Bugtraq mailing list archives

Re: VNC authentication weakness

From: Nate Lawson <nate () cryptography com>
Date: Mon, 29 Jul 2002 15:13:25 -0700

At 02:16 AM 7/28/2002 -0600, Theo de Raadt wrote:

> Does anyone have a better solution that doesn't involve calling
> entropy-gathering routines from all over the program or running a
> continuous entropy-gathering thread?  Are there any big problems in
> this solution, other than that it only has (by my pessimistic
> estimates) about 28 bits of entropy if my "thousandlists" trick isn't
> really very effective?  28 bits is probably sufficient for my
> purposes.  Is there some much simpler solution I could have more
> confidence in?

Yes.

OpenBSD has /dev/arandom, kernel arc4random(), and libc arc4random(3)
which load a chunk from the real random pool when needed, persistantly
permit reuse of that pool without having to rely on new entropy, and
automatically reseeds that pool when we perceive that the quality of
it may be dropping.  This type of pool is ideal for use as chaff,
random ids, etc.

It's the right solution for the problem you (and many others) face:
Where is a very cheap source of fairly strong random data that does
not deplete the critical resource of very strong random in the kernel
pool.

To be more specific, there are two things you need in a challengevalue: uniqueness and unpredictability. Lack of uniqueness allows anattacker to replay a past response to a future challenge. Predictabilityallows an attacker to pre-fetch a correct future response from one of theparties.

A counter provides perfect uniqueness (up to its maximum range) but easypredictability. A physical random source provides great unpredictabilitybut only statistical uniqueness (again based on its maximum range ofvalues). In between is a PRNG seeded with a strong random source --statistically unique (based on its range minus any biases in the generator)and unpredictable but leaks information about the seed with eachoutput. To get around these limitations, implementers either reseedperiodically (as Theo suggests) or put a limit on the number of challengesthat can be output (say if the seed is fixed at manufacture and no physicalrandom source is available). The latter is open to a DoS attack but can beacceptable in some environments.

Please note that these are general observations, not an endorsement of aparticular system.


-Nate

Current thread:

Re: VNC authentication weakness, (continued)
- Re: VNC authentication weakness Jack Lloyd (Jul 25)
  - Re: VNC authentication weakness Constantin Kaplinsky (Jul 26)
- Re: VNC authentication weakness Andreas Beck (Jul 25)
  - Re: VNC authentication weakness David Wagner (Jul 25)
    - Re: VNC authentication weakness Mitch Adair (Jul 26)
    - Re: VNC authentication weakness Jose Nazario (Jul 26)
    - Re: VNC authentication weakness Ariel Waissbein (Jul 27)
- RE: VNC authentication weakness Andrew van der Stock (Jul 26)
- Re: VNC authentication weakness Kragen Sitaker (Jul 28)
  - Re: VNC authentication weakness Theo de Raadt (Jul 29)
    - Re: VNC authentication weakness Nate Lawson (Jul 29)
    - Re: VNC authentication weakness Mike Porter (Jul 30)
  - Re: VNC authentication weakness David Wagner (Jul 29)
    - Re: VNC authentication weakness David Malone (Jul 30)