Full Disclosure mailing list archives
Re: SecureW2 TLS security problem
From: Simon Josefsson <jas () extundo com>
Date: Tue, 04 Oct 2005 15:08:40 +0200
Tom Rixom of Alfa & Ariss swiftly responded to this, and they have now released a new version, available from:

http://www.securew2.com/uk/download/

A brief inspection reveals that it uses CryptGenRandom from Microsoft Enhanced CSP, documented as follows in:

http://csrc.nist.gov/cryptval/140-1/140sp/140sp238.pdf

   The CryptGenRandom function fills a buffer with random bytes. The
   random number generation algorithm is the SHS based RNG from FIPS
   186. During the function initialization, a seed, to which SHA-1 is
   applied to create the output random, is created based on the
   collection of all the data listed in the Miscellaneous section.

The source code of that function isn't available, as far as I know, so the trust of the PMS random numbers in SecureW2 now lies in Microsoft instead of the known weak srand seeded by local time. It is difficult to see how that would be worse than before, though.

FYI, the "Miscellaneous section" of the document contains the following:

   The Collection of Data Used to Create a Seed for Random Number

   To create a seed for its random number generator, RSAENH
   concatenates many different sources of information. Each piece of
   information is concatenated together, and the resulting byte stream
   is hashed with SHA-1 to produce a 20-byte seed value that is used in
   generating random numbers (according to FIPS 186-2 appendix 3.1 with
   SHA-1 as the G function).

   • The process ID of the current process requesting random data
   • The thread ID of the current thread within the process requesting random data
   • A 32bit tick count since the system boot
   • The current local date and time
   • The current system time of day information consisting of the boot time, current time, time zone

... plus many more sources.

I wonder if anybody has quantified the amount of entropy that could realistically be extracted from the mentioned sources.

Regards,
Simon

Simon Josefsson <jas () extundo com> writes:
Hi everyone!

I was looking at the code for a TLS implementation, an open source implementation "SecureW2" by Alfa & Ariss, see:

http://www.securew2.com/uk/index.htm

I found that it uses weak random numbers when generating the pre-master-secret. The code is in "./Components/Common/release 3/version 0/source/CommonTLS.c" and quoted below. It appears to be using the weak srand/rand functions seeded by the milliseconds field from the system clock. That doesn't provide you with 48 bytes of strong randomness; you are lucky to get even a few bytes.

Regards,
Simon

//
// Name: TLSGenPMS
// Description: Generate the 48 random bytes for the PMS (Pre Master Secret)
// Author: Tom Rixom
// Created: 17 December 2002
//
DWORD
TLSGenPMS( IN OUT BYTE pbPMS[TLS_PMS_SIZE] )
{
    int         i = 0;
    SYSTEMTIME  SystemTime;
    DWORD       dwRet;

    dwRet = NO_ERROR;

    AA_TRACE( ( TEXT( "TLSGenPMS" ) ) );

    pbPMS[0] = 0x03;
    pbPMS[1] = 0x01;

    //
    // Time (DWORD)
    //
    GetLocalTime( &SystemTime );
    srand( ( unsigned int ) SystemTime.wMilliseconds );
    //srand( ( unsigned )time( NULL ) );

    //
    // Random bytes
    //
    for( i=2; i < TLS_PMS_SIZE; i++ )
        pbPMS[i] = ( BYTE ) ( rand() % 255 );

    AA_TRACE( ( TEXT( "TLSGenPMS::random bytes: %s" ), AA_ByteToHex( pbPMS, TLS_PMS_SIZE ) ) );

    return dwRet;
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
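Added example (not code from the thread, from SecureW2 or from Alfa & Ariss): a C program that quantifies the point of the original report. It re-creates the structure of the flawed generator (version bytes 0x03 0x01, then rand() % 255) but takes the millisecond seed as a parameter instead of reading GetLocalTime(), so all 1000 possible seeds can be enumerated and the distinct PMS values counted. The host CRT rand() is assumed, not Microsoft's, which does not change the conclusion: 1000 seeds give at most 1000 PMS values, about 10 bits instead of the 368 bits that 46 random bytes should carry. The hardened variant reads /dev/urandom as the POSIX stand-in for the CryptGenRandom call the fixed release uses; that path is an assumption for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS_PMS_SIZE 48
#define MS_VALUES 1000          /* wMilliseconds ranges over 0..999 */

/* Constructed analogue of the flawed TLSGenPMS from the thread: same layout
 * and same rand() % 255 loop, but the seed is passed in so it can be
 * enumerated. The CRT rand() is the host's, not Microsoft's. */
void weak_gen_pms(unsigned ms, unsigned char pms[TLS_PMS_SIZE])
{
    pms[0] = 0x03;
    pms[1] = 0x01;
    srand(ms);
    for (int i = 2; i < TLS_PMS_SIZE; i++)
        pms[i] = (unsigned char)(rand() % 255);
}

/* Number of distinct PMS values the weak generator can ever produce. */
int count_distinct_weak_pms(void)
{
    static unsigned char seen[MS_VALUES][TLS_PMS_SIZE];
    int distinct = 0;
    for (unsigned ms = 0; ms < MS_VALUES; ms++) {
        unsigned char pms[TLS_PMS_SIZE];
        weak_gen_pms(ms, pms);
        int dup = 0;
        for (int j = 0; j < distinct && !dup; j++)
            dup = (memcmp(seen[j], pms, TLS_PMS_SIZE) == 0);
        if (!dup)
            memcpy(seen[distinct++], pms, TLS_PMS_SIZE);
    }
    return distinct;
}

/* Smallest b with 2^b >= number of distinct values: an upper bound on the
 * entropy of the weak PMS in bits (46 random bytes should give 368). */
int weak_pms_entropy_bits_ceil(void)
{
    int n = count_distinct_weak_pms(), bits = 0;
    while ((1 << bits) < n)
        bits++;
    return bits;
}

/* rand() % 255 only yields 0..254, so the byte 0xff never appears in the
 * random part of a weak PMS; a reviewer or a unit test can check for that. */
int weak_pms_ever_produces_0xff(void)
{
    for (unsigned ms = 0; ms < MS_VALUES; ms++) {
        unsigned char pms[TLS_PMS_SIZE];
        weak_gen_pms(ms, pms);
        for (int i = 2; i < TLS_PMS_SIZE; i++)
            if (pms[i] == 0xff)
                return 1;
    }
    return 0;
}

/* Hardened generator: 46 bytes from the OS CSPRNG. /dev/urandom is assumed
 * here as the POSIX stand-in for CryptGenRandom. Returns 0 on success,
 * -1 if the OS source is unavailable or short. */
int strong_gen_pms(unsigned char pms[TLS_PMS_SIZE])
{
    pms[0] = 0x03;
    pms[1] = 0x01;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(pms + 2, 1, TLS_PMS_SIZE - 2, f);
    fclose(f);
    return got == TLS_PMS_SIZE - 2 ? 0 : -1;
}

int main(void)
{
    printf("distinct weak PMS values: %d (at most %d bits of entropy, not 368)\n",
           count_distinct_weak_pms(), weak_pms_entropy_bits_ceil());
    printf("weak PMS ever contains 0xff: %s\n",
           weak_pms_ever_produces_0xff() ? "yes" : "no");
    unsigned char a[TLS_PMS_SIZE], b[TLS_PMS_SIZE];
    if (strong_gen_pms(a) == 0 && strong_gen_pms(b) == 0)
        printf("two strong PMS values identical: %s\n",
               memcmp(a, b, TLS_PMS_SIZE) == 0 ? "yes" : "no");
    return 0;
}
```

Build with a plain `cc -o pms pms.c` and run it. The distinct count may come out slightly below 1000 on some C libraries (glibc treats seed 0 and seed 1 the same), which only makes the bound tighter; the missing 0xff byte is a side effect of the `% 255` that is worth noting in a review even though it is not the main problem.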
Current thread:
- Re: SecureW2 TLS security problem Simon Josefsson (Oct 04)
- Re: Re: SecureW2 TLS security problem Valdis . Kletnieks (Oct 04)
- Re: Re: SecureW2 TLS security problem Yvan Boily (Oct 04)
- Re: SecureW2 TLS security problem Simon Josefsson (Oct 06)
- Re: Re: SecureW2 TLS security problem Yvan Boily (Oct 04)
- Re: Re: SecureW2 TLS security problem Valdis . Kletnieks (Oct 04)