[22272] in bugtraq


Re: qmail starttls patch does not seed the random number generator

daemon@ATHENA.MIT.EDU (Scott Renfro)
Thu Aug 16 13:35:44 2001

Date: Thu, 16 Aug 2001 10:22:10 -0700
From: Scott Renfro <scott@renfro.org>
To: Jack Lloyd <lloyd@acm.jhu.edu>
Cc: Wojciech Purczynski <wp@supermedia.pl>,
        Felix von Leitner <felix-qmail@fefe.de>, qmail@list.cr.yp.to,
        jos-tls@kotnet.org, bugtraq@securityfocus.com
Message-ID: <20010816102209.I60185@bonsai.home.renfro.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.30.0108151324460.7141-100000@sol.galaxy.acm.jhu.edu>; from lloyd@acm.jhu.edu on Wed, Aug 15, 2001 at 01:42:05PM -0400

On Wed, Aug 15, 2001 at 01:42:05PM -0400, Jack Lloyd wrote:
> 
>   2) IIRC, OpenSSL adds a few "random" things like pid, uid, time, etc
> in the creation of the key

On "Unix" platforms, it adds getpid(), getuid(), and time(NULL).
Wagner and Goldberg demonstrated how very predictable these values were
years ago with the Netscape browser.

>   3) Oh, one more thing. An SSL/TLS key is negotiated between the
> client and server, and derived from random values sent by each of
> them.

But the client-random and server-random values are public.  The only
secret input to the master secret is the pre-master secret which is
entirely supplied by the client.  If the PRNG used by the client to
generate the pre-master secret is weak, an attacker that can sniff the
packets can decrypt them with relatively little effort.

In this case, you have to have a working and recognized-by-OpenSSL
/dev/urandom or an alternate source of good entropy.

--Scott

-- 
Scott Renfro <scott@renfro.org>
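
The derivation Scott describes, as an added example that is not part of the original mail or of the qmail/OpenSSL code: the TLS 1.0 PRF from RFC 2246, the master secret computed from the pre-master secret plus the two public randoms, and a passive attacker who recovers the pre-master secret by replaying the derivation over every seed a weak client PRNG could have used, checking each guess against the Finished verify_data seen on the wire. The weak PRNG (`weak_pre_master`, a function of pid, uid and time only), the handshake bytes and the randoms are constructed for the demonstration and are assumptions, not OpenSSL's or Netscape's actual seeding.

```python
"""Added example, not part of the original post: TLS 1.0 master-secret
derivation (RFC 2246 section 8.1) and a brute-force recovery of the
pre-master secret from a client whose PRNG is seeded only from pid, uid
and time.  The weak PRNG and the handshake bytes are constructed for the
demonstration; they are not OpenSSL's or Netscape's actual code."""
import hashlib
import hmac
import struct


def p_hash(hash_name, secret, seed, length):
    """TLS 1.0 P_hash expansion (RFC 2246 section 5): HMAC chain A(i)."""
    out = b""
    a = seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()   # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XORed with
    P_SHA1 over the second half (halves overlap by one byte if odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def master_secret(pre_master, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random)[0..47].  Both randoms are
    sent in the clear; only pre_master is secret."""
    return tls10_prf(pre_master, b"master secret",
                     client_random + server_random, 48)


def client_finished(ms, handshake_messages):
    """verify_data of the client Finished message: 12 bytes of
    PRF(master_secret, "client finished", MD5(handshake) + SHA1(handshake))."""
    digest = (hashlib.md5(handshake_messages).digest()
              + hashlib.sha1(handshake_messages).digest())
    return tls10_prf(ms, b"client finished", digest, 12)


def weak_pre_master(pid, uid, t):
    """Hypothetical weak client PRNG (assumption for the example): the
    48-byte pre-master secret is a pure function of pid, uid and time(),
    so its entropy is at most the attacker's uncertainty about those."""
    seed = struct.pack(">III", pid, uid, t)
    return (hashlib.sha1(seed).digest()
            + hashlib.sha1(seed + b"\x01").digest()
            + hashlib.sha1(seed + b"\x02").digest()[:8])


def recover_pre_master(client_random, server_random, handshake,
                       observed_finished, pids, uids, times):
    """Passive attacker: replay the handshake with each candidate seed and
    accept the one whose derived master secret reproduces the Finished
    verify_data seen on the wire.  Returns (pid, uid, t, pre_master) or None."""
    for t in times:
        for uid in uids:
            for pid in pids:
                cand = weak_pre_master(pid, uid, t)
                ms = master_secret(cand, client_random, server_random)
                if client_finished(ms, handshake) == observed_finished:
                    return pid, uid, t, cand
    return None


# Constructed sample handshake: the values a sniffer would see on the wire.
CLIENT_RANDOM = bytes(range(32))                     # public
SERVER_RANDOM = bytes(range(32, 64))                 # public
HANDSHAKE = b"ClientHello...ServerHello...ClientKeyExchange (constructed)"
TRUE_PID, TRUE_UID, TRUE_TIME = 1337, 1000, 997982530   # client's real seed


def simulate_attack():
    """Client derives keys from the weak pre-master; attacker recovers it
    knowing only the public randoms, the handshake bytes and the Finished
    verify_data, by searching a few thousand pids and a +-1 s time window."""
    real_pm = weak_pre_master(TRUE_PID, TRUE_UID, TRUE_TIME)
    real_ms = master_secret(real_pm, CLIENT_RANDOM, SERVER_RANDOM)
    wire_finished = client_finished(real_ms, HANDSHAKE)
    hit = recover_pre_master(CLIENT_RANDOM, SERVER_RANDOM, HANDSHAKE,
                             wire_finished,
                             pids=range(1, 4096), uids=(0, 1000),
                             times=range(TRUE_TIME - 1, TRUE_TIME + 2))
    return hit, real_pm, real_ms


if __name__ == "__main__":
    hit, real_pm, real_ms = simulate_attack()
    print("recovered seed:", hit[:3], "pre-master matches:", hit[3] == real_pm)
```

The point of the search loop is that nothing the server contributes helps: client_random and server_random go into the PRF, but the attacker already has them from the sniffed ClientHello and ServerHello, so the work factor collapses to the number of (pid, uid, time) triples the client could plausibly have had, a few tens of thousands here rather than 2^384 for a properly seeded 48-byte pre-master.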
