1995-09-21 - Re: netscape’s response
Header Data
From: Frank A Stevenson <frank@funcom.no>
To: cypherpunks@toad.com
Message Hash: 0c92b6df3eca2f47339745f77121d44bf701fb7a4743035606307cf85ef96622
Message ID: <Pine.SGI.3.91.950921112257.28289C@odin>
Reply To: <9509201835.ZM154@tofuhut>
UTC Datetime: 1995-09-21 09:34:47 UTC
Raw Date: Thu, 21 Sep 95 02:34:47 PDT
Raw message
From: Frank A Stevenson <frank@funcom.no>
Date: Thu, 21 Sep 95 02:34:47 PDT
To: cypherpunks@toad.com
Subject: Re: netscape's response
In-Reply-To: <9509201835.ZM154@tofuhut>
Message-ID: <Pine.SGI.3.91.950921112257.28289C@odin>
MIME-Version: 1.0
Content-Type: text/plain
On Wed, 20 Sep 1995, Jeff Weinstein wrote:
> NOTE: my first attempt to send this bounced at toad.com
>
> On Sep 20, 5:16pm, David_A Wagner wrote:
> > Subject: Re: netscape's response
> > In article <9509200139.ZM206@tofuhut> you write:
> > > On Sep 20, 12:29am, Christian Wettergren wrote:
> > > > One wild idea that I just got was to have servers and clients exchange
> > > > random numbers (not seeds of course), in a kind of chaining way. Since
> > > > most viewers connect to a number of servers, and all servers are
> > > > connected to by many clients, they would mix "randomness sources" with
> > > > each other, making it impossible to observe the local environment
> > > > only. And the random values would of course be encrypted under the
> > > > session key, making it impossible to "watch the wire".
> > >
> > > Wow, this is a great idea!!
> >
> > Are you quite sure this is a good idea?
> >
> > I'd be very scared of it. In particular, it opens up the chance for
> > adversaries to feed you specially chosen numbers to pollute your seeds.
Suppose you divide your random material into several parts:
A: Userinput (updated from Keystroke timing etc.)
B: 'Random' numbers from remote server
C: Time, pid, ppid, etc..
D: other...
Whenever you want to incorporate new data into B you could do something like:
B = B xor Hash (A,B,C,D, fresh 'random')
This would be very hard to pollute with well chosen input.
>
> What I should have said is that its a very interesting idea. Given
> current perceptions of netscape, I should have made clear that I
> wouldn't do something like this without getting a lot more discussion
> and review of possible dangers and how to avoid them. I certainly
> can't fault anyone for wondering if we would just implement this
> without thinking it through, given recent events.
>
Frank
Thread
Return to September 1995
- Return to “Frank A Stevenson <frank@funcom.no>”
Return to ““Jeff Weinstein” <jsw@netscape.com>”
- 1995-09-21 (Wed, 20 Sep 95 20:46:40 PDT) - Re: netscape’s response - “Jeff Weinstein” <jsw@netscape.com>
- 1995-09-21 (Thu, 21 Sep 95 02:34:47 PDT) - Re: netscape’s response - Frank A Stevenson <frank@funcom.no>