1995-09-20 - Re: netscape’s response

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: cypherpunks@toad.com
Message Hash: 6c24c866e18826ef15b60837aab61b3fa4a24f0da0c8c1268f71a8d51b155890
Message ID: <199509202215.PAA14101@ix.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1995-09-20 22:15:34 UTC
Raw Date: Wed, 20 Sep 95 15:15:34 PDT

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Wed, 20 Sep 95 15:15:34 PDT
To: cypherpunks@toad.com
Subject: Re: netscape's response
Message-ID: <199509202215.PAA14101@ix.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


On Sep 20, 12:29am, Christian Wettergren wrote:
>> Subject: Re: netscape's response
>> One wild idea that I just got was to have servers and clients exchange
>> random numbers (not seeds of course), in a kind of chaining way. Since
>> most viewers connect to a number of servers, and all servers are
>> connected to by many clients, they would mix "randomness sources" with
>> each other, making it impossible to observe the local environment
>> only. And the random values would of course be encrypted under the
>> session key, making it impossible to "watch the wire".

Be _very_ careful with this approach - it's the kind of thing that a
rogue server or client might abuse to find out randomness or other state
information about the clients or servers connecting to it.
At minimum, only give out some of your randomness, XORed with some
arbitrary value to scramble the range and then hashed before sending,
so that the recipient can't find out the values you're using.

One valuable technique is to continually accumulate any randomness available,
rather than just going for what's available right when you need it.
However, one source of right-when-you-need-it randomness to contribute
to session keys is hashing the plaintext, or at least the first chunk of it;
if you use this carefully (e.g. by throwing it in with the rest of your
hash input), it should provide input unavailable to the attacker.

Also, while network boards and sound cards can provide useful randomness,
you can't depend on their existence, at least in the PC world; most home users
probably connect over modems and don't have LANs.  So any software that
would like to use these needs to include methods of detecting their existence
before trying to get data from them.  (Suns obviously all have network
interfaces,
and Sparcstations have /dev/audio, but not all Unix boxes are similarly
equipped.)
#---
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---






Thread