| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ilu4q7x5t0n.fsf@latte.josefsson.org>
Date: Tue Oct 4 14:35:08 2005
From: jas at extundo.com (Simon Josefsson)
Subject: Re: SecureW2 TLS security problem
Tom Rixom of Alfa & Ariss swiftly responded to this, and they have now
released a new version, available from:
http://www.securew2.com/uk/download/
A brief inspection reveal that it uses CryptGenRandom from Microsoft
Enhanced CSP, documented as follows in:
http://csrc.nist.gov/cryptval/140-1/140sp/140sp238.pdf
The CryptGenRandom function fills a buffer with random bytes. The
random number generation algorithm is the SHS based RNG from FIPS
186. During the function initialization, a seed, to which SHA-1 is
applied to create the output random, is created based on the
collection of all the data listed in the Miscellaneous section.
The source code of that function isn't available, as far as I know, so
the trust of the PMS random numbers in SecureW2 now lie in Microsoft
instead of the known weak srand seeded by local time. It is difficult
to see how that would be worse than before, though.
FYI, the "Miscellaneous section" of the document contain the
following:
The Collection of Data Used to Create a Seed for Random Number
To create a seed for its random number generator, RSAENH
concatenates many different source of information. Each piece of
information is concatenated together, and the resulting byte stream
is hashed with SHA-1 to produce a 20-byte seed value that is used
in generating random numbers (according to FIPS 186-2 appendix 3.1
with SHA-1 as the G function).
? The process ID of the current process requesting random data
? The thread ID of the current thread within the process requesting random data
? A 32bit tick count since the system boot
? The current local date and time
? The current system time of day information consisting of the boot time, current time, time zone
...
plus many more sources.
I wonder if anybody has quantified the amount of entropy that could
realistically be extracted from the mentioned sources.
Regards,
Simon
Simon Josefsson <jas@...undo.com> writes:
> Hi everyone! I was looking at the code for a TLS implementation, an
> open source implementation "SecureW2" by Alfa & Ariss, see:
>
> http://www.securew2.com/uk/index.htm
>
> I found that it uses weak random numbers when generating the
> pre-master-secret. The code is in "./Components/Common/release
> 3/version 0/source/CommonTLS.c" and quoted below.
>
> It appear to be using the weak srand/rand functions seeded by the
> milliseconds field from the system clock. That doesn't provide you
> with 48 bytes of strong randomness, you are lucky to get even a few
> bytes.
>
> Regards,
> Simon
>
> //
> // Name: TLSGenPMS
> // Description: Generate the 48 random bytes for the PMS (Pre Master Secret)
> // Author: Tom Rixom
> // Created: 17 December 2002
> //
> DWORD
> TLSGenPMS( IN OUT BYTE pbPMS[TLS_PMS_SIZE] )
> {
> int i = 0;
> SYSTEMTIME SystemTime;
> DWORD dwRet;
>
> dwRet = NO_ERROR;
>
> AA_TRACE( ( TEXT( "TLSGenPMS" ) ) );
>
> pbPMS[0] = 0x03;
> pbPMS[1] = 0x01;
>
> //
> // Time (DWORD)
> //
> GetLocalTime( &SystemTime );
>
> srand( ( unsigned int ) SystemTime.wMilliseconds );
>
> //srand( ( unsigned )time( NULL ) );
>
> //
> // Random bytes
> //
> for( i=2; i < TLS_PMS_SIZE; i++ )
> pbPMS[i] = ( BYTE ) ( rand() % 255 );
>
> AA_TRACE( ( TEXT( "TLSGenPMS::random bytes: %s" ), AA_ByteToHex( pbPMS, TLS_PMS_SIZE ) ) );
>
> return dwRet;
> }
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists