch was “lawful” from a UB standpoint but catastrophic in effect.
- The bug was discussed on OpenSSL mailing lists before landing; it wasn’t a one-off reckless change.
GitHub’s SSH infrastructure
- Discussion about how GitHub avoided weak Debian keys and managed huge numbers of user keys:
- Historical use of custom key lookup (e.g., database-backed, libssh, “babeld” on port 22) instead of basic
authorized_keysfiles. - Mention that modern OpenSSH has
AuthorizedKeysCommand, but GitHub’s constant “git” SSH username and scale complicate naive approaches.
- Historical use of custom key lookup (e.g., database-backed, libssh, “babeld” on port 22) instead of basic
Testing, detection, and “many eyes”
- Some argue better test coverage (e.g., checking for low-entropy seeds) could have caught the Debian issue; others note randomness can’t be fully validated this way.
- An IRC snippet suggests the weakness was first noticed via unexpectedly frequent key collisions when generating many primes.
- The thread reflects on how often serious bugs (like this, Heartbleed, xz backdoor) may exist unnoticed, and how open-source visibility helped detect and coordinate responses in those cases.
Open vs closed source security
- One side claims open source increases the chance that odd behavior leads to code inspection and bug discovery; with closed source, that probability drops significantly.
- Others counter that bugs and even exploitable vulns are routinely found in proprietary software (by customers, security teams, and attackers), but:
- Reporting channels are weaker.
- Vendors may ignore or downplay issues.
- Legal threats can discourage disclosure.
- Several comments propose a lifecycle: observe weird behavior → recognize it as dangerous → report/fix → propagate the remedy. Open source is seen as making steps 2–4 more likely to succeed.
Language, parsing, and side topics
- Some discuss an ambiguous sentence in the blog post as an example of prepositional-phrase attachment ambiguity.
- There’s a brief mention of UUID collision worries (usually unfounded in ideal conditions, but real when entropy sources are weak).
- Another side note references large-scale scans for RSA keys sharing factors via GCD as a separate “weak key” episode.