Once again I speak for myself and not Netscape. The random number seed generation code is now available for review: ftp://ftp1.netscape.com/pub/review/RNGsrc.tar.Z The README from that file is appended below. Netscape has fixed other less glaring but potentially interesting problems and those fixes will be included with the patch that goes out in the near future. As is mentioned in the README, more will need to be done to find more bits of entropy. (Too much of a good thing is still not enough.) However the security team believes that the RNG seed is no longer the weak link and candidate for attack. So I am personally volunteering to have my had shaved if a discovered deficiency in this code results in an easily attacked generated seed. [You will be expected to show your work. :-)] ============================== README =========================== This code represents the heart of Netscape's random number seed generator. The initialization routines are called by the various client front ends and servers and other Netscape software. Furthermore, the server will be putting seed information into the environment of each of the CGI invocations. Here's some things a client does: * Application specific files are passed to SEC_FileForRNG(). For the client this includes the global history file. * The clients then read a portion of the screen depending upon the current state of the hash. * The Update functions feed into an MD5 hash. The MD5 code isn't ours to publish. * User input is used for server side key generation and in client front ends for increasing RNG state entropy over time. This code needs to be portable. We can't access device specific registers that are not guaranteed to be on all relevant platforms. Recommendations to users of Netscape who rely on the security of their transactions: If the attacker has physical access to your machine, security cannot be assured. Netscape continues to point out that if unwanted agents can log into your machine, little can be secure. For secure servers, any insecure connection mechanism could be suspect. Multi-user UNIX platforms will not be as secure as single-user machines. Details: Some of the system specific information that is used in the seed generation is available to any user on that system. To help mitigate this, the entire user environment is passed into the seed generation algorithm. A wary user can alter his user environment before running Netscape software. If someone can get root (superuser) access to your machine, they can pretty much do anything. Netscape security could be weak if run on a platform emulator. Use a version native to the platform on which you are running. Details: Some of the usefulness of the seed generation depends upon the unpredictability of the low order bits of various clocks and timers. The clocks of many emulators may have much less entropy than the actual builtin clocks. If you are running on a UNIX platform, make sure of the security of your X server. This is also true if the X connection is not to a local machine as all of the events and the data from the screen read may be captured from the ethernet. Details: If the attacker is monitoring your user input then its randomness is not useful. It is better to perform some user action before connecting to a secure site. This means you should not set your home page to a secure site or launch your client from a command line to a secure site. Details: While navigating through menus or typing into various form fields, the Navigator uses the unpredictability of details of the user actions to increase the entropy of the RNG state. For this patch, proposed changes had to fit into the existing code and UI structure. We will rely on the user interactions leading to the initial secure page. In future versions, the Navigator will force the user to explicitly use the keyboard or mouse to help generate the initial seed before doing any secure transactions. That seed will be maintained across invocations of the Navigator. The files are not compilable as is. They have been extracted from the Netscape's cross platform build environment, and all of the headers needed to compile them are not included. They should be compilable with some simple edits on their platforms (MFC on Windows, CodeWarrior on Mac). ================================================================= PK -- -- Philip L. Karlton karlton@netscape.com Principal Curmudgeon http://www.netscape.com/people/karlton Netscape Communications Corporation