by einaros 4443 days ago
No, the primes (and thus key) can be retrieved at any time, but it may be more frequently found right after reboot.

I would recommend you to gather at least a gigabyte before digging for the key - preferably more. I dumped 43 GB from CloudFlare on Sunday, and found the prime 194 times in that dump. It can be found in much less time, however. Here's a test I just did against the CloudFlare server, resulting in the full prime 34 times in 60 seconds: https://twitter.com/einaros/status/456136820913238016

The code from the second post you noted (https://news.ycombinator.com/item?id=7577659) isn't mine. That one builds off of the original Python PoC, which fails for a lot of configurations.

The GitHub code is the first publication I've done. Let me know if you see a server that's vulnerable, that the GitHub code fails to detect.


Was the other prime present in your 43 GB dump or just the one starting with 0xc4ea13ad? Or any other components of the private key?

My own program only saved the snippets of memory in which a little-endian prime was detected - I didn't keep the rest of the data.

Doing realtime prime detection is trivial in mine as well. Either pipe the outfile or add to the lib. I didn't write the dump tool with keys as primary target; they just happened to be there.

Sorry, my comment may have come across as an unnecessary criticism of your technique rather than how I intended it - as mentioning a shortcoming of my program in not saving all data received, and that you may be able to get some interesting results from your dump by searching for other key data and in different formats.

Ah. Well if you want to dig, I've still got the 43 GB from CloudFlare!

On the other hand - you could try using my tool, and keep it running until it finds the key. It doesn't collect any dumps and does all processing in real time.

I didn't actually write mine to collect primes :) I'm working with data dumped from other network devices, and for the most part running various Yara rules during and after collection.