[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

(Fwd) Netscape Commerce Server and Certificates



From www-security...

------- Forwarded Message Follows -------
Date:          Sat, 23 Sep 95 01:07:38
From:          <[email protected]>
Subject:       Netscape Commerce Server and Certificates
To:            "john hemming ceo marketnet"  <[email protected]>, [email protected]
Cc:            

The Commerce server is significantly less vulnerable because:

1. Key pairs are generated only once
2. Access to the actual server is limited for hackers to try to guess with
some accurace when the key pair was generated.
3. The time it takes to generate key pairs is about 5 seconds on a
reasonably powerful UNIX machine.  

4. Since the random number seed address space is 30 bits, even if one knew
approximately when the server key-pair was generated it only reduces this
dows to say 20 bits.  Therefore the operation can take anywhere from (2**20
to 2**30) * 5 seconds = 5 million to 5 billion seconds.

5 million seconds = 57.8 days
5 billion seconds = 158 years

5.  We plan to have the patch available by next week

6.  You are right about server owners having to get new certificates.
Netscape and VeriSign will offer new six month certificates to all current
certificate owners at no charge.

--Atri

At 09:58 PM 9/22/95 PDT, John Hemming CEO MarketNet wrote:
>>Netscape Commerce server certificates use RSA key pairs generated by the<BR>
>>user, i.e. with "Netscape's shoddy random number genrator" (sic). All the<BR>
>>server running in "secure" mode need new RSA keys and certificates as
noted<BR>
>>in the following excerpt from the official Netscape response. <BR>
><BR>
>>"In addition, the current version of the Netscape Commerce Server has a<BR>
>>similar vulnerability during it's initial key-pair generation. Therefore,
a<BR>
>>patch will be made available from Netscape and should be applied by
Commerce<BR>
>>Server customers to generate a new key pair and server certificate." <BR>
>If that is really what Netscape have issued then it needs correcting unless
>for some reason RSA's private key is stored in the Commerce Server.  I would
>presume that a certificate request would be needed instead.
>
>There is really quite a high noise to signal ratio in dealing with the
>non randomness of the unix Navigator (which is what I understand 
>the problem to be).
>
>
>
>
____________________________________
Atri Chatterjee
Server Marketing
Netscape Communications Corporation
(415) 528-2834 (ph)
(415) 528-4120 (fax)



Peter Trei
Senior Software Engineer
Purveyor Development Team                                
Process Software Corporation
http://www.process.com
[email protected]