[Bug crypto/38417] New: gnu.java.security.util.PRNG produces easily predictable values

From: lloyd at randombit dot net
Subject: [Bug crypto/38417] New: gnu.java.security.util.PRNG produces easily predictable values
Date: 5 Dec 2008 20:28:45 -0000
The PRNG created in gnu.java.security.util.PRNG by PRNG.getInstance will by
default use only the time in milliseconds as the internal seed. This is easily
predictable.

The algorithm itself seems fine (though with some more or less theoretical
flaws, like the fact that it cannot recover from state compromise very well),
but the lack of seeding may be a problem. In particular I note that
g.j.s.u.PRNG is the PRNG class used by code including SRP, generating seed
values for FIPS 186-3 PRNG, the generators for RSA/DSA private keys, and
generating DSS signature k values (which is particularly relevant, since a
design artifact of the DSA algorithm is that if even a single k value along
with the associated signature is leaked or becomes known (or in this case, is
easily guessed), it is easy to derive the private key using simple algebra).

It seems the convention is for each class to instantiate its own PRNG. While
this is in some ways good (at least an attacker might have to guess multiple
timestamps), it also prevents the user from doing more thorough seeding (for
instance reading some bits from /dev/random) and feeding it into the PRNG.

I have written some proof of concept code that easily was able to replicate
values produced by the PRNG, using nothing other than knowing the current time and
searching outward from there. Since there are fewer than 2**35 millisecond
values in any particular year, it should not be too hard for an attacker to be
able to enumerate, for instance, all RSA keys that GNU classpath might possibly
have created in 2008.

I did testing with whatever version of classpath is included in GCC 4.3.2, but
0.97.2 looks unchanged in this regard.
--
Summary: gnu.java.security.util.PRNG produces easily predictable values
Product: classpath
Version: 0.97.2
Status: UNCONFIRMED
Severity: critical
Priority: P3
Component: crypto
AssignedTo: csm at gnu dot org
ReportedBy: lloyd at randombit dot net
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417
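The report's two points, that a generator whose only seed is the clock is reproducible from a small window of timestamps, and that callers cannot fold in better entropy, can be turned into a regression check a maintainer would keep in a test suite. The following is an added example and is not Classpath code: the `HashChainPRNG` class is a stand-in (SHA-1 over seed and counter), not the actual gnu.java.security.util.PRNG algorithm, and the millisecond value used in the usage lines is constructed from the report's own date. Only the seeding behaviour mirrors what the report describes.

```python
"""Clock-seeded vs. OS-seeded generator, with a reproducibility check.

Added example, not GNU Classpath code.  HashChainPRNG is an assumed
stand-in for the real class: every output block is a pure function of
the seed, which is all the check below relies on.
"""
import hashlib
import math
import os
import time
from typing import Optional


class HashChainPRNG:
    """Toy deterministic generator: block i = SHA-1(seed || i)."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.counter = 0

    def next_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = hashlib.sha1(self.seed + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
            out += block
        return out[:n]

    def add_entropy(self, extra: bytes) -> None:
        """Fold caller-supplied entropy (e.g. bytes read from /dev/random) into
        the state; this is the hook the report says Classpath callers lack."""
        self.seed = hashlib.sha1(self.seed + extra).digest()


def clock_seed(millis: int) -> bytes:
    """The weak construction the report describes: seed = time in milliseconds."""
    return millis.to_bytes(8, "big")


def make_weakly_seeded(now_ms: Optional[int] = None) -> HashChainPRNG:
    """Seeded only from the clock, as the report says PRNG.getInstance does."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return HashChainPRNG(clock_seed(now_ms))


def make_properly_seeded() -> HashChainPRNG:
    """Seeded from the OS CSPRNG (os.urandom reads /dev/urandom or equivalent)."""
    return HashChainPRNG(os.urandom(32))


def find_clock_seed(sample: bytes, guess_ms: int, window_ms: int) -> Optional[int]:
    """Regression check: return the millisecond value within window_ms of
    guess_ms that reproduces `sample`, or None if no clock value does.
    Searches outward from the guess, the approach the report outlines.
    A correctly seeded generator must make this return None."""
    for delta in range(window_ms + 1):
        for candidate in (guess_ms - delta, guess_ms + delta):
            if HashChainPRNG(clock_seed(candidate)).next_bytes(len(sample)) == sample:
                return candidate
    return None


def clock_seed_space_bits_per_year() -> float:
    """Upper bound on seed entropy when the seed is a millisecond within one
    (non-leap) year: log2 of the number of milliseconds in that year."""
    return math.log2(365 * 24 * 3600 * 1000)


if __name__ == "__main__":
    # Constructed timestamp: roughly the report's own date, 5 Dec 2008 20:28:45 UTC.
    report_ms = 1228508925000
    weak = make_weakly_seeded(report_ms)
    print("clock-seeded, recovered ms:",
          find_clock_seed(weak.next_bytes(16), report_ms + 700, 5000))
    strong = make_properly_seeded()
    print("OS-seeded, recovered ms:",
          find_clock_seed(strong.next_bytes(16), report_ms, 5000))
    print("seed space per year, bits: %.2f" % clock_seed_space_bits_per_year())
```

The `find_clock_seed` check is the kind of test that would catch a regression after a seeding fix: a generator seeded from the OS, or a clock-seeded one after `add_entropy` has been called with real entropy, should never be reproducible from a clock window, while the unmodified clock-seeded generator is recovered within a few hundred hash evaluations. The per-year bound is the 2**35 figure from the report stated precisely.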