Monday, January 21, 2013

Free RSA Private Key Giveaway...by Lancom

UPDATE: I've heard back from LANCOM and they suggest, as did the person commenting below, that the problem lies with administrators selecting the wrong "slot" when uploading the key.


--------------------
There is no security problem when using the certificate-based VPN
connection.
When uploading the certificate you have used the wrong certificate type.

You can undo this by creating a text file in which only one blank character
is available.
When you upload the file, please use the certificate type "Message Before
Login (plain text)".
---------------------

While this would seem to be a true statement, it seems like a particularly bad design choice if, while configuring the device, uploading a private key or a login banner are only a single click away from each other and could so easily result in the publication of the data. At least the Shodan database shows very few devices configured this way (currently 9) so it's hardly a widespread problem.
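The mitigation the vendor describes is to overwrite the "Message Before Login (plain text)" slot, but the underlying mistake is that the device will happily publish whatever is uploaded there. The snippet below is an added example, not LANCOM's code and not from the original post: a pre-upload check an administrator (or a configuration-management pipeline) could run on any text destined for a public, pre-login slot, refusing it if it contains a PEM private-key header. The sample banner bodies are constructed, the key material is filler, and the slot name is only assumed from the vendor's reply.

```python
import re

# Constructed sample inputs (NOT real keys): a harmless login banner and a
# banner body that is actually a private key pasted into the wrong slot.
SAFE_BANNER = "Authorized access only. All activity may be monitored.\n"
LEAKY_BANNER = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEowIBAAKCAQEAthisIsNotARealKeyJustConstructedFiller0123456789==\n"
    "-----END RSA PRIVATE KEY-----\n"
)

# Any of these PEM labels inside text destined for a public slot (login
# banner, MOTD, help text) means secret material is about to be published.
PRIVATE_LABEL = re.compile(
    r"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY)-----"
)


def find_private_key_labels(text):
    """Return the PEM labels of every private-key header found in text.

    Matching on the BEGIN line alone is deliberate: a truncated paste that
    lacks the END line still leaks most of the key, so it must be refused too.
    """
    return PRIVATE_LABEL.findall(text)


def check_public_slot_upload(text):
    """Decide whether text may be written to a public (pre-login) slot.

    Returns (accepted, reason). The policy is simple: refuse anything that
    contains a private-key PEM header, accept everything else. A certificate
    ("-----BEGIN CERTIFICATE-----") is public and is not flagged.
    """
    labels = find_private_key_labels(text)
    if labels:
        return False, "refusing upload: contains %s" % ", ".join(labels)
    return True, "ok"


if __name__ == "__main__":
    # Assumed slot name, taken from the vendor reply quoted above.
    slot = "Message Before Login (plain text)"
    for name, body in (("safe", SAFE_BANNER), ("leaky", LEAKY_BANNER)):
        accepted, reason = check_public_slot_upload(body)
        print("%-5s -> %s: accepted=%s (%s)" % (name, slot, accepted, reason))
```

Run against the two constructed bodies, the safe banner is accepted and the leaky one is refused with the offending label named; the same check can be pointed at a device's current banner text to confirm that a previous mis-upload has actually been overwritten.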

Original Post:


There's always a sense of excitement when I see that magic text "-----BEGIN RSA PRIVATE KEY-----", and it's not coming from a file on my computer. Anyone who even slightly understands public key cryptography knows that the key with the word "PRIVATE" doesn't get shared. Apparently, some Lancom router, VPN, and VoIP devices are having a hard time figuring out the difference between public and private keys.