
Re: netscape's response



In article <9509200248.ZM206@tofuhut>, Jeff Weinstein <[email protected]> wrote:
>On Sep 20,  1:12am, sameer wrote:
>> 	Is UNIX really the most vulnerable? How many bits did the
>> tickcount account for? Seems to me that guessing just time & tick
>> would be easier than guessing time, pid and ppid if you are not logged
>> into the machine in question. . .
>
>  This is really dependent on how long windows has been running.  If you
>boot windows and immediately start an ssl connection, then the number
>will be pretty low, but if you don't make the first SSL connection until
>later, it should get better.  I think an hour would get you around 16 bits,
>but this is just a guesstimate on my part.  If you leave your machine
>running windows for days you will get close to 32 bits.
>
But you don't have the usec at all, if I read your post correctly.

Windoze uses the time in seconds (essentially 0 bits of randomness,
maybe a couple, since Windoze machines don't set their clocks very well),
and the tick count.

In one hour, the tick count counts to 3600*1000, or about 22 bits.
Many hours give another bit or two.

Thus, in total, given *no* information except the assumption that the
clock is reasonably accurate, you get at *most* 25 bits.

Since our code can do 21 bits in 1 minute, we'll need 16 minutes.

   - Ian
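
Added example, not part of the original message and not Netscape's or the poster's code: a sketch of why a seed built only from clock seconds and a millisecond tick count is bounded by the size of the observer's uncertainty window. The key derivation (`toy_key`), the function names and the sample seed are constructed assumptions for illustration.

```python
import hashlib
import math
import struct

def toy_key(clock_s: int, ticks_ms: int) -> bytes:
    """Constructed stand-in: a key derived only from clock seconds and tick count."""
    return hashlib.sha256(struct.pack("<QQ", clock_s, ticks_ms)).digest()[:16]

def seed_bits(max_uptime_s: int, clock_skew_s: int) -> float:
    """Upper bound on seed entropy: log2 of the number of (seconds, ticks) pairs."""
    tick_values = max_uptime_s * 1000        # millisecond tick counter since boot
    clock_values = 2 * clock_skew_s + 1      # observer's uncertainty about the clock
    return math.log2(tick_values * clock_values)

def recover_seed(key, approx_clock_s, clock_skew_s, max_uptime_s):
    """Enumerate every seed inside the uncertainty window; return the match or None."""
    lo = approx_clock_s - clock_skew_s
    hi = approx_clock_s + clock_skew_s
    for clock_s in range(lo, hi + 1):
        for ticks_ms in range(max_uptime_s * 1000):
            if toy_key(clock_s, ticks_ms) == key:
                return clock_s, ticks_ms
    return None

def demo() -> bool:
    # Constructed scenario: machine up for under 30 s, clock known to +/- 1 s.
    true_seed = (811_555_200, 17_342)
    key = toy_key(*true_seed)
    found = recover_seed(key, approx_clock_s=811_555_201,
                         clock_skew_s=1, max_uptime_s=30)
    return found == true_seed

if __name__ == "__main__":
    print("one hour of ticks: %.1f bits" % seed_bits(3600, 0))
    print("seed recovered from window:", demo())
```

A key drawn from the operating system's CSPRNG (`os.urandom` in Python) has no such window to enumerate.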