[erlang-questions] Yaws security alert - Yaws 1.93

Geoff Cant <>
Wed Jun 20 23:37:44 CEST 2012


On 2012-06-20, at 14:17 , Claes Wikstrom wrote:

> On 06/20/2012 11:10 PM, Geoff Cant wrote:
>> Hi Klake,
>> 
>> Is the problem related to predictable seeding of random (set to {A,B,C} =
>> erlang:now() at some point) or is it a bigger break in taking a series of
>> outputs from random:uniform and working out the internal state from that?
>> Just trying to figure out if kallez's attack is a brute force discovery of a
>> weak seed, or if it's a more complete break of the generator itself given an
>> unknown seed.
>> 
>> Cheers,
> 
> 
> It's not, Yaws was using the seed as in
> 
> 
>    {X,Y,Z} = seed(),
> 
> ...
> 
> 
> seed() ->
>    case (catch list_to_binary(
>                  os:cmd("dd if=/dev/urandom ibs=12 count=1 2>/dev/null"))) of
>        <<X:32, Y:32, Z:32>> ->
>            {X, Y, Z};
>        _ ->
>            now()
>    end.
> 
> 
> The problem is much deeper, it's the random algorithm itself. It's said that
> it's cryptographically weak - now I've seen how weak. Very weak.


That's pretty neat indeed then (as an attack, not so great for anyone using random:uniform for any crypto-ish purpose). I'd love to look at a description of the break if one becomes available.

Cheers,
--
Geoff Cant







More information about the erlang-questions mailing list