From: karlton@neon.netscape.com (Phil Karlton)
To: cypherpunks@toad.com
Message Hash: 13a211a7ba8d6bc627b9155a59fa74a65879fec40f5a49936fc2007b10b7a143
Message ID: <4454nu$da8@tera.mcom.com>
Reply To: N/A
UTC Datetime: 1995-09-25 02:39:47 UTC
Raw Date: Sun, 24 Sep 95 19:39:47 PDT
Subject: Netscape "random" number seed generator code available
Once again I speak for myself and not Netscape.
The random number seed generation code is now available for review:
ftp://ftp1.netscape.com/pub/review/RNGsrc.tar.Z
The README from that file is appended below.
Netscape has fixed other less glaring but potentially interesting
problems and those fixes will be included with the patch that goes out
in the near future.
As is mentioned in the README, more will need to be done to find more
bits of entropy. (Too much of a good thing is still not enough.)
However the security team believes that the RNG seed is no longer the
weak link and candidate for attack. So I am personally volunteering
to have my head shaved if a discovered deficiency in this code results
in an easily attacked generated seed. [You will be expected to show
your work. :-)]
============================== README ===========================
This code represents the heart of Netscape's random number seed
generator. The initialization routines are called by the various
client front ends and servers and other Netscape software.
Furthermore, the server will be putting seed information into the
environment of each of the CGI invocations.
Here are some things a client does:
* Application specific files are passed to SEC_FileForRNG(). For the
client this includes the global history file.
* The clients then read a portion of the screen depending upon the
current state of the hash.
* The Update functions feed into an MD5 hash. The MD5 code isn't ours
to publish.
* User input is used for server side key generation and in client
front ends for increasing RNG state entropy over time.
This code needs to be portable. We can't access device specific
registers that are not guaranteed to be on all relevant platforms.
Recommendations to users of Netscape who rely on the security of
their transactions:
If the attacker has physical access to your machine, security
cannot be assured.
Netscape continues to point out that if unwanted agents can log
into your machine, little can be secure. For secure servers, any
insecure connection mechanism could be suspect. Multi-user UNIX
platforms will not be as secure as single-user machines.
Details: Some of the system specific information that is used
in the seed generation is available to any user on that
system.
To help mitigate this, the entire user environment is passed
into the seed generation algorithm. A wary user can alter his
user environment before running Netscape software.
If someone can get root (superuser) access to your machine,
they can pretty much do anything.
Netscape security could be weak if run on a platform emulator.
Use a version native to the platform on which you are running.
Details: Some of the usefulness of the seed generation depends
upon the unpredictability of the low order bits of various
clocks and timers. The clocks of many emulators may have
much less entropy than the actual builtin clocks.
If you are running on a UNIX platform, make sure of the security
of your X server. This is also true if the X connection is not to
a local machine as all of the events and the data from the screen
read may be captured from the ethernet.
Details: If the attacker is monitoring your user input then
its randomness is not useful.
It is better to perform some user action before connecting to a
secure site. This means you should not set your home page to a
secure site or launch your client from a command line to a secure site.
Details: While navigating through menus or typing into various form
fields, the Navigator uses the unpredictability of details of the
user actions to increase the entropy of the RNG state.
For this patch, proposed changes had to fit into the existing
code and UI structure. We will rely on the user interactions leading
to the initial secure page.
In future versions, the Navigator will force the user to explicitly
use the keyboard or mouse to help generate the initial seed before
doing any secure transactions. That seed will be maintained across
invocations of the Navigator.
The files are not compilable as is. They have been extracted from
Netscape's cross platform build environment, and all of the headers
needed to compile them are not included. They should be compilable
with some simple edits on their platforms (MFC on Windows, CodeWarrior
on Mac).
=================================================================
PK
--
Philip L. Karlton karlton@netscape.com
Principal Curmudgeon http://www.netscape.com/people/karlton
Netscape Communications Corporation
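An added illustrative model of the design the README describes, written for this archive page and not taken from Netscape's released source: every source (application files, the user environment, low-order timer bits, user input events) is folded into one running hash, and a rough Shannon-entropy check shows how a user could sanity-check a timer source before trusting, say, an emulator's clock. hashlib's MD5 stands in for the MD5 code Netscape could not publish; `file_for_rng` is an assumed analogue of `SEC_FileForRNG()`, and the other method names are assumptions.

```python
import hashlib
import math
import os
import time
from collections import Counter


class SeedPool:
    """Running hash state; each update() mixes another entropy source in."""

    def __init__(self):
        self._h = hashlib.md5()  # assumption: stands in for Netscape's MD5

    def update(self, data: bytes) -> None:
        self._h.update(data)

    def file_for_rng(self, path: str) -> None:
        # Assumed analogue of SEC_FileForRNG(): hash an application file,
        # e.g. the client's global history file.
        with open(path, "rb") as f:
            self.update(f.read())

    def environment(self, env) -> None:
        # The README's mitigation: mix the whole user environment in, so a
        # user can change the seed by altering variables before launching.
        for key in sorted(env):
            self.update(f"{key}={env[key]}".encode())

    def clock_low_bits(self, samples: int = 64) -> None:
        # Only the low-order bits of the timer are assumed unpredictable.
        for _ in range(samples):
            self.update((time.perf_counter_ns() & 0xFF).to_bytes(1, "little"))

    def user_event(self, kind: str, x: int, y: int, t_ns: int) -> None:
        # Mouse/keyboard event: position plus low-order bits of its timestamp.
        self.update(f"{kind}:{x},{y}@{t_ns & 0xFFFF}".encode())

    def seed(self) -> bytes:
        return self._h.digest()


def shannon_bits(samples) -> float:
    """Rough Shannon entropy (bits per sample) of an observed source; a
    constant or near-constant timer scores close to zero."""
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in Counter(samples).values())


if __name__ == "__main__":
    low_bits = [time.perf_counter_ns() & 0xFF for _ in range(4096)]
    print("timer low-byte entropy estimate:", round(shannon_bits(low_bits), 2))
    pool = SeedPool()
    pool.environment(os.environ)
    pool.clock_low_bits()
    pool.user_event("mouse", 10, 20, time.perf_counter_ns())
    print("seed:", pool.seed().hex())
```

The entropy figure is only a Shannon estimate over observed samples, which overstates what an attacker who can model the clock would face; it is a sanity check, not a proof of unpredictability.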