Re: qmail starttls patch does not seed the random number generator

From: Jack Lloyd (lloyd@acm.jhu.edu)
Date: 08/15/01


Date: Wed, 15 Aug 2001 13:42:05 -0400 (EDT)
From: Jack Lloyd <lloyd@acm.jhu.edu>
To: Wojciech Purczynski <wp@supermedia.pl>
Subject: Re: qmail starttls patch does not seed the random number generator
Message-ID: <Pine.LNX.4.30.0108151324460.7141-100000@sol.galaxy.acm.jhu.edu>


> The way you fixed the problem is not secure. It works in most cases but it
> may fail in some cases. Your patch does not check for error codes that may
> be returned by open(), and if read() returns fewer characters than 33 your
> code just skips seeding the PRNG without returning any error.
>
> As we can read in the kernel sources, open("/dev/urandom") and read() should
> not return an error, but you can't depend on this if you want to provide a
> secure fix. If the kernel changes, your code may become insecure and would
> need to be fixed again and again...

Not to mention the fact that /dev/random on Solaris is a pipe, and thus could
(maybe) return less. Though I've never seen or used the implementation there,
so I couldn't say for sure. But generally you can't rely on the fact that
/dev/urandom is always going to give you as much as you want.

Of course this is ignoring the fact that the only time OpenSSL will seed
itself is precisely when /dev/urandom exists, so the value of this patch is
questionable (but, of course, the fact that qmail doesn't seed the RNG is a
serious error and should probably be fixed).

[from the original post by Felix von Leitner]:
> it completely compromises the cryptographic privacy of TLS encrypted
> emails.

3 points I feel I have to make here:

  1) If you're depending on the fact that your mail server is TLS encrypting
your emails, you're asking for it. Even if it is encrypting everything going
out (which seems unlikely; how many mail servers out there are configured for
TLS SMTP?), more likely than not at some point it will be decrypted and sent
over the wire in plaintext. It's comparable (IMO) to using telnet, on the
assumption that the OS will be using IPSec. Use PGP or S/MIME if you want to
secure your email.

  2) IIRC, OpenSSL adds a few "random" things like pid, uid, time, etc. in the
creation of the key (it's possible I'm thinking about some other subsystem, so
somebody tell me if I'm wrong here). But if so, I'd imagine there are at least
25-35 bits of security in the key then. Which is of course quite poor, but it
would take at least a little while to break each session key, which (IMHO) is
more security than you should expect from this (which is precisely that given
by normal mail, none).

  3) Oh, one more thing. An SSL/TLS key is negotiated between the client and
server, and derived from random values sent by each of them. So I don't think
the session keys would actually be vulnerable, unless TLS over SMTP uses some
odd variation from the normal protocol. Unless, of course, both servers were
running a qmail server that wasn't seeding the RNG. :)

Regards,

Jack

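The defect Wojciech describes above (an unchecked open(), and a short read()
silently treated as a successful seed) is easy to avoid. The following is an
added example, written for this page and not taken from the qmail STARTTLS
patch, from qmail, or from OpenSSL. The function names read_entropy_from,
read_entropy and seed_or_fail are assumptions for illustration. It reads
exactly the requested number of bytes, retries on EINTR, and reports failure
on any open() error, read() error or premature EOF, so the caller can refuse
to continue with an unseeded PRNG instead of carrying on. The OpenSSL
RAND_seed() call is left as a comment so the file builds without libcrypto.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SEED_BYTES 33   /* the same amount the patch under discussion read */

/* Read exactly n bytes from path into buf.
 * Returns 0 on success and -1 on any failure: open() error, read() error,
 * or EOF before n bytes arrived.  A short read is a failure, never a
 * "partial seed". */
int read_entropy_from(const char *path, unsigned char *buf, size_t n)
{
    int fd;
    size_t got = 0;

    do {
        fd = open(path, O_RDONLY);
    } while (fd == -1 && errno == EINTR);
    if (fd == -1)
        return -1;                      /* device missing or unreadable */

    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r == -1) {
            if (errno == EINTR)
                continue;               /* interrupted by a signal: retry */
            close(fd);
            return -1;                  /* genuine read error */
        }
        if (r == 0) {
            close(fd);
            return -1;                  /* EOF: fewer than n bytes available */
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Convenience wrapper for the device the thread is about. */
int read_entropy(unsigned char *buf, size_t n)
{
    return read_entropy_from("/dev/urandom", buf, n);
}

/* What a caller should do: seed only on success, fail closed otherwise.
 * Returns 0 if the PRNG could be seeded, -1 if TLS must not be started. */
int seed_or_fail(void)
{
    unsigned char seed[SEED_BYTES];

    if (read_entropy(seed, sizeof seed) != 0)
        return -1;                      /* do not run TLS with an unseeded RNG */

    /* RAND_seed(seed, sizeof seed);   OpenSSL call, omitted so this builds
     *                                 without linking libcrypto */
    memset(seed, 0, sizeof seed);       /* wipe seed material from the stack */
    return 0;
}

/* Demonstrations of the three outcomes a caller must distinguish. */
int demo_urandom_ok(void)
{
    unsigned char buf[SEED_BYTES];
    return read_entropy(buf, sizeof buf);                        /* 0 */
}

int demo_short_read(void)
{
    unsigned char buf[SEED_BYTES];
    /* /dev/null returns EOF immediately: a 33-byte request cannot succeed */
    return read_entropy_from("/dev/null", buf, sizeof buf);      /* -1 */
}

int demo_open_fails(void)
{
    unsigned char buf[SEED_BYTES];
    return read_entropy_from("/nonexistent/urandom", buf, sizeof buf); /* -1 */
}

int main(void)
{
    printf("/dev/urandom, 33 bytes: %d\n", demo_urandom_ok());
    printf("/dev/null, 33 bytes:    %d\n", demo_short_read());
    printf("missing device:         %d\n", demo_open_fails());
    printf("seed_or_fail():         %d\n", seed_or_fail());
    return 0;
}
```

The /dev/null case stands in for any source that hands back fewer bytes than
asked for; the original patch would have treated it as a successful seed.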

