From: Jeff Weinstein <jsw@netscape.com>
To: pgut001@cs.auckland.ac.nz
Message Hash: fa0541b4ba1659aea11be34748ab595525834e70ab8cde04df26c4a0c756d51a
Message ID: <3249833B.3EEE@netscape.com>
Reply To: <84366802803808@cs26.cs.auckland.ac.nz>
UTC Datetime: 1996-09-25 22:44:10 UTC
Raw Date: Thu, 26 Sep 1996 06:44:10 +0800
From: Jeff Weinstein <jsw@netscape.com>
Date: Thu, 26 Sep 1996 06:44:10 +0800
To: pgut001@cs.auckland.ac.nz
Subject: Re: [Long] How to break Netscape's server key encryption
In-Reply-To: <84366802803808@cs26.cs.auckland.ac.nz>
Message-ID: <3249833B.3EEE@netscape.com>
MIME-Version: 1.0
Content-Type: text/plain
pgut001@cs.auckland.ac.nz wrote:
>
> The Netscape server key format is very susceptible to both a dictionary attack
> and to keystream recovery. It uses the PKCS #8 format for private keys, which
> provides a large amount of known plaintext at the start of the data, in
> combination with RC4 without any form of IV or other preprocessing (even though
> PKCS #8 recommends that PKCS #5 password-based encryption be used), which means
> you can recover the first 100-odd bytes of key stream with a simple XOR (the
> same stupid mistake Microsoft made with their .PWL files). This means two
> things:
>
> 1. It's very simple to write a program to perform a dictionary attack on the
> server key (it took me about half an hour using cryptlib, and another half
> hour to rip the appropriate code out of cryptlib to create a standalone
> program).
>
> 2. The recovered key stream from the encrypted server key can be used to
> decrypt any other resource encrypted with the server password, *without
> knowing the password*. This is because there's enough known plaintext
> (ASN.1 objects, object identifiers, and public key components) at the start
> of the encrypted data to recover large quantities of key stream.
Peter,
The attack you describe is indeed possible with the Netscape Commerce Server
1.x. However current Netscape products, such as Navigator, Enterprise Server,
and FastTrack Server, have improved private key encryption that prevents
these types of attacks. Note that the old key handling code is of the
same vintage as the random number seed code that was shown to be weak last
year (from before I got here). I recognized this particular problem
quite some time ago, and fixed all of the products that were then in
development.
If someone is running the old Commerce Server, and is not confident
that the file system of their server machine can not be accessed by
attackers, I would recommend that they upgrade to the FastTrack or
Enterprise servers.
--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
Return to September 1996
Return to “pgut001@cs.auckland.ac.nz”