oss-sec mailing list archives
Re: CVE for crypto_get_random() from libsrtp
From: Michael Samuel <mik () miknet net>
Date: Fri, 21 Aug 2015 12:58:11 +1000
Hi, On 11 August 2015 at 17:51, Adam Maris <amaris () redhat com> wrote:
The weakest method it provides uses no encryption at all, just HMAC-SHA1 with 80 bit authentication tag: http://srtp.sourcearchive.com/documentation/1.4.2.dfsg/group__SRTP_g94d0056e812802ac2920aa474bc5b59b.html
That's only for SRTP packets - the PRNG itself seems not obviously broken (again - unless it's used by multiple threads). Regards, Michael
Current thread:
- CVE for crypto_get_random() from libsrtp Adam Maris (Jul 31)
- Re: CVE for crypto_get_random() from libsrtp Scott Arciszewski (Jul 31)
- Re: CVE for crypto_get_random() from libsrtp Michael Samuel (Aug 01)
- Re: CVE for crypto_get_random() from libsrtp Adam Maris (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Jeremy Stanley (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Adam Maris (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Jeremy Stanley (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Adam Maris (Aug 11)
- Re: CVE for crypto_get_random() from libsrtp Michael Samuel (Aug 20)