Kerberos vulnerability
deadbeat
an5877 at anon.penet.fi
Wed Feb 21 00:42:51 PST 1996
-----BEGIN PGP SIGNED MESSAGE-----
A Kerberos V4 session key is chosen by calling random() repeatedly.
The PRNG is seeded with srandom(time.tv_usec ^ time.tv_sec ^ p ^ n++),
where p is a static integer set to getpid() ^ gethostid() on the first
call and n is a static counter.
Is there any entropy here??? Most, if not all, Kerberos servers run one
time synchronization protocol or another, which reduces the entropy to a
few bits at most.
DEADBEAT <na5877 at anon.penet.fi>
-----BEGIN PGP SIGNATURE-----
Version: 2.4
iQBFAgUBMSnfhvFZTpBW/B35AQFNqgGApyXhHKIstdDvNaCuJY/fWfRZ16BvK60A
Qde5VxuTsFdZsm69rrTtGxpdyplBxso6
=jHUm
-----END PGP SIGNATURE-----
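An added example, not part of the original post or of the Kerberos source: a C model of the seed expression quoted above that counts how many distinct srandom() seeds exist once tv_sec, p and n are known, next to a key drawn from the kernel CSPRNG. The 8-byte key, the one-byte-per-random()-call layout and the sample sec/p/n values are assumptions made for the illustration.

```c
/* Added example: constructed model of the seeding described in the post. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
/* Seed expression as the post gives it; srandom() takes a 32-bit value. */
unsigned seed_of(unsigned sec, unsigned usec, unsigned p, unsigned n) {
    return usec ^ sec ^ p ^ n;
}
/* Assumption: 8 key bytes, the low byte of one random() call each. */
void weak_key(unsigned seed, unsigned char key[8]) {
    srandom(seed);
    for (int i = 0; i < 8; i++) key[i] = (unsigned char)(random() & 0xff);
}
/* Hardened form: key bytes from the kernel CSPRNG; returns 0 on success. */
int strong_key(unsigned char key[8]) {
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(key, 1, 8, f) : 0;
    if (f) fclose(f);
    return got == 8 ? 0 : -1;
}
static int cmp_u(const void *a, const void *b) {
    unsigned x = *(const unsigned *)a, y = *(const unsigned *)b;
    return (x > y) - (x < y);
}
/* Distinct seeds over `secs` seconds, p and n known, any tv_usec; 0 on alloc failure. */
unsigned long distinct_seeds(unsigned sec0, unsigned secs, unsigned p, unsigned n) {
    size_t total = (size_t)secs * 1000000u, k = 0;
    unsigned *s = malloc(total * sizeof *s);
    if (!s) return 0;
    for (unsigned t = 0; t < secs; t++)
        for (unsigned us = 0; us < 1000000u; us++)
            s[k++] = seed_of(sec0 + t, us, p, n);
    qsort(s, total, sizeof *s, cmp_u);
    unsigned long uniq = total ? 1 : 0;
    for (size_t i = 1; i < total; i++) uniq += s[i] != s[i - 1];
    free(s);
    return uniq;
}
/* Smallest b with 2^b >= count: upper bound on seed entropy in bits. */
unsigned bits_for(unsigned long count) {
    unsigned b = 0;
    while ((1ul << b) < count) b++;
    return b;
}
int main(void) {
    unsigned long c = distinct_seeds(824892168u, 4, 0x1234abcdu, 0); /* constructed inputs */
    printf("distinct seeds over 4 s: %lu (<= %u bits)\n", c, bits_for(c));
    return 0;
}
```

Over four consecutive seconds starting at a multiple of four the count stays at 1,000,000, so the seed carries at most 20 bits even if tv_usec were fully unpredictable: XORing in tv_sec only permutes the tv_usec values.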
More information about the cypherpunks-legacy
mailing list