TBTF for 1995-09-20: The men who broke the bank at Netscape

Keith Dawson (dawson dot tbtf at gmail dot com)
Wed, 20 Sep 95 8:34:47 EDT



A quickie from the road. I'm in New York at the Unix Expo show at the wrong
end of a 14.4 Kbaud pipe, so no digital signature this time.

If you recall, a couple of weeks ago a French researcher broke the 40-bit,
RSA-based encryption used by Netscape in its secure client-server
transactions. It was a theoretical victory, because the cracker used on the
order of 10**5 MIPS-years of computer power in a brute-force attack to decode
a single message; the way the encryption is implemented, every transaction
uses a new randomly generated session key.

Now two computer science grad students at UC Berkeley have broken Netscape
for real. Using publicly available programmer's documentation, they made
some deductions about the way Netscape generates the random seed for each
session key, greatly reducing the solution space they needed to check in
order to crack a message. They were able to decode a message in under a
minute of computer time -- achieving something like a factor of 10**10
greater efficiency than the brute-force solution. Ian Goldberg and David
Wagner announced their accomplishment on the Cypherpunks newsgroup Sunday
evening 9/17; the New York Times broke the story Tuesday morning 9/19.

Current versions of Netscape, 1.1 and 1.1N, thus are vulnerable to a
determined cryptographic attack. It turns out that Netscape was using a
timestamp and some other pieces of easily obtained information (on Unix
systems, the running program's process ID and parent process ID) to construct
a 30-bit seed on the way to generating a 40-bit session key. Netscape has
promised to fix the flaw and to release new versions of their currently
shipping Netscape Navigator browsers (and presumably also of their secure
servers). The security flaw is also present in early beta versions of
Netscape's new browser release, 2.0, and it will need to be fixed there too.
The fix is said to involve a new algorithm with a 300-bit random seed.
Netscape has been consulting with RSA Data Security on the fix, something
they did not do before releasing the flawed implementation.
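
The seed problem described above, as an added illustration that is not part
of the original newsletter and is not Netscape's code: a toy Python model in
which a 40-bit key is derived only from a timestamp, PID and PPID, so its real
strength is the size of the guessable seed space. The derivation (SHA-256 over
a formatted string), the function names and the sample values are assumptions
made for the example; it assumes the second, PID and PPID are already known,
leaving only the microsecond field unknown.

```python
import hashlib
import math
import secrets

KEY_BYTES = 5  # 40-bit session key, as in the newsletter


def derive_key(sec, usec, pid, ppid):
    """Toy derivation (assumed, not Netscape's): key depends only on guessable inputs."""
    seed = f"{sec}:{usec}:{pid}:{ppid}".encode()
    return hashlib.sha256(seed).digest()[:KEY_BYTES]


def effective_bits(candidates):
    """Bits of work needed to enumerate `candidates` equally likely seeds."""
    return math.log2(candidates)


def recover_usec(key, sec, pid, ppid):
    """Enumerate the only unknown seed input (microseconds) until the key matches."""
    for usec in range(1_000_000):
        if derive_key(sec, usec, pid, ppid) == key:
            return usec
    return None


def strong_key():
    """Contrast: key material drawn from the OS CSPRNG, not from the clock or PIDs."""
    return secrets.token_bytes(KEY_BYTES)


if __name__ == "__main__":
    # Constructed sample values, chosen for the example.
    sec, usec, pid, ppid = 811_600_487, 483_911, 1432, 1
    key = derive_key(sec, usec, pid, ppid)
    print("nominal key size:  40 bits")
    print(f"effective search:  {effective_bits(1_000_000):.1f} bits")
    print("recovered usec:   ", recover_usec(key, sec, pid, ppid))
    print("CSPRNG key:       ", strong_key().hex())
```

The nominal key length stays at 40 bits in both cases; what changes is how
many seeds can actually produce it.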

What does it all mean? Two smart guys have proved that online transactions
were less secure than claimed, and the problem is getting fixed. But surely
online transactions never were less secure than the common practice of
reading out your credit-card number to a stranger over the phone, or punching
in your PIN at an outdoor ATM machine. The world will not end just yet.

For Netscape's press release about these events see http://home.netscape.com/newsref/std/random_seed_security.html.


TBTF alerts you twice a week to bellwethers in computer and communications
technology, with special attention to commerce on the Internet. See the
archive at <http://www.tbtf.com/>. To subscribe send the
message "subscribe" to tbtf-request@world.std.com.
______________________________________________________
Keith Dawson dawson dot tbtf at gmail dot com dawson@atria.com
Layer of ash separates morning and evening milk.