[919] in WWW Security List Archive
Re: Netscape's purported RNG
daemon@ATHENA.MIT.EDU (smb@research.att.com)
Fri Sep 22 23:18:59 1995
From: smb@research.att.com
To: Rick Smith <smith@sctc.com>
cc: www-security@ns2.rutgers.edu
Date: Fri, 22 Sep 95 20:18:35 EDT
Errors-To: owner-www-security@ns2.rutgers.edu
zurko@osf.org (Mary Ellen Zurko) writes:
> The process problem instead seems
> to be, as pointed out in earlier mail, that they had no expertise in
> the issues of implementing cryptography, and didn't go out of house
> for help. For the fix, they're getting help from RSA.
The depressing thing is that poor RNG seeding is a published bug
that's been seen before in software that depended on randomness for
security. At least, a few cases seem to be somewhere in my cluttered
head tho' the details escape me at the moment. But for sure some early
experiments with IP spoofing were based on predictable RNGs used to
generate TCP sequence numbers. Didn't Morris, Sr., recently refer to
bad RNGs as a popular source of crypto vulnerability?
The TCP sequence number attack worked because there was no randomness
at all. But that's in accordance with the spec. It would have been
harder -- but by no means impossible or even improbable -- if the
counter had the resolution prescribed by the RFCs.
As I mentioned in an earlier note, Sun's fsirand program had a bug in
its seed calculation. Arguably, the architecture was wrong, but the
reality was far worse than that.
Morris and Thompson referred to similar problems in their 1979 paper on
password systems.
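The point above about the RFC-prescribed counter ("harder, but by no means impossible") can be put in numbers. The following is an added illustration, not code from the thread or from any of the systems it discusses: it models the RFC 793 initial-sequence-number clock (a 32-bit value ticking every 4 microseconds, which is what the RFC specifies) and counts how many values an observer with only approximate timing knowledge would have to cover, against a fixed counter on one side and an ISN drawn from the OS entropy pool on the other. The timing-uncertainty figures are assumed for the sake of the example.

```python
# Added illustration (not from the original thread): guess work factor for
# three ISN strategies. The 4 us tick and 32-bit wrap come from RFC 793;
# the timing-uncertainty values used below are assumed, not measured.
import math
import os

TICK_US = 4                  # RFC 793: ISN clock increments every 4 microseconds
ISN_MODULUS = 2 ** 32        # 32-bit sequence number space


def rfc793_isn(isn_at_t0: int, elapsed_us: int) -> int:
    """ISN the RFC 793 clock reaches `elapsed_us` microseconds after an
    observed value isn_at_t0 (wrapping modulo 2**32)."""
    return (isn_at_t0 + elapsed_us // TICK_US) % ISN_MODULUS


def candidate_count(timing_uncertainty_us: int) -> int:
    """Size of the candidate set when the true elapsed time is known only
    to +/- timing_uncertainty_us. A fixed-increment counter with no clock
    (uncertainty 0) leaves exactly one candidate; the set is capped at the
    full 32-bit space, which is what a truly random ISN forces."""
    span_ticks = (2 * timing_uncertainty_us) // TICK_US
    return min(ISN_MODULUS, span_ticks + 1)


def guess_bits(candidates: int) -> float:
    """Work factor in bits: log2 of the candidate set size."""
    return math.log2(candidates)


def random_isn() -> int:
    """Hardened alternative: an ISN from the OS entropy pool, so an observed
    value tells an outsider nothing about the next one (2**32 candidates)."""
    return int.from_bytes(os.urandom(4), "big")


if __name__ == "__main__":
    # "No randomness at all": one candidate once the previous ISN is known.
    print(f"fixed counter: {guess_bits(candidate_count(0)):.1f} bits")
    # RFC 793 clock: with 10 ms of timing slack, about 5000 candidates.
    for jitter_us in (1_000, 10_000, 100_000):
        n = candidate_count(jitter_us)
        print(f"RFC 793 clock, +/-{jitter_us} us: {n} candidates, "
              f"{guess_bits(n):.1f} bits")
    print(f"random ISN: {guess_bits(ISN_MODULUS):.1f} bits")
```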