Re: Netscape "random" number seed generator code available



On Mon, 25 Sep 1995, Jim Gillogly wrote:

> > [email protected] (Jeff Weinstein) writes:
> > More on the RNG stuff.  On Unix systems we look for ~/.pgp/randseed.bin,
> > and feed it through the RNG hash.
> 
> Interesting idea, but I have a (perhaps irrational) dislike for this idea.
> If Netscape wants to have its own netsceed.bin file to muck around with on
> my system, I'll authorize it to be set up, but I by god don't want it
> mucking around with my PGP setup.  ...

I thought about this a bit, but I don't think that reading randseed.bin
counts as "mucking around with" the "PGP setup."

PGP launders randseed.bin before saving it for just this reason, so that
reading it won't reveal information on the user's session keys.

And the Netscape folks have published the source code which shows that
they only read the file and hash it with MD5.  That the contents of
randseed.bin have been mixed into an MD5 hash with a bunch of other
things can hardly be called a security hole, in my estimation.

David R. Conrad, [email protected], http://www.grfn.org/~conrad
Hardware & Software Committee  --  Finger [email protected] for public key
Key fingerprint =  33 12 BC 77 48 81 99 A5  D8 9C 43 16 3C 37 0B 50
No, his mind is not for rent to any god or government.