[Cryptography] Derive IV from time in ticks.

Phillip Hallam-Baker phill at hallambaker.com
Mon Feb 6 23:46:49 EST 2023


On Mon, Feb 6, 2023 at 7:49 PM John Gilmore <gnu at toad.com> wrote:

> Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> > Hence my interest in using ticks.
>
> Ticks are easy for an attacker to predict (use of this and the PID was
> how the Berkeley undergrad cypherpunks broke the RNG in the original
> Netscape browser).  See:
>

The timer function is being used as a salt into the KDF so it is not secret
in any way.

I am aware of the Netscape issue which is a hell of a lot more
embarrassing for them than they admitted at the time since immediately
after the MIT meeting when SSL/1.0 was broken, Alan Schiffman expressed
concerns that the RNG they were using was bjorked. After a series of email
exchanges, I finally got Kipp and Marc to understand that 40 bits of
ergodicity into MD5 means 40 bits of ergodicity out of MD5. So they asked
me to send them the design notes for mine.

Immediately after the Berkeley paper came out, I asked Taher what was up
and he said they didn't understand what had happened because the RNG was
the first thing they looked at and the 9 pages of design notes looked
really solid...

Ooops.