Re: SecureW2 TLS security problem

[Simon Josefsson <jas () extundo com>]

Tom Rixom of Alfa & Ariss swiftly responded to this, and they have now
released a new version, available from:

http://www.securew2.com/uk/download/

A brief inspection reveal that it uses CryptGenRandom from Microsoft
Enhanced CSP, documented as follows in:

http://csrc.nist.gov/cryptval/140-1/140sp/140sp238.pdf

   The CryptGenRandom function fills a buffer with random bytes. The
   random number generation algorithm is the SHS based RNG from FIPS
   186. During the function initialization, a seed, to which SHA-1 is
   applied to create the output random, is created based on the
   collection of all the data listed in the Miscellaneous section.

The source code of that function isn't available, as far as I know, so
the trust of the PMS random numbers in SecureW2 now lie in Microsoft
instead of the known weak srand seeded by local time.  It is difficult
to see how that would be worse than before, though.

FYI, the "Miscellaneous section" of the document contain the
following:

   The Collection of Data Used to Create a Seed for Random Number

   To create a seed for its random number generator, RSAENH
   concatenates many different source of information. Each piece of
   information is concatenated together, and the resulting byte stream
   is hashed with SHA-1 to produce a 20-byte seed value that is used
   in generating random numbers (according to FIPS 186-2 appendix 3.1
   with SHA-1 as the G function).

   • The process ID of the current process requesting random data
   • The thread ID of the current thread within the process requesting random data
   • A 32bit tick count since the system boot
   • The current local date and time
   • The current system time of day information consisting of the boot time, current time, time zone
...
plus many more sources.

I wonder if anybody has quantified the amount of entropy that could
realistically be extracted from the mentioned sources.

Regards,
Simon

Simon Josefsson <jas () extundo com> writes:

> Hi everyone!  I was looking at the code for a TLS implementation, an
> open source implementation "SecureW2" by Alfa & Ariss, see:
>
> http://www.securew2.com/uk/index.htm
>
> I found that it uses weak random numbers when generating the
> pre-master-secret.  The code is in "./Components/Common/release
> 3/version 0/source/CommonTLS.c" and quoted below.
>
> It appear to be using the weak srand/rand functions seeded by the
> milliseconds field from the system clock.  That doesn't provide you
> with 48 bytes of strong randomness, you are lucky to get even a few
> bytes.
>
> Regards,
> Simon
>
> //
> // Name: TLSGenPMS
> // Description: Generate the 48 random bytes for the PMS (Pre Master Secret)
> // Author: Tom Rixom
> // Created: 17 December 2002
> //
> DWORD
> TLSGenPMS( IN OUT BYTE pbPMS[TLS_PMS_SIZE] )
> {
>         int                             i = 0;
>         SYSTEMTIME              SystemTime;
>         DWORD                   dwRet;
>
>         dwRet = NO_ERROR;
>
>         AA_TRACE( ( TEXT( "TLSGenPMS" ) ) );
>
>         pbPMS[0] = 0x03;
>         pbPMS[1] = 0x01;
>
>         //
>         // Time (DWORD)
>         //
>         GetLocalTime( &SystemTime );
>
>         srand( ( unsigned int ) SystemTime.wMilliseconds );
>
>         //srand( ( unsigned )time( NULL ) );
>
>         //
>         // Random bytes
>         //
>         for( i=2; i < TLS_PMS_SIZE; i++ )
>                 pbPMS[i] = ( BYTE ) ( rand() % 255 );
>
>         AA_TRACE( ( TEXT( "TLSGenPMS::random bytes: %s" ), AA_ByteToHex( pbPMS, TLS_PMS_SIZE ) ) );
>
>         return dwRet;
> }
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/