In article <199509192304.QAA05546@infinity.c2.org>, sameer@c2.org (sameer) writes:
" With this knowledge, an experienced computer programmer could decrypt messages sent by Netscape Navigator to other computers in a few hours of computation time."
Excuse me? A few hours? Try 25 seconds??
DISCLAIMER: my comments below are my opinion, and not necessarily the position of Netscape.

Yes, it was < 1 minute if you had captured the client-hello message, and had access to the machine that was running the Navigator, and it was a unix machine and it was not an SGI with a high-resolution timer. If the attacker does not have access to the machine to determine the pid and ppid, then the attack will take longer. If the Navigator is running on an SGI machine with a high-resolution cycle counter then it is used as the first of the two 32-bit seeds. If the Navigator is running on a Mac or PC, then the two seeds are the current time and the "tick count", which is milliseconds since starting Windows for the PC version, and some time unit since booting on the Mac. I believe that it would take much longer than 1 minute to mount an attack against a Mac, PC, or unix machine that the attacker was not logged on to. I don't know exactly how the few-hour number was calculated, since it was done by marketing with input from someone else in the group.

Another interesting data point is that the unix version, which was most vulnerable, accounts for less than 10% of our user base, according to the Yahoo random link stats.

Of course none of this reduces the magnitude of the screw up/bug/design flaw/whatever. I really can't say which of these it was since I wasn't around at the time that this code was being written. I must admit that the RNG seed code was not an area that I thought to examine when I took over our security library. This was a bad mistake on our part, and we are working hard to fix it. We have been trying to identify sources of random bits on PCs, Macs, and all of the many unix platforms we support. We are looking at stuff that is system dependent, user dependent, hardware dependent, and random external sources such as the network and the user. If anyone has specific suggestions I would love to hear them so that we can do a better job.
"Netscape has also begun to engage an external group of world-class security experts who will review our solution to this problem before it is sent to customers."
A group which offered to review the first version, but Netscape refused.
Do you mean that cypherpunks offered to review the Netscape code if only we made all the source available on the net? I think that it is unrealistic to expect us to release all of our source code to the net. We will be having at least some of our code reviewed by a wider audience, but I don't yet know which code, or how wide a review group. If anyone has specific suggestions for pieces of code that you would like to see widely reviewed (such as RNG and seed generation) let me know.

I realize that some cypherpunks think that we should make all of our code publicly available. In an ideal world that would be great, but we live in a world with politicians, crooks, lawyers, stockholders, etc... Don't expect to see us posting our entire security library source code to cypherpunks.
From their release it looks like they aren't finding a better source of entropy, but just using *more* sources of entropy. Doesn't mean that the entropy is good.
I would love to hear your suggestions for good sources of entropy on any systems that our products run on.
A T-shirt to the first person to decompile the new Seed code and post the sources of "entropy" used.
Is this offer good for Netscape employees? What if I post the code without having had to decompile it? :-)

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
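The seed construction Jeff describes above (time plus pid and ppid on unix, time plus tick count on a Mac or PC) can be turned into a rough entropy budget, which is the check a reviewer would want before accepting a replacement seeder. The following is an added example and not code from the message or from Netscape; the candidate counts per component (clock known to within an hour, a 15-bit pid space, under 24 hours of uptime) and the trial rate are assumptions, and `weak_seed` is a stand-in for the style of seeding being criticized, not Netscape's actual code.

```python
import math
import os
import time

# Added example (not Netscape's code). Each seed is modeled as independent
# components; for each we guess how many values an attacker would still have
# to consider. All counts below are assumptions, not measurements.
SCENARIOS = {
    # attacker logged in on the same unix host: time, pid and ppid all visible
    "unix, attacker on the host": {"time": 1, "pid": 1, "ppid": 1},
    # remote attacker: clock known to within an hour, 15-bit pid space (assumed)
    "unix, remote attacker": {"time": 3600, "pid": 2 ** 15, "ppid": 2 ** 15},
    # PC: clock within an hour plus a millisecond tick count for < 24 h uptime
    "pc, remote attacker": {"time": 3600, "tick_ms": 24 * 3600 * 1000},
    # what a seed read from the kernel entropy pool gives instead
    "os entropy pool, 16 bytes": {"urandom": 2 ** 128},
}

def entropy_bits(candidate_counts):
    """Upper bound on seed entropy: log2 of the seed values left to try."""
    return sum(math.log2(n) for n in candidate_counts.values())

def expected_search_seconds(bits, trials_per_second):
    """Expected time to hit the seed, covering half the space at the given rate."""
    return (2.0 ** bits) / 2 / trials_per_second

def seed_budget_ok(candidate_counts, minimum_bits=128):
    """Defender's check: does the seed construction clear a sane threshold?"""
    return entropy_bits(candidate_counts) >= minimum_bits

def weak_seed():
    """32-bit seed in the style criticized on the page: time mixed with pids."""
    return (int(time.time()) ^ (os.getpid() << 16) ^ os.getppid()) & 0xFFFFFFFF

def strong_seed(nbytes=16):
    """Seed drawn from the OS entropy pool; its budget is simply 8 * nbytes bits."""
    return int.from_bytes(os.urandom(nbytes), "big")

def report(trials_per_second=1_000_000):
    """Bits and expected search time per scenario at a placeholder trial rate."""
    return {
        name: (round(entropy_bits(c), 1),
               expected_search_seconds(entropy_bits(c), trials_per_second))
        for name, c in SCENARIOS.items()
    }
```

`report()` makes the point of the message concrete: the on-host unix case has no attacker-unknown bits at all, the remote cases sit near 40 bits, and only the kernel-pool seed clears a 128-bit budget.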