Re: Netscape's random numbers
>Before we go to the news, perhaps we should demonstrate the exploitation of
>this hole. It would certainly make selling this story a whole lot easier.
In the first place it is a bit late for that. The problem is all over the net
already. Expect press coverage tomorrow or Wednesday. Secondly, I would prefer a
solution.
Random number generation and maintenance is a whole lot harder than RFC 1750
makes out. Although that RFC has some useful ideas, it does not provide a
blueprint for a secure ergodicity management facility.
When I wrote code for Shen I was very careful in the use I made of the output
of the ergodicity manager. In particular, correlation is a major concern. If a
pseudo-random output is exposed it must not prejudice other random values.
Consider the class of attacks where Mallet receives a message from Alice and
uses the knowledge of his random number to discover the random number used in
Alice's later message to Bob.
I always use hash functions as a "one way trap" to ensure that values cannot be
reverse engineered to discover the internal state of the random number
generator. I am also careful to erase all internal state before exiting the
program.
Phill Hallam-Baker
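An added illustration of the two points in the message above (Mallet predicting Alice's later value from the one she sent him, and hashing as a one-way trap that prevents it). This is example code written for this page, not code from the original post or from Shen. The LCG constants, the SHA-256 labels and the toy generator designs are all assumptions chosen for the demonstration; the LCG in particular is a deliberately weak stand-in and not a recommendation.

```python
"""
Two constructed toy generators:
  * RawLCG     - hands out its internal state as output, so a value that
                 reaches Mallet lets him step the generator forward.
  * HashedPRNG - ratchets its state with one hash label and derives every
                 output with another, so an exposed output gives no path
                 back to the state (the "one way trap").
Mallet's attack: treat the value Alice sent him as the generator state,
advance it once, and predict the value Alice later sends Bob.
"""
import hashlib
import os
from typing import Dict, Tuple

# Assumed toy constants (Knuth's MMIX multiplier/increment, 64-bit state).
LCG_A = 6364136223846793005
LCG_C = 1442695040888963407
MASK64 = (1 << 64) - 1


def lcg_step(state: int) -> int:
    """One step of the toy linear congruential generator."""
    return (LCG_A * state + LCG_C) & MASK64


class RawLCG:
    """Generator whose output IS its state (the bad case)."""

    def __init__(self, seed: int) -> None:
        self.state = seed & MASK64

    def next_value(self) -> int:
        self.state = lcg_step(self.state)
        return self.state  # internal state exposed verbatim


class HashedPRNG:
    """Generator whose outputs pass through SHA-256 as a one-way trap."""

    def __init__(self, seed: bytes) -> None:
        # bytearray so the state can be overwritten in place on exit.
        self.state = bytearray(hashlib.sha256(b"seed" + seed).digest())

    def next_value(self) -> int:
        # Ratchet the state forward under one label ...
        self.state[:] = hashlib.sha256(b"state" + bytes(self.state)).digest()
        # ... and derive the output under a different label. Recovering
        # self.state from the output would require a SHA-256 preimage.
        out = hashlib.sha256(b"out" + bytes(self.state)).digest()
        return int.from_bytes(out[:8], "big")

    def erase(self) -> None:
        # Best effort in CPython: zero the buffer we control. The
        # interpreter makes no guarantee about other copies in memory.
        for i in range(len(self.state)):
            self.state[i] = 0


def mallet_predicts_next(observed: int) -> int:
    """Mallet's guess: assume the observed value is the state and step it."""
    return lcg_step(observed)


def run_attack(gen) -> Tuple[bool, int, int]:
    """Alice sends one output to Mallet, then a fresh one to Bob.
    Returns (attack_succeeded, mallet_guess, value_sent_to_bob)."""
    to_mallet = gen.next_value()
    guess = mallet_predicts_next(to_mallet)
    to_bob = gen.next_value()
    return guess == to_bob, guess, to_bob


def demo() -> Dict[str, bool]:
    """Run Mallet's attack against both generators and zeroise the good one."""
    raw_ok, _, _ = run_attack(RawLCG(int.from_bytes(os.urandom(8), "big")))
    hashed_gen = HashedPRNG(os.urandom(32))
    hashed_ok, _, _ = run_attack(hashed_gen)
    hashed_gen.erase()
    return {
        "raw_attack_works": raw_ok,
        "hashed_attack_works": hashed_ok,
        "state_zeroed": all(b == 0 for b in hashed_gen.state),
    }


if __name__ == "__main__":
    print(demo())
```

Against RawLCG the prediction is always right, because the value on the wire is the state. Against HashedPRNG it matches only by a 2^-64 accident. The hash trap protects outputs, not the seed: the state must still start from real entropy (here os.urandom) and be large enough that guessing it is infeasible, and the erase step only covers the buffer the program controls.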