[96] in 6.033 discussion
Re: CompuServe missed an 033 lecture :-)
Saltzer@ATHENA.MIT.EDU (Saltzer@ATHENA.MIT.EDU)
Fri Apr 12 04:06:45 1996
> 1) The client (WinCIM) generates a pseudorandom string of bits,
> its "nonce" (RB)
In addition to the two weaknesses addressed in Eggenstein's note (both of
which appear to be easy to fix), the step described above may be the source
of another weakness. The protocol depends on unpredictability of the
nonce, and it is very difficult to generate unpredictable nonces in a user
workstation--there is no dependable source of randomness.
The one saving grace here is that the protocol seems to require that an
intruder predict the nonce exactly, because a wrong nonce will be noticed
either by the client or the CompuServe host. So an attack involving
predicting the general region in which the nonce lies, followed by a series
of tests of nonces from that region, will probably not succeed.
Jerry S.
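As an added illustration of the point above (example code, not part of the original thread, and not WinCIM's actual generator, which the thread does not describe): a hypothetical nonce generator seeded only from a one-second clock, beside an OS-backed one. The attacker's "general region" becomes the set of nonces the weak generator can emit for seeds near the guessed time; each candidate then costs one online protocol run that the client or host notices, so what matters is how many candidates that region contains.

```python
"""Added example, not from the original 6.033 thread.  The weak generator is a
hypothetical stand-in for a workstation PRNG seeded from a coarse clock; the
real WinCIM nonce generator is not described on the page."""
from typing import List, Optional
import random
import secrets

NONCE_BYTES = 8  # assumed nonce length; the thread does not give one


def weak_nonce(clock_seconds: int) -> bytes:
    """Hypothetical weak generator: a PRNG seeded only with the wall-clock
    second.  Anyone who knows roughly when the client ran can enumerate the
    possible seeds and so reproduce the nonce exactly."""
    rng = random.Random(clock_seconds)
    return rng.getrandbits(8 * NONCE_BYTES).to_bytes(NONCE_BYTES, "big")


def strong_nonce() -> bytes:
    """OS-backed CSPRNG output: there is no seed for the attacker to guess."""
    return secrets.token_bytes(NONCE_BYTES)


def candidate_nonces(guessed_second: int, window: int) -> List[bytes]:
    """Attacker's view of the 'general region' in which the nonce lies: every
    nonce the weak generator can emit for seeds within +/- window seconds
    of the attacker's guess of when the client ran."""
    seeds = range(guessed_second - window, guessed_second + window + 1)
    return [weak_nonce(s) for s in seeds]


def online_attempts_until_match(target: bytes,
                                candidates: List[bytes]) -> Optional[int]:
    """Simulate testing candidates one at a time against the live protocol.
    Each wrong nonce is a protocol run that the client or the host notices,
    so the return value is the number of noticed attempts the attacker needs,
    or None if the true nonce is not in the enumerated region at all."""
    for attempt, cand in enumerate(candidates, start=1):
        if cand == target:
            return attempt
    return None


if __name__ == "__main__":
    # Constructed scenario: the client really ran at clock second 1000 and
    # the attacker guesses 1003 with a +/- 5 second window.
    region = candidate_nonces(1003, 5)
    print("weak generator: region size", len(region),
          "attempts needed", online_attempts_until_match(weak_nonce(1000), region))
    print("strong generator: attempts needed",
          online_attempts_until_match(strong_nonce(), region))
```

With the clock-seeded generator the region holds only eleven candidates, so the attacker needs at most eleven noticed protocol runs to hit the nonce exactly; with the OS-backed generator the region never contains the nonce at all, so "predict the region, then test" fails as the note expects.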