---------- Forwarded message ----------
Date: Mon, 25 Sep 1995 09:32:20 -0700
From: Taher ElGamal <elgamal@netscape.com>
To: www-security@ns2.rutgers.edu
Subject: Random seed

We are in the process of implementing the fix to our recently discovered security vulnerability. The fix is largely system dependent and we want to enlist the help of your best technical people to ensure that we're doing everything we can to fix the problem. Please forward the enclosed proposal to the appropriate technical people inside your company as soon as possible and urge them to respond as quickly as possible. We are moving to fix this very quickly in our software; the next 24 hours are critical and your feedback in that timeframe would be most appreciated. Please send all feedback to elgamal@netscape.com.

Thanks,

Please see ftp://ftp1.netscape.com/pub/review/RNGsrc.tar.Z for the source. Any feedback is welcome. Feel free to redistribute this message to anyone.

Enclosed is our proposal for addressing the need of finding more sources of random information in your system's environment. Netscape is available on Macs, Win-16 and Win-32 versions and 8 different UNIX platforms. The exact details for each platform are quite system specific. The basic idea is to feed a sequence of information into the MD5 hash, expecting that some of the bits for each sub-sequence would be unguessable.

At program start

On all platforms:

Start with the contents of the highest resolution clock we can find on the system. [For instance, an R4000 MIPS processor has a free-running instruction counter. At 100 MHz this gets incremented every 10 nano-seconds. There are probably a good 20 bits of unguessable value there.] On Macs there are "tick" counters that update 60 (or maybe only 16) times a second.

We then push through the time of day, because on some systems, the microsecond part of a time_val has some bits that are only guessable. On Windows systems, there is a 1.28 MHz clock that is updated every 0.8 microsec.

For the first 100 to 500 system events, the high frequency clock is recorded and fed into the hash function. This is done to generate enough unpredictable bits for an out-of-the-box experience, where the customer does not have enough unpredictability in the system info.

For UNIX we feed the following into the MD5 hash:

  ps (-el or aux depending upon system)
  netstat -ni & netstat -na
  the user's environment. (We will certainly use this as well in the 2.0 release. The truly paranoid will be able to run whatever seed generator they want and stick the result into their environment. How you protect your environment from attack is up to you. ;-)
  System specific info such as hardware serial number or system id.

If you have specific suggestions for any particular OS/hardware pair, please let me know.

For PCs

  Cursor position
  Global memory status
  FreeSpace
  Drive configuration
  Number of running tasks
  Environment strings
  UUIDCreate if there is an ethernet card
  Clipboard owner and contents
  Current process, processID and window
  Free clusters on the disk

For MACs:

  Machine location (longitude and latitude)
  User name
  Mouse location
  keyboard time threshold
  last key pressed
  audio volume
  current directory
  current process
  process information for every task on the system
  stack limits
  zones
  scrap sizes and counts
  event queue

And then on all platforms

The stat (file access, creation, modify times, size, inode equivalent) and contents of a number of "interesting" files. [Where is the PGP random number state file stored?]

A portion of the contents of the screen.

And finally, the contents of the highest resolution clock we can find.

Each time the client goes idle

Reinitialize the seed with the most recent user event (probably a button or key down) along with the mouse position, and relatively high resolution clocks.

Taher Elgamal  elgamal@netscape.com
Chief Scientist
Netscape Comm Corp., 501 E Middlefield Road, Mountain View Ca 94043.
(415) 528 2898 (Tel), (415) 528 4122 (Fax)
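The seeding scheme laid out in the forwarded memo, as an added example: this is not part of the message and not Netscape's code (the RNGsrc tarball is not reproduced here). It is a small Python seed pool that chains labelled samples through MD5 the way the memo describes, gathers the UNIX-side sources the memo names (high-resolution clock, time of day, ps, netstat, the environment, stat and contents of a file), and refreshes the state on idle. Every class and function name is the example's own. Two details are this example's design choices rather than the memo's: each sample is length-prefixed so different sample sequences cannot collide by re-splitting the same bytes, and the idle-time reseed chains the previous digest into the fresh hash so earlier samples keep contributing.

```python
"""Added example of an MD5-chained seed pool in the style of the 1995 memo.
Not Netscape code; all names here belong to the example."""
import hashlib
import os
import struct
import subprocess
import time


class SeedPool:
    """Accumulate samples from many environment sources into one MD5 state.

    Each sample is fed as  len(label) || label || len(data) || data.  The
    length prefixes are this example's choice: without them, ("x", b"12")
    and ("x", b"1"), ("x", b"2") would hash to the same seed.
    """

    def __init__(self):
        self._h = hashlib.md5()
        self._count = 0

    def feed(self, label, data):
        """Mix one labelled sample (bytes or str) into the state."""
        if isinstance(data, str):
            data = data.encode("utf-8", "surrogateescape")
        tag = label.encode("utf-8")
        self._h.update(struct.pack(">I", len(tag)) + tag)
        self._h.update(struct.pack(">I", len(data)) + data)
        self._count += 1
        return self

    def reseed(self, label, data):
        """Idle-time refresh: start a fresh MD5 primed with the previous
        digest, so the old samples still count, then mix the new event."""
        prev = self.digest()
        self._h = hashlib.md5()
        self._h.update(prev)
        return self.feed(label, data)

    def digest(self):
        return self._h.digest()  # 16 bytes of seed material

    @property
    def count(self):
        return self._count


def high_res_clock():
    """Highest-resolution clock Python exposes, as 8 big-endian bytes."""
    return struct.pack(">Q", time.perf_counter_ns())


def time_of_day():
    """Wall-clock time; the memo notes its sub-second bits are only partly guessable."""
    return struct.pack(">d", time.time())


def command_output(argv):
    """Output of a system tool such as ps or netstat, or b"" if it is unavailable."""
    try:
        return subprocess.run(argv, capture_output=True, timeout=5).stdout
    except (OSError, subprocess.SubprocessError):
        return b""


def file_sample(path, limit=4096):
    """stat() fields plus a bounded slice of an 'interesting' file's contents."""
    try:
        st = os.stat(path)
        with open(path, "rb") as f:
            body = f.read(limit)
    except OSError:
        return b""
    meta = struct.pack(">QQddd", st.st_size, st.st_ino,
                       st.st_atime, st.st_mtime, st.st_ctime)
    return meta + body


def collect_unix_samples(pool, interesting_files=("/etc/passwd",)):
    """Program-start collection for a UNIX host, in the memo's order:
    clock first, then time of day, ps, netstat, environment, files, clock last."""
    pool.feed("clock-start", high_res_clock())
    pool.feed("time-of-day", time_of_day())
    pool.feed("ps", command_output(["ps", "aux"]))
    pool.feed("netstat-ni", command_output(["netstat", "-ni"]))
    pool.feed("netstat-na", command_output(["netstat", "-na"]))
    for key in sorted(os.environ):          # sorted so the order is stable
        pool.feed("env:" + key, os.environ[key])
    pool.feed("pids", struct.pack(">II", os.getpid(), os.getppid()))
    for path in interesting_files:
        pool.feed("file:" + path, file_sample(path))
    pool.feed("clock-end", high_res_clock())
    return pool.digest()


def mix_samples(samples):
    """Deterministic helper: mix an explicit list of (label, data) pairs."""
    pool = SeedPool()
    for label, data in samples:
        pool.feed(label, data)
    return pool.digest()


def reseed_after_idle(pool, event_bytes, mouse_xy):
    """The memo's idle-time step: last user event, mouse position, fresh clock."""
    sample = event_bytes + struct.pack(">hh", *mouse_xy) + high_res_clock()
    return pool.reseed("idle-event", sample).digest()


if __name__ == "__main__":
    pool = SeedPool()
    seed = collect_unix_samples(pool)
    print(f"{pool.count} samples mixed, seed = {seed.hex()}")
    print("after idle:", reseed_after_idle(pool, b"keydown:a", (640, 480)).hex())
```

MD5 is kept only because the memo uses it as the mixing function; the construction does not depend on its collision resistance, but a present-day implementation would mix with SHA-256 and, more importantly, hand the collected material to the operating system's CSPRNG (os.urandom / getrandom) rather than drive its own generator from a 16-byte seed.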