CPRNGs are still an issue.

Jack Lloyd lloyd at randombit.net
Fri Dec 5 16:00:01 EST 2008

On Fri, Nov 28, 2008 at 12:49:27PM -0500, Perry E. Metzger wrote:
> As it turns out, cryptographic pseudorandom number generators continue
> to be a good place to look for security vulnerabilities -- see the
> enclosed FreeBSD security advisory.
> The more things change, the more they stay the same...

I think the situation is even worse outside of the major projects (the
OS kernels' crypto implementations and the main crypto libraries). I
think outside of those, nobody is even really looking. For instance -

This afternoon I took a look at a C++ library called JUCE which offers
(among a pile of other things) RSA and Blowfish. However it turns out
that all of the RSA keys are generated with an LCRNG (lrand48,
basically) seeded with the time in milliseconds.

Also I found GNU Classpath has a PRNG that does something similar,
though at least it has the decency to use SHA-1 instead of an LCRNG.
Unfortunately this is the same PRNG class that is used to generate
RSA/DSA private keys and DSA's k values, and it is not even possible
(AFAICT) for an application developer to add additional seed data in.

These are trivially obvious mistakes that have been known (at least in
the security community, though clearly not everywhere) for a decade
plus, at least since Goldberg and Wagner broke Netscape, and, like
classic buffer overflows and SQL injection, new code making the same
mistakes keeps getting written.


The Cryptography Mailing List
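The weak pattern described above, shown beside its hardened form, as an added example that is not code from the post, JUCE or GNU Classpath. The generator is a re-implementation of the lrand48 recurrence (48-bit LCG, multiplier 0x5DEECE66D, increment 0xB, output bits 47..17) so it runs without platform headers; `weak_fill`, `strong_fill` and `lcrng_t` are names assumed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* lrand48-style generator: X' = (0x5DEECE66D * X + 0xB) mod 2^48,
   output is the top 31 bits of the state. */
typedef struct { uint64_t state; } lcrng_t;

static void lcrng_seed(lcrng_t *g, uint32_t seed)
{
    /* srand48() puts the 32-bit seed in the high bits and fixes the low 16. */
    g->state = ((uint64_t)seed << 16) | 0x330E;
}

static uint32_t lcrng_next(lcrng_t *g)
{
    g->state = (0x5DEECE66DULL * g->state + 0xBULL) & 0xFFFFFFFFFFFFULL;
    return (uint32_t)(g->state >> 17);
}

/* Weak pattern: all "random" key material is a deterministic function of
   one 32-bit millisecond timestamp, so anything built from it (an RSA prime
   search, a DSA k value) is reproducible from that single value. */
void weak_fill(uint8_t *buf, size_t len, uint32_t time_ms)
{
    lcrng_t g;
    lcrng_seed(&g, time_ms);
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(lcrng_next(&g) & 0xFF);
}

/* Hardened replacement: take bytes from the kernel CSPRNG instead of
   deriving them from the clock. Returns 0 on success, -1 on failure. */
int strong_fill(uint8_t *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}
```

A library test that calls the key-material generator twice with the same clock value and checks that the outputs differ would have caught this pattern in review.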