Randomness and the Netscape Browser

Dr. Dobb's Journal, Jan96
How secure is the World Wide Web?
by Ian Goldberg and David Wagner

Ian and David are PhD students in the computer science department at the University of California, Berkeley. They can be reached at

As the World Wide Web gains broad public appeal, companies are becoming interested in using the Web not just to advertise, but also to take orders for their merchandise and services. Since ordering a product online requires the customer to transmit payment information (such as a credit-card number) from a client program to the company's server program through the Internet, there is a need for cryptographic protection. By encrypting payment information before transmitting it, a customer can ensure that no one except the company from which he is purchasing can decode that sensitive data.

Netscape Communications has been at the forefront of the effort to integrate cryptographic techniques into Web servers and browsers. Netscape's Web browser supports the Secure Sockets Layer (SSL), a cryptographic protocol developed by Netscape to provide secure Internet transactions. Given the popularity of Netscape's browser and the widespread use of its cryptographic protocol on the Internet, we decided to study Netscape's SSL implementation in detail. Our study revealed serious flaws in Netscape's implementation of SSL that make it relatively easy for an eavesdropper to decode the encrypted communications. Although Netscape has fixed these problems in a new version of their browser (as of this writing, Netscape 2.0 beta1 and Netscape Navigator 1.22 Security Update are available), these weaknesses provide several lessons for people interested in producing or purchasing secure software.

At its most basic level, SSL protects communications by encrypting messages with a secret key, a large, random number known only to the sender and receiver. Because you can't safely assume that an eavesdropper doesn't have complete details of the encryption and decryption algorithms, the protocol can be considered secure only if someone who knows all of the details of these algorithms is unable to recover a message without trying every possible key. Ultimately, security rests on the infeasibility of trying all possible decryption-key values. The security of SSL, like that of any other cryptographic protocol, depends crucially on the unpredictability of this secret key. If an attacker can predict the key's value or even narrow down the number of keys that must be tried, the protocol can be broken with much less effort than if truly random keys had been used. Therefore, it is vital that the secret keys be generated from an unpredictable random-number source.

Randomness is not a black-and-white quality: some streams of numbers are more random than others. The only truly random number sources are those related to physical phenomena such as the rate of radioactive decay of an element or the thermal noise of a semiconductor diode. Barring the use of external devices, computer programs that need random numbers must generate these numbers themselves. However, since CPUs are deterministic, it is impossible to algorithmically generate truly random numbers.