netscape's response

Timothy C. May tcmay at got.net
Wed Sep 20 00:09:43 PDT 1995


At 5:53 AM 9/20/95, Jeff Weinstein wrote:

>  Of course none of this reduces the magnitude of the screw up/bug/design
>flaw/whatever.  I really can't say which of these it was since I wasn't
>around at the time that this code was being written.  I must admit that
>the RNG seed code was not an area that I thought to examine when I took
>over our security library.

In _retrospect_ (:-}), the approach taken by Goldberg and Wagner seems
pretty obvious. Where PGP, for example, asks the user to go through a
laborious process of "generating entropy" through ostensibly-random
keyboard button presses, Netscape does not do this. Nor does it, for
example, "listen" to a microphone input for some amount of time (to at
least make a plausible pretense of gathering entropy), nor does it measure
a Zener diode, or count clicks of a Geiger counter, or whatever.

The very speed of Netscape's PRNG process suggests the usual weakness in
PRNGs: simply not enough entropy. That is, a limited search space allows
the guessing of a seed or entry point in a deterministic process.


>  This was a bad mistake on our part, and we are working hard to fix it.
>We have been trying to identify sources of random bits on PCs, Macs, and
>all of the many unix platforms we support.  We are looking at stuff that
>is system dependent, user dependent, hardware dependent, random external
>sources such as the network and the user.  If anyone has specific
>suggestions I would love to hear them so that we can do a better job.

I think a reasonable way to generate several hundred seemingly random (or
at least highly unpredictable) bits is the "swirling the mouse" approach
mentioned by several people. All implementations of Netscape involve mice,
I assume, and this is a fairly fast way of generating hard-to-guess bits.
Colin Plumb has code to do this, as has been mentioned. (I'm not saying
that some number of "mouse swirlings" will generate some number of bits of
entropy...this depends on the platform, the granularity of mouse
measurements, etc. Better to take several times as many bits as needed and
distill them down, with MD5 or other hash functions....can't have too many
bits of entropy to start with!)

This could be done fairly quickly by Netscape, and doesn't assume the
platform has microphones to "measure background noise" or other exotic and
nonstandard inputs.

Years ago, I recall articles in sci.crypt about getting "pretty good random
numbers" from complicated measurements of disk accesses on a local machine,
ticks of the system clock, times between keyboard button presses, etc., all
mixed and convolved together. Not perfect, of course, but if enough bits
are started with (e.g, 2000) when "only" 126 or 512 or whatever are
ultimately used, this "mixing" can probably be pretty damned good. At
least, I doubt any t-shirts will be won.


>  Do you mean that cypherpunks offered to review the netscape code
>if only we made all the source available on the net?  I think that it
>is unrealistic to expect us to release all of our source code to the
>net.
>
>  We will be having at least some of our code reviewed by a
>wider audience, but I don't yet know which code, or how wide a review
>group.  If anyone has specific suggestions for pieces of code that
>you would like to see widely reviewed (such as RNG and seed generation)
>let me know.
>
>  I realize that some cypherpunks think that we should make all of
>our code publicly available.  In an ideal world that would be great,
>but we live in a world with politicians, crooks, lawyers, stockholders,
>etc...  Don't expect to see us posting our entire security
>library source code to cypherpunks.

I think a better approach is to modularize the functions, so that a "PRNG"
chunk could be shown without "damaging" Netscape's market situation. (I
doubt the crypto section is seen as Netscape's market edge, and use of
industry-verified crypto modules would be a net plus, anyway.)

In other words, keep secret (arguably) the things you don't want
competitors to have access to. But things like crypto modules are rarely
trade secrets--if only because the cores are so often licensed anyway--and
can be shown and vetted without affecting the rest of the product.

(I said "arguably" because many will argue for showing all of the source
code, anyway, as the almost-ultimate check on integrity and reliabilty. And
there may be subtle security flaws that hinge on the overall program, not
just specific parts.)


>  I would love to hear your suggestions for good sources of entropy
>on any systems that our products run on.

See above. This has been a recurring topic in sci.crypt and Cyherpunks---so
recurring, in fact, that several of us have expressed bemusement at seeing
"yet another "How do I generate entropy" argument."

I guess we all (save for Mssrs. Goldberg and Wagner) tacitly assumed that a
modern product claiming to have strong crypto would use commonly-accepted
techniques for generating enough entropy. (Commonly used in RSA's crypto
products, and in PGP.)

I suggest you take RSADSI up on their offer to advise you. (Or Cylink, as
the case may soon be.)

--Tim May

---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."








More information about the cypherpunks-legacy mailing list