[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Netscape SSL implementation cracked!
A little birdie told me that Ian Goldberg said:
>
> As some of you may recall, a few weeks ago I posted a
> reverse-compilation of the random number generation routine used by
> netscape to choose challenge data and encryption keys.
>
> Recently, one of my officemates (David Wagner <[email protected]>)
> and I (Ian Goldberg <[email protected]>) finished the job
> of seeing exactly how the encryption keys are picked.
>
> What we discovered is that, at least on the systems we checked (Solaris
> and HP-UX), the seed value for the RNG was fairly trivial to guess by
> someone with an account on the machine running netscape (so much so
> that in this situation, it usually takes less than 1 minute to find
> the key), and not too hard for people without accounts, either.
Makes one wonder what the seed is on a Windows implementation...
If it's only the time, you can probably approximate what the
clock is set to within a couple of minutes (if the timezone of the
client is known).
--
Kevin Prigge | Holes in whats left of my reason,
CIS Consultant | holes in the knees of my blues,
Computer & Information Services | odds against me been increasin'
email: [email protected] | but I'll pull through...