(Fwd) Netscape Commerce Server and Certificates
From www-security...
------- Forwarded Message Follows ------- Date: Sat, 23 Sep 95 01:07:38 From: <atri@netscape.com> Subject: Netscape Commerce Server and Certificates To: "john hemming ceo marketnet" <johnhemming@mkn.co.uk>, www-security@ns2.rutgers.edu Cc: The Commerce server is significantly less vulnerable because: 1. Key pairs are generated only once 2. Access to the actual server is limited for hackers to try to guess with some accurace when the key pair was generated. 3. The time it takes to generate key pairs is about 5 seconds on a reasonably powerful UNIX machine. 4. Since the random number seed address space is 30 bits, even if one knew approximately when the server key-pair was generated it only reduces this dows to say 20 bits. Therefore the operation can take anywhere from (2**20 to 2**30) * 5 seconds = 5 million to 5 billion seconds. 5 million seconds = 57.8 days 5 billion seconds = 158 years 5. We plan to have the patch available by next week 6. You are right about server owners having to get new certificates. Netscape and VeriSign will offer new six month certificates to all current certificate owners at no charge. --Atri At 09:58 PM 9/22/95 PDT, John Hemming CEO MarketNet wrote:
Netscape Commerce server certificates use RSA key pairs generated by the<BR> user, i.e. with "Netscape's shoddy random number genrator" (sic). All the<BR> server running in "secure" mode need new RSA keys and certificates as noted<BR> in the following excerpt from the official Netscape response. <BR> <BR> "In addition, the current version of the Netscape Commerce Server has a<BR> similar vulnerability during it's initial key-pair generation. Therefore, a<BR> patch will be made available from Netscape and should be applied by Commerce<BR> Server customers to generate a new key pair and server certificate." <BR> If that is really what Netscape have issued then it needs correcting unless for some reason RSA's private key is stored in the Commerce Server. I would presume that a certificate request would be needed instead.
There is really quite a high noise to signal ratio in dealing with the non randomness of the unix Navigator (which is what I understand the problem to be).
____________________________________ Atri Chatterjee Server Marketing Netscape Communications Corporation (415) 528-2834 (ph) (415) 528-4120 (fax) Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation http://www.process.com trei@process.com
participants (1)
-
Peter Trei