[916] in WWW Security List Archive


Re: Netscape's purported RNG

daemon@ATHENA.MIT.EDU (Rick Smith)
Fri Sep 22 22:13:22 1995

Date: Fri, 22 Sep 1995 18:08:09 -0500
From: Rick Smith <smith@sctc.com>
To: www-security@ns2.rutgers.edu
Cc: smith@sctc.com
Errors-To: owner-www-security@ns2.rutgers.edu

zurko@osf.org (Mary Ellen Zurko) writes:

> The process problem instead seems
> to be, as pointed out in earlier mail, that they had no expertise in
> the issues of implementing cryptography, and didn't go out of house
> for help. For the fix, they're getting help from RSA.

The depressing thing is that poor RNG seeding is a published bug
that's been seen before in software that depended on randomness for
security. At least, a few cases seem to be somewhere in my cluttered
head tho' the details escape me at the moment. But for sure some early
experiments with IP spoofing were based on predictable RNGs used to
generate TCP sequence numbers. Didn't Morris, Sr., recently refer to
bad RNGs as a popular source of crypto vulnerability?

I'd argue that this is a software design flaw, not a protocol flaw nor
an implementation flaw. The software correctly sampled some nonrandom,
predictable sources to seed the random number generator. So it would
have been hard/impossible to find through design testing. Penetration
testing would have found it only if the testers knew enough. If they
did, they should have pointed it out at design time.

Rick.
smith@sctc.com     secure computing corporation
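The seeding pattern the message describes, as an added illustration that is not part of the original post and not Netscape's code: a seed derived from a few predictable process values beside one drawn from the OS entropy pool, with a function that bounds how much an attacker would have to enumerate to cover every possible weak seed. The input names (`seconds`, `microseconds`, `pid`, `ppid`) and the window sizes used in the search-space estimate are assumptions chosen for the example; a review that asks "how many distinct seeds can this code actually produce, given what an observer can bound?" is the design-time check the message says penetration testing would only catch by luck.

```python
import math
import os
import hashlib


def weak_seed(seconds: int, microseconds: int, pid: int, ppid: int) -> bytes:
    """Constructed example of flawed seeding: mix wall-clock time and process
    ids into 16 bytes. Hashing makes the output look random but adds no
    entropy; the seed is fully determined by a handful of guessable values,
    so anyone who can bound those values can reproduce it."""
    material = f"{seconds}:{microseconds}:{pid}:{ppid}".encode()
    return hashlib.md5(material).digest()  # 128-bit output, far fewer bits of entropy


def weak_seed_search_space_bits(time_window_seconds: int,
                                pid_range: int,
                                ppid_range: int) -> float:
    """Upper bound, in bits, on the number of distinct seeds weak_seed() can
    produce once an observer has bounded its inputs. Assumes the microsecond
    field is completely unknown (10**6 possibilities) and every other input
    is uniformly spread over the given range. Compare the result with the
    128 bits the seed length suggests."""
    combos = time_window_seconds * 1_000_000 * pid_range * ppid_range
    return math.log2(combos)


def strong_seed(nbytes: int = 16) -> bytes:
    """Hardened form: take seed material from the operating system's entropy
    source rather than from state a third party can observe or narrow down."""
    return os.urandom(nbytes)


def seed_is_reproducible(seconds: int, microseconds: int, pid: int, ppid: int) -> bool:
    """Defender's check: a seed function whose output can be regenerated from
    knowable inputs is predictable by construction. Returns True for weak_seed."""
    return weak_seed(seconds, microseconds, pid, ppid) == weak_seed(seconds, microseconds, pid, ppid)


if __name__ == "__main__":
    # Constructed parameters: time known to the second, pids in a 15-bit range.
    bits = weak_seed_search_space_bits(time_window_seconds=1,
                                       pid_range=32768,
                                       ppid_range=32768)
    print(f"weak seed search space: about {bits:.1f} bits (nominal seed length: 128)")
    print(f"strong seed: {strong_seed().hex()}")
```

The gap between the nominal seed length and the search-space bound is the number to look at in design review: a 128-bit seed drawn from inputs that together span roughly 50 bits is a 50-bit seed, whatever its length.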
