Random seed -Reply

• To: elgamal@netscape.com
• Subject: Random seed -Reply
• From: Martin Taylor <m.taylor@ELSEVIER.CO.UK>
• Date: Tue, 26 Sep 1995 14:39:37 +0100
• Cc: www-security@ns2.rutgers.edu

Taher ElGamal <elgamal@netscape.com> wrote:
<.........>
>Enclosed is our proposal for addressing the need of finding more
>sources of random information in your system's environment.
<.........>
Just my twopence worth: have you examined the validity of these
sources in the light of the functionality provided by the Java language in
Netscape 2.0? I imagine that a number of the sources are readable by a
Java applet - you will be better able than I, I think, to gauge how this may
compromise them as "unknowns". The sort of attack I envisage would
involve a rogue applet mailing back the state of these items to a third
party. Is this possible in principle?
Re your query on PGP: the seed file is RANDSEED.BIN. Incidentally, I'm
sure you're aware that PGP relies mostly on key depressions for its
random input. I appreciate it would be difficult to do this to the same
degree in Netscape, but there might perhaps be scope for some analysis
of keyboard/mouse event timing at the start of a Netscape run.
Martin Taylor

• Previous: ANNOUNCE: Fourth W3C Security WG Meeting, October 10
• Next: re: Random seed
• Index(es):
  • Index
  • Thread