From dawagner@phoenix.princeton.edu Sun Mar 26 19:44:55 EST 1995
Article: 33636 of sci.crypt
Newsgroups: sci.crypt
Path: princeton!phoenix.princeton.edu!dawagner
From: dawagner@phoenix.princeton.edu (David A. Wagner)
Subject: Re: Is Netscape's RSA Implementation really secure?
Message-ID: <1995Mar27.003647.1340@Princeton.EDU>
Originator: news@hedgehog.Princeton.EDU
Keywords: netscape rsa encryption
Sender: news@Princeton.EDU (USENET News System)
Nntp-Posting-Host: phoenix.princeton.edu
Organization: Princeton University
References:
Date: Mon, 27 Mar 1995 00:36:47 GMT
Lines: 44

In article , Maynard H. Evans wrote:
>
> Has anyone besides myself questioned how "secure" Netscape's SSL
> (Secure Socket Layer) really is?
>

I grabbed the SSLRef sources a while ago, but I only gave it a cursory
glance, so I don't know much..

The one thing I did notice was that Netscape's method for generating
random numbers [including random session keys, challenges, nonces, ...]
was really poor: (1) as I recall, the PRNG was seeded with only 20 or 30
bits of entropy, and (2) the PRNG was just random() [or maybe some other
really weak non-crypto-strength PRNG -- this is just from memory].

This is kinda troublesome -- anyone with a bit of experience in crypto
coding really shouldn't make this mistake, right? On the other hand,
maybe it was just an oversight. When I warned them of the potential
problem, the Netscape people *did* respond quickly to my email and were
very willing to try to do things the right way. That's a good sign.

Before you use SSL, you should check that they've fixed the randomness
problem.

You should also probably check on the key lengths they use. I have no
idea what length RSA keys they were using -- it should be 512 bit keys at
the minimum. I think they're using 40 bit RC4 keys for session
encryption. RC4 is an untested algorithm, and 40 bit keys are short
enough to worry a little right now, and way too short to stand up well
for the next decade or so.

I'd also check how they do public key management -- they've got some
kind of certificate system, but I don't know how that part works, and
that part is easy to screw up.

So anyhow, [from what little I've seen] I'd consider the SSL stuff to be
an early release which has lots of potential, but may or may not have
gotten everything right quite yet...

-------------------------------------------------------------------------------
David Wagner                                             dawagner@princeton.edu
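The post's central point is that a PRNG seeded with only 20 or 30 bits of entropy makes every value drawn from it, session keys included, recoverable by exhaustive search over the seed, no matter how long the key is. The following program, added here as an editorial illustration and not taken from the post, from SSLRef or from any Netscape code, shows the attack on a constructed toy: a small linear congruential generator standing in for random(), a 20-bit seed, and a made-up handshake in which a 16-byte challenge is sent in the clear and a 16-byte session key is drawn from the same stream. The generator constants, the seed width, the 16-byte challenge and key sizes and the handshake layout are all assumptions for the example. An attacker who sees only the challenge walks all 2^20 seeds, finds the one that reproduces it, and reads off the key.

```c
/* Editorial example, not code from the post, SSLRef or Netscape.
 * Shows why a ~20-bit PRNG seed is fatal regardless of session-key length.
 * All sizes, constants and the handshake layout below are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SEED_BITS  20    /* assumed entropy in the seed material */
#define CHAL_BYTES 16    /* "challenge" sent in the clear during the handshake */
#define KEY_BYTES  16    /* 128-bit "session key": long, but derived from 20 bits */

/* Toy linear congruential generator standing in for random()/rand().
 * The constants are the classic ANSI C rand() ones (a = 1103515245,
 * c = 12345, modulus 2^31); this is a well-known non-cryptographic PRNG. */
typedef struct { uint32_t state; } weak_prng;

static void weak_seed(weak_prng *g, uint32_t seed) { g->state = seed; }

static uint8_t weak_byte(weak_prng *g) {
    g->state = (g->state * 1103515245u + 12345u) & 0x7fffffffu;
    return (uint8_t)(g->state >> 16);     /* hand out bits 16..23 of the state */
}

/* Server side (constructed): reduce the seed material to SEED_BITS bits,
 * then draw the public challenge and the secret key from one PRNG stream. */
static void server_handshake(uint32_t seed_material,
                             uint8_t challenge[CHAL_BYTES],
                             uint8_t key[KEY_BYTES]) {
    weak_prng g;
    weak_seed(&g, seed_material & ((1u << SEED_BITS) - 1));
    for (int i = 0; i < CHAL_BYTES; i++) challenge[i] = weak_byte(&g);
    for (int i = 0; i < KEY_BYTES;  i++) key[i]       = weak_byte(&g);
}

/* Attacker side: knowing only the cleartext challenge, replay the server's
 * key-generation logic under every candidate seed until the challenge
 * matches; the key then falls out of the same stream.
 * Returns 1 and fills key_out/seed_out on success, 0 if no seed matches. */
static int recover_key(const uint8_t challenge[CHAL_BYTES],
                       uint8_t key_out[KEY_BYTES], uint32_t *seed_out) {
    uint8_t chal[CHAL_BYTES], key[KEY_BYTES];
    for (uint32_t s = 0; s < (1u << SEED_BITS); s++) {
        server_handshake(s, chal, key);
        if (memcmp(chal, challenge, CHAL_BYTES) == 0) {
            memcpy(key_out, key, KEY_BYTES);
            *seed_out = s;
            return 1;
        }
    }
    return 0;
}

/* Run one full scenario: the server seeds from true_seed (standing in for
 * its low-entropy seed material), the attacker sees only the challenge.
 * Returns 1 if the attacker recovers exactly the server's key and seed. */
static int demo(uint32_t true_seed, double *seconds) {
    uint8_t chal[CHAL_BYTES], key[KEY_BYTES], found_key[KEY_BYTES];
    uint32_t found_seed = 0;
    server_handshake(true_seed, chal, key);

    clock_t t0 = clock();
    int ok = recover_key(chal, found_key, &found_seed);
    if (seconds) *seconds = (double)(clock() - t0) / CLOCKS_PER_SEC;

    return ok
        && memcmp(key, found_key, KEY_BYTES) == 0
        && found_seed == (true_seed & ((1u << SEED_BITS) - 1));
}

int main(void) {
    double secs = 0.0;
    uint32_t seed = 0x9abcd;              /* arbitrary 20-bit seed for the demo */
    int ok = demo(seed, &secs);
    printf("session key recovered: %s (searched 2^%d seeds in %.3f s)\n",
           ok ? "yes" : "no", SEED_BITS, secs);
    return ok ? 0 : 1;
}
```

The search over 2^20 seeds finishes in a fraction of a second on any machine, and the cost does not grow with the key length: widening the key to 128 or 256 bits changes nothing because the key is a deterministic function of the seed. The fix is not a longer key but a seed with enough entropy (well over 100 bits gathered from sources an attacker cannot observe) fed into a generator designed for cryptographic use, so that the challenge reveals nothing about the key.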