Thursday, December 3, 2015

randup trickery

We at opmsg team take security very serious. Really.

So at times we end up digging in underlying libs which
we use, to understand entropy and key generation.
Since we take security so serious (really), we are very Nazi
about entropy. If we find anything that might be an issue
or could be an issue if used in certain environments,
we take all necessary actions to protect you.

So this time we inform you, our valued customer, that
usage of libressl in certain Linux environments could
be dangerous with regard to key generation. In nested
container environments (cloud!) the state of the PRNG
may be cloned and there is nothing you, our valued
customer, can do about it via the libcrypto API.
Thats why we, who take security very serious, informed
the libressl team and proposed a solution.

PoC and solution may be found here. Please note that
this is different from the CLONE_PID issue in past
which allowed for reuse of pids but is no longer possible
on recent Linux kernels.

Beside that, opmsg team acknowledges time and effort libressl
developers invest into the project and found libressl
code clean and mature. We continue supporting and recommend
use of libressl in opmsg.



1 comment:

Anonymous said...

Do you take security seriously?