From: jsw@neon.netscape.com (Jeff Weinstein)
To: cypherpunks@toad.com
Message Hash: 350083b87fab0d615b1d041b84ac6b43f910c1804dc8ed2f9ccef8ac12bd6fe2
Message ID: <4407p5$on4@tera.mcom.com>
Reply To: <199509211832.LAA24086@infinity.c2.org>
UTC Datetime: 1995-09-23 06:01:03 UTC
Raw Date: Fri, 22 Sep 95 23:01:03 PDT
Subject: Re: The Next Hack
In article <199509211832.LAA24086@infinity.c2.org>, sameer@c2.org (sameer) writes:
> Now that we've seen that Netscape is doing a good job towards
> trying to fix the hole that Ian and David have uncovered, it's time to
> start looking at new things.
>
> Given the recent post to the www-security list that was
> forwarded here, it seems like just replacing the server may not work
> for all the secure servers out there-- keys may have to be replaced as
> well. Let's find out.
>
> Proposal for action:
>
> 1) Reverse-engineer a server to see if the keygen phase uses
> a weak RNG seed. -- if so, determine the exact algorithm.
>
> 2) Organize a net-wide search over the space of the RNG seed to
> crack the private key of some well known secure server.
>
> 3) Release the private key to the net.

What exactly is the point of this? We have:

1) acknowledged that the RNG used in the server private-key
   generation has the same problem
2) said that we will provide a patch early next week
3) said that we will provide new certificates for all customers
4) promised to make source code for our new seed generation code
   publicly available

What else do you hope to gain by breaking a server key? I think
the point has been made. Is there anything else that you would
reasonably expect that we would do in response to a server key
being broken that we have not already done?

--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.