netscape's response

Bill Stewart stewarts at ix.netcom.com
Wed Sep 20 15:15:34 PDT 1995


On Sep 20, 12:29am, Christian Wettergren wrote:
>> Subject: Re: netscape's response
>> One wild idea that I just got was to have servers and clients exchange
>> random numbers (not seeds of course), in a kind of chaining way. Since
>> most viewers connect to a number of servers, and all servers are
>> connected to by many clients, they would mix "randomness sources" with
>> each other, making it impossible to observe the local environment
>> only. And the random values would of course be encrypted under the
>> session key, making it impossible to "watch the wire".

Be _very_ careful with this approach - it's the kind of thing that a
rogue server or client might abuse to find out randomness or other state
information about the clients or servers connecting to it.
At minimum, only give out some of your randomness, XORed with some
arbitrary value to scramble the range and then hashed before sending,
so that the recipient can't find out the values you're using.

One valuable technique is to continually accumulate any randomness available,
rather than just going for what's available right when you need it.
However, one source of right-when-you-need-it randomness to contribute
to session keys is hashing the plaintext, or at least the first chunk of it;
if you use this carefully (e.g. by throwing it in with the rest of your
hash input), it should provide input unavailable to the attacker.

Also, while network boards and sound cards can provide useful randomness,
you can't depend on their existence, at least in the PC world; most home users
probably connect over modems and don't have LANs.  So any software that
would like to use these needs to include methods of detecting their existence
before trying to get data from them.  (Suns obviously all have network
interfaces,
and Sparcstations have /dev/audio, but not all Unix boxes are similarly
equipped.)
#---
# Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---







More information about the cypherpunks-legacy mailing list