[926] in WWW Security List Archive

Randomness Problems

daemon@ATHENA.MIT.EDU (John Hemming CEO MarketNet)
Sat Sep 23 08:09:40 1995

From: "John Hemming CEO MarketNet"  <JohnHemming@mkn.co.uk>
Date:  Sat, 23 Sep 1995 09:55:32 AM PDT
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

It is interesting that there appear to be two problems which have
been identified in Netscape's implementation of SSL.  I cannot be
particularly critical of one as I have made a similar error in the past.
(too rushed)

The first error is in the randomness of the generation of the SSL
master key.  This is a 128-bit number that is generated in the
Navigator.  The ability to work this out makes it possible to decrypt
any particular conversation between a Unix Navigator and the
server.

The second error is potentially more serious.  This comes from the
generation of the server's keypair.  Were the prime numbers to be
identified, then all traffic to and from that server can be decrypted
relatively easily.  The key pair's product is normally a number between
512 bits and 1024 bits.  Netscape's own server uses 1016 bits.

Clearly the longer the key the longer it takes to establish the session
key (processing is roughly linked to the cube of the length of the key).
Therefore key length is relevant in issues of response times.

At the end of the day I do not feel that Netscape are due for all the
opprobrium that is currently being ladled onto them.  The advantage
of security systems on the Internet is that there are hundreds if not
thousands of people trying to break them simply for the fun of it.  This
is a far better testing system than could be devised by a bank even as
large as Citibank.  A good testing system finds mistakes.  The key issue
is, therefore, whether the organisation which has made the mistakes

a) Recognises and accepts the fact ... and
b) Fixes the problem

The only way you can guarantee not to make a mistake is not to do
anything.

Final testing of security systems off the Internet is generally left to
the Russian Mafia.

BTW if anyone wants to find out the length of keys being used for an
SSL conversation on a particular server they should take a copy
of workhorse from ftp://193.119.26.70/mktnet/pub/horse.zip
(Windoze only sorry).  It reports the key lengths and the keys.
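
An added example, not part of the original message and not Netscape's code: it shows why a 128-bit master key derived from a small seed carries only as many bits as the seed, and how an audit can flag keys that came from such a generator. The toy generator, the seed model (second within a window plus process id) and all function names are assumptions made for illustration.

```python
import hashlib
import math
import secrets

KEY_BYTES = 16  # 128-bit master key, the size given in the message


def weak_master_key(seed: int) -> bytes:
    """Toy generator (constructed): the key is a pure function of the seed."""
    return hashlib.sha256(seed.to_bytes(8, "big")).digest()[:KEY_BYTES]


def strong_master_key() -> bytes:
    """Key taken directly from the operating system CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def seed_space(window_seconds: int, pid_range: int) -> range:
    """Assumed seed model: (second within a known window, process id)."""
    return range(window_seconds * pid_range)


def effective_key_bits(seed_count: int) -> float:
    """A deterministic generator emits at most one key per seed, so key
    entropy is capped by log2(seed_count), whatever the key length."""
    return min(KEY_BYTES * 8, math.log2(seed_count))


def weak_key_set(seeds) -> set:
    """Every key the weak generator can ever produce for these seeds."""
    return {weak_master_key(s) for s in seeds}


def is_weak_key(key: bytes, weak_keys: set) -> bool:
    """Audit check: was this key drawn from the weak generator's output?"""
    return key in weak_keys


if __name__ == "__main__":
    seeds = seed_space(window_seconds=4, pid_range=1024)  # constructed sizes
    weak = weak_key_set(seeds)
    print("possible weak keys:", len(weak))
    print("effective bits:", effective_key_bits(len(seeds)), "of", KEY_BYTES * 8)
    print("weak key flagged:", is_weak_key(weak_master_key(1234), weak))
    print("CSPRNG key flagged:", is_weak_key(strong_master_key(), weak))
```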
