1995-09-20 - Re: netscape’s response

Header Data

From: jsw@neon.netscape.com (Jeff Weinstein)
To: cypherpunks@toad.com
Message Hash: 9c5373252aa0be86a1a3f667c091722dc7971335472290938ff2035c8d5e1c41
Message ID: <43oa83$nhm@tera.mcom.com>
Reply To: <199509192304.QAA05546@infinity.c2.org>
UTC Datetime: 1995-09-20 05:53:59 UTC
Raw Date: Tue, 19 Sep 95 22:53:59 PDT

Raw message

From: jsw@neon.netscape.com (Jeff Weinstein)
Date: Tue, 19 Sep 95 22:53:59 PDT
To: cypherpunks@toad.com
Subject: Re: netscape's response
In-Reply-To: <199509192304.QAA05546@infinity.c2.org>
Message-ID: <43oa83$nhm@tera.mcom.com>
MIME-Version: 1.0
Content-Type: text/plain


In article <199509192304.QAA05546@infinity.c2.org>, sameer@c2.org (sameer) writes:
> " With this knowledge, an experienced computer programmer could
> decrypt messages sent by Netscape Navigator to other computers in a
> few hours of computation time."
> 
> 	Excuse me? A few hours? Try 25 seconds??

DISCLAIMER: my comments below are my opinion, and not necessarily the
position of Netscape.

  Yes, it was < 1 minute if you had captured the client-hello message,
and had access to the machine that was running the Navigator, and it
was a unix machine and it was not an SGI with a high-resolution timer.

  If the attacker does not have access to the machine to determine the
pid and ppid, then the attack will take longer.  If the Navigator
is running on an SGI machine with a high-resolution cycle counter then
it is used as the first of the two 32-bit seeds.

  If the Navigator is running on a Mac or PC, then the two seeds are
the current time and the "tick count", which is milliseconds since starting
windows for the PC version, and some time unit since booting on the Mac.

  I believe that it would take much longer than 1 minute to mount an
attack against a mac, pc, or unix machine that the attacker was not
logged on to.  I don't know exactly how the few hour number was
calculated, since it was done by marketing with input from someone else
in the group.  Another interesting data point is that the unix version,
which was most vulnerable, accounts for less than 10% of our user
base, according to the yahoo random link stats.

  Of course none of this reduces the magnitude of the screw up/bug/design
flaw/whatever.  I really can't say which of these it was since I wasn't
around at the time that this code was being written.  I must admit that
the RNG seed code was not an area that I thought to examine when I took
over our security library.

  This was a bad mistake on our part, and we are working hard to fix it.
We have been trying to identify sources of random bits on PCs, Macs, and
all of the many unix platforms we support.  We are looking at stuff that
is system dependent, user dependent, hardware dependent, random external
sources such as the network and the user.  If anyone has specific
suggestions I would love to hear them so that we can do a better job.

> "Netscape has also begun to engage an external group of world-class
> security experts who will review our solution to this problem before
> it is sent to customers."
> 
> 	A group which offered to review the first version, but
> Netscape refused.

  Do you mean that cypherpunks offered to review the netscape code
if only we made all the source available on the net?  I think that it
is unrealistic to expect us to release all of our source code to the
net.  

  We will be having at least some of our code reviewed by a
wider audience, but I don't yet know which code, or how wide a review
group.  If anyone has specific suggestions for pieces of code that
you would like to see widely reviewed (such as RNG and seed generation)
let me know.

  I realize that some cypherpunks think that we should make all of
our code publicly available.  In an ideal world that would be great,
but we live in a world with politicians, crooks, lawyers, stockholders,
etc...  Don't expect to see us posting our entire security
library source code to cypherpunks.

> 	From their release it looks like they aren't finding a better
> source of entropy, but just using *more* sources of entropy. Doesn't
> mean that the entropy is good.

  I would love to hear your suggestions for good sources of entropy
on any systems that our products run on.

> 	A T-shirt to the first person to decompile the new Seed code
> and post the sources of "entropy" used.

  Is this offer good for netscape employees?  What if I post the code
without having had to decompile it?   :-)

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
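The seed-entropy accounting behind the message above (why knowing pid and ppid collapses the Unix case to under a minute, and why a PC seed built from time plus tick count is no stronger), as an added example that is not code from the message or from Netscape. The candidate ranges and the guess rate are constructed assumptions, and the Unix seed composition (time of day plus pid and ppid) is assumed from what the message says an attacker must learn.

```python
import math

# Candidate counts per seed input are constructed modelling assumptions (not figures
# from the message or from Netscape): a 1 s clock window taken from the captured
# client-hello, 15-bit Unix pids, and at most a day of Windows uptime in milliseconds.
SCENARIOS = {
    "unix, attacker logged on (pid/ppid known)": {
        "time: whole seconds": 1,            # read off the captured client-hello
        "time: microseconds": 1_000_000,     # sub-second part still unknown
        "pid": 1,                            # taken from the process table
        "ppid": 1,
    },
    "unix, attacker remote (pid/ppid unknown)": {
        "time: whole seconds": 1,
        "time: microseconds": 1_000_000,
        "pid": 2 ** 15,
        "ppid": 2 ** 15,
    },
    "pc, time + tick count": {
        "time: whole seconds": 1,
        "tick count (ms since Windows started)": 24 * 60 * 60 * 1000,
    },
    "reference: 128-bit seed from an OS CSPRNG": {
        "seed": 2 ** 128,
    },
}


def search_space_bits(components):
    """log2 of the number of seeds an attacker must try; independent inputs add."""
    return sum(math.log2(n) for n in components.values())


def expected_seconds(bits, guesses_per_second):
    """Average guessing time: half the space is searched on average."""
    return 2 ** bits / 2 / guesses_per_second


def weakest_scenario(scenarios):
    """Name of the scenario with the smallest search space."""
    return min(scenarios, key=lambda name: search_space_bits(scenarios[name]))


def report(scenarios, guesses_per_second):
    """Rows of (scenario, bits, expected seconds), smallest search space first."""
    rows = []
    for name, components in scenarios.items():
        bits = search_space_bits(components)
        rows.append((name, round(bits, 1), expected_seconds(bits, guesses_per_second)))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    # The guess rate is a constructed assumption used only to scale the comparison.
    for name, bits, secs in report(SCENARIOS, guesses_per_second=1_000_000):
        print(f"{bits:6.1f} bits  ~{secs:12.3g} s   {name}")
```

The useful reviewer check is the ratio between rows, not the absolute seconds: the platform cases sit within tens of bits of each other while the CSPRNG reference is out of reach at any guess rate.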