[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Netscape's random numbers




>Before we go to the news, perhaps we should demonstrate the exploitation of
>this hole. It would certainly make selling this story a whole lot easier.

In the first place it is a bit late for that. The problem is all over the net 
already. Expect press coverage tommorow or Wednesday. Secondly I would prefer a 
solution.


Random number generation and maintenance is a whole lot harder than RFC 1750 
makes out. Although that RFC has some usefull ideas it does not provide a 
blueprint fora secure ergodicity management facility.

When I wrote code for Shen I was very carefull in the use I made of the output 
of the ergodicity manager. In particular correlation is a major concern. If a 
pseudo random output is exposed it must not predjudice other random values.

Consider the class of attacks where Mallet receives a message from Alice and 
uses the knowledge of his random number to discover the random number used in 
Alice's later message to Bob.

I always use hash functions as a "one way trap" to ensure that values cannot be 
reverse engineered to discover the internal state of the random number 
generator. I am also careful to erase all internal state before exiting the 
program. 


	Phill Hallam-Baker