[938] in WWW Security List Archive
Random seed -Reply
daemon@ATHENA.MIT.EDU (Martin Taylor)
Tue Sep 26 12:37:50 1995
Date: Tue, 26 Sep 1995 14:39:37 +0100
From: Martin Taylor <m.taylor@ELSEVIER.CO.UK>
To: elgamal@netscape.com
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Taher ElGamal <elgamal@netscape.com> wrote:
<.........>
>Enclosed is our proposal for addressing the need of finding more
>sources of random information in your system's environment.
<.........>

Just my twopence worth: have you examined the validity of these
sources in the light of the functionality provided by the Java language in
Netscape 2.0? I imagine that a number of the sources are readable by a
Java applet - you will be better able than I, I think, to gauge how this may
compromise them as "unknowns". The sort of attack I envisage would
involve a rogue applet mailing back the state of these items to a third
party. Is this possible in principle?

Re your query on PGP: the seed file is RANDSEED.BIN. Incidentally, I'm
sure you're aware that PGP relies mostly on key depressions for its
random input. I appreciate it would be difficult to do this to the same
degree in Netscape, but there might perhaps be scope for some analysis
of keyboard/mouse event timing at the start of a Netscape run.

Martin Taylor