On Fri, Nov 28, 2008 at 12:49:27PM -0500, Perry E. Metzger wrote: > > As it turns out, cryptographic pseudorandom number generators continue > to be a good place to look for security vulnerabilities -- see the > enclosed FreeBSD security advisory. > > The more things change, the more they stay the same...
I think the situation is even worse outside of the major projects (the OS kernels crypto implementations and the main crypto libraries). I think outside of those, nobody is even really looking. For instance - This afternoon I took a look at a C++ library called JUCE which offers (among a pile of other things) RSA and Blowfish. However it turns out that all of the RSA keys are generated with an LCRNG (lrand48, basically) seeded with the time in milliseconds. http://www.randombit.net/bitbashing/security/juce_rng_vulnerability.html Also I found GNU Classpath has a PRNG that does something similiar, though at least it has the decency to use SHA-1 instead of an LCRNG. Unfortunately this is the same PRNG class that is used to generate RSA/DSA private keys and DSA's k values, and it is not even possible (AFAICT) for an application developer to add additional seed data in. http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417 These are trivially obvious mistakes that have been known (at least in the security community, though clearly not everywhere) for a decade plus, at least since Goldberg and Wagner broke Netscape, and, like classic buffer overflows and SQL injection, new code making the same mistakes keeps getting written. -Jack --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
