1996-02-22 - Re: Kerberos vulnerability
Header Data
From: Julian Assange <proff@suburbia.net>
To: an5877@anon.penet.fi
Message Hash: d99d72c9fbd9dc1076cd7cfad823ab1b770acd93c2b375389892d5e5be63ce74
Message ID: <199602220606.RAA04537@suburbia.net>
Reply To: <9602210339.AA22431@anon.penet.fi>
UTC Datetime: 1996-02-22 06:07:59 UTC
Raw Date: Wed, 21 Feb 96 22:07:59 PST
Raw message
From: Julian Assange <proff@suburbia.net>
Date: Wed, 21 Feb 96 22:07:59 PST
To: an5877@anon.penet.fi
Subject: Re: Kerberos vulnerability
In-Reply-To: <9602210339.AA22431@anon.penet.fi>
Message-ID: <199602220606.RAA04537@suburbia.net>
MIME-Version: 1.0
Content-Type: text
> -----BEGIN PGP SIGNED MESSAGE-----
>
> A Kerberos V4 session key is chosen by calling random() repeatedly.
> THe PRNG is seeded with srandom(time.tv_usec ^ time.tv_sec ^ p ^ n++),
> where p is a static integer set to getpid() ^ gethostid() on the first
> call and n is a static counter.
>
> Is there any entropy here??? Most, if not all, Kerberos servers run one
> time synchronization protocol or another, which reduces the entropy to a
> few bits at most.
>
> DEADBEAT <na5877@anon.penet.fi>
usec grainlessness typically doesn't approach anything like a usec on most
OS implimentations either.
--
+----------------------------------+-----------------------------------------+
|Julian Assange | "if you think the United States has |
|FAX: +61-3-9819-9066 | stood still, who built the largest |
|EMAIL: proff@suburbia.net | shopping centre in the world?" - Nixon |
+----------------------------------+-----------------------------------------+
Thread
Return to February 1996
- Return to “an5877@anon.penet.fi (deadbeat)”
Return to “Julian Assange <proff@suburbia.net>”
- 1996-02-21 (Wed, 21 Feb 1996 16:42:51 +0800) - Kerberos vulnerability - an5877@anon.penet.fi (deadbeat)
- 1996-02-22 (Wed, 21 Feb 96 22:07:59 PST) - Re: Kerberos vulnerability - Julian Assange <proff@suburbia.net>