
pgut001@cs.auckland.ac.nz wrote:
The Netscape server key format is very susceptible to both a dictionary attack and to keystream recovery. It uses the PKCS #8 format for private keys, which provides a large amount of known plaintext at the start of the data, in combination with RC4 without any form of IV or other preprocessing (even though PKCS #8 recommends that PKCS #5 password-based encryption be used), which means you can recover the first 100-odd bytes of key stream with a simple XOR (the same stupid mistake Microsoft made with their .PWL files). This means two things:
1. It's very simple to write a program to perform a dictionary attack on the server key (it took me about half an hour using cryptlib, and another half hour to rip the appropriate code out of cryptlib to create a standalone program).
2. The recovered key stream from the encrypted server key can be used to decrypt any other resource encrypted with the server password, *without knowing the password*. This is because there's enough known plaintext (ASN.1 objects, object identifiers, and public key components) at the start of the encrypted data to recover large quantities of key stream.
Peter,

The attack you describe is indeed possible with the Netscape Commerce Server 1.x. However, current Netscape products, such as Navigator, Enterprise Server, and FastTrack Server, have improved private key encryption that prevents these types of attacks. Note that the old key handling code is of the same vintage as the random number seed code that was shown to be weak last year (from before I got here). I recognized this particular problem quite some time ago, and fixed all of the products that were then in development.

If someone is running the old Commerce Server, and is not confident that the file system of their server machine cannot be accessed by attackers, I would recommend that they upgrade to the FastTrack or Enterprise servers.

--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
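The exchange above turns on one property of a stream cipher: if a password keys RC4 directly, with no salt or IV, every resource protected by that password is XORed with the same keystream, so a predictable prefix (the ASN.1 header of a PKCS #8 blob) gives the keystream away and that keystream then strips the same bytes from any sibling resource. The following Python is an added illustration written for this thread; it is not Netscape's or cryptlib's code. It models the weak construction as "RC4 keyed by a fixed digest of the password" (an assumption about the old format, chosen only to make the keystream deterministic) and places beside it a PKCS #5 style password-based encryption with a random salt and an iteration count, which is the fix both messages point to. The ASN.1 prefix and the resource contents are constructed sample data.

```python
import hashlib
import os
from typing import Optional

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). Present only because the page's construction uses it;
    RC4 is deprecated and new designs should use an AEAD instead."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# --- Weak construction (model of the old format, an assumption): the password alone
# determines the RC4 key, so every resource shares one keystream.
def weak_key(password: str) -> bytes:
    return hashlib.md5(password.encode()).digest()

def weak_encrypt(password: str, plaintext: bytes) -> bytes:
    return xor(plaintext, rc4_keystream(weak_key(password), len(plaintext)))

# --- Hardened construction in the spirit of PKCS #5 PBE: a random 16-byte salt and an
# iteration count derive a per-resource key, hence a per-resource keystream. The salt is
# stored in front of the ciphertext.
SALT_LEN = 16
ITERATIONS = 100_000

def pbe_encrypt(password: str, plaintext: bytes, salt: Optional[bytes] = None) -> bytes:
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=16)
    return salt + xor(plaintext, rc4_keystream(key, len(plaintext)))

def pbe_decrypt(password: str, blob: bytes) -> bytes:
    salt, ct = blob[:SALT_LEN], blob[SALT_LEN:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=16)
    return xor(ct, rc4_keystream(key, len(ct)))

# Constructed sample: a fixed header standing in for the predictable PKCS #8 / ASN.1
# prefix (SEQUENCE, version INTEGER 0, rsaEncryption AlgorithmIdentifier), followed by
# made-up secret material.
KNOWN_PREFIX = bytes.fromhex("30820122020100300d06092a864886f70d010101")

def keystream_reuse_demo(password: str = "demo-password") -> dict:
    """Compare what a known prefix in resource A reveals about resource B under each scheme."""
    resource_a = KNOWN_PREFIX + b"secret-private-key-material-A"
    resource_b = b"another resource protected by the same password, B"
    n = len(KNOWN_PREFIX)

    # Weak scheme: ciphertext(A) XOR known prefix = keystream, which also decrypts B.
    weak_a = weak_encrypt(password, resource_a)
    weak_b = weak_encrypt(password, resource_b)
    recovered_ks = xor(weak_a[:n], KNOWN_PREFIX)
    leaked_b = xor(weak_b[:n], recovered_ks)

    # Hardened scheme: distinct salts give independent keystreams, so the same step
    # applied to B yields nothing.
    hard_a = pbe_encrypt(password, resource_a)
    hard_b = pbe_encrypt(password, resource_b)
    ks_a = xor(hard_a[SALT_LEN:SALT_LEN + n], KNOWN_PREFIX)
    garbage_b = xor(hard_b[SALT_LEN:SALT_LEN + n], ks_a)

    return {
        "weak_keystream_recovered": recovered_ks == rc4_keystream(weak_key(password), n),
        "weak_leaks_b": leaked_b == resource_b[:n],
        "hardened_leaks_b": garbage_b == resource_b[:n],
        "hardened_roundtrip": pbe_decrypt(password, hard_a) == resource_a,
    }

if __name__ == "__main__":
    for name, value in keystream_reuse_demo().items():
        print(f"{name}: {value}")
```

The salt also addresses the first of Peter's two points: with a fixed keystream a dictionary attack verifies each guess with one XOR against the known header, whereas the salt defeats precomputation and the iteration count makes each guess cost a full key derivation. RC4 is kept in the hardened half only to stay on the page's construction; the real lesson is key and nonce uniqueness per resource, which an authenticated cipher mode provides by design.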