Bugtraq mailing list archives
Re: Comments re ISC's announcement on bind9 security
From: Henrik Langos <hlangos-bugtraq () innominate com>
Date: Thu, 1 Nov 2007 13:17:40 +0100
Dear Shane,

I have no deep insight into the development of bind8/9, nor do I follow their security track record closely enough to judge any of your points regarding its security. I beg to differ on a point of terminology though.

On Wed, Oct 31, 2007 at 02:44:35PM +0100, Shane Kerr wrote:
> My own take on it is that "crypto" implies that information is hidden in some way.
The "information hidden in some way" is the next sequence number. Since you are using a PRNG in an open source application, there is no secret in the algorithm but only in the inner state of your PRNG, which is determined from its initial state and the number of rounds it has been going for. (simplifying a bit here)

If the claim is true that the next sequence number generated by the PRNG of bind9 can be guessed after seeing about a dozen of them, then the "hidden information" is revealed to an attacker. This to me seems to validate usage of the term "weak crypto".
> Not all security-related technology is cryptography. For instance, putting per-user limits on resources prevents certain kinds of denial-of-service attacks, but it is certainly not "crypto".
>
> Because a lot of techniques in cryptography require good random numbers, it has been widely studied by cryptographers. Therefore if you want a good pseudo-random number generator, it is probably a good idea to see what the state of the art in the cryptography field is. But random number generation is not "crypto" any more than using a series of bit shift and XOR operations is crypto.
You are right about the fact that not all security-related technology is cryptography. And you would even be right if you had said that not all random number generation is cryptography. If I had a device that generated true random numbers, I wouldn't call that device a "crypto" device.

But _pseudo_ random number generators used for _security purposes_ (and the sequence number is a security mechanism, right?) decidedly are crypto.

Best regards
-h.langos

--
Speaking for myself and myself only.
<Insert your favourite disclaimer here>
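The point about the inner state being the only secret, as an added example that is not part of the original message and is not BIND's code: a toy generator with public constants (the class, function names, constants and seed are all constructed assumptions) is checked for whether a dozen observed IDs determine its state, next to IDs drawn from the operating system's CSPRNG.

```python
import secrets

# Toy ID generator, constructed for illustration only (NOT BIND's algorithm):
# public LCG constants, 32-bit secret state, top 16 bits emitted as the ID.
A, C, M = 1103515245, 12345, 2**32

def step(state):
    return (A * state + C) % M

class ToyIdGenerator:
    def __init__(self, seed):
        self.state = seed % M          # the only secret is this inner state

    def next_id(self):
        self.state = step(self.state)
        return self.state >> 16        # 16-bit ID, low 16 bits stay hidden

def recover_state(observed):
    """Return the inner state after the last observed ID, or None if the
    IDs are not consistent with the toy generator."""
    first, rest = observed[0], observed[1:]
    for low in range(1 << 16):         # only 2**16 hidden bits to try
        state = (first << 16) | low
        for want in rest:
            state = step(state)
            if state >> 16 != want:
                break
        else:
            return state
    return None

def predict(observed, count):
    """Predict the next `count` IDs, or None if no state explains `observed`."""
    state = recover_state(observed)
    if state is None:
        return None
    out = []
    for _ in range(count):
        state = step(state)
        out.append(state >> 16)
    return out

if __name__ == "__main__":
    gen = ToyIdGenerator(seed=20071101)              # constructed seed
    seen = [gen.next_id() for _ in range(12)]        # "about a dozen"
    print("toy generator:", predict(seen, 3), [gen.next_id() for _ in range(3)])
    csprng_ids = [secrets.randbelow(1 << 16) for _ in range(12)]
    print("CSPRNG IDs   :", predict(csprng_ids, 3))  # no state explains them
```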