[erlang-questions] Yaws security alert - Yaws 1.93

Bob Ippolito bob@REDACTED
Thu Jun 21 02:00:11 CEST 2012


The random module is *very* weak, it has less than 48 bits of state
(Wichmann-Hill 1982). It doesnt really generate results appropriate for
double precision float, and it fails modern test suites for PRNGs, so it's
basically unsuitable for most modern applications. Also, I haven't looked
at Yaws' implementation but the random module only ensures that you have a
good seed if you are using the process dictionary version of the API,
otherwise you have to ensure that each component is non-zero and not an
integer multiple of the prime for that component yourself.

The best alternative is what this version appears to use: the crypto
module. If you need something faster that doesn't have to be safe for
cryptographic purposes you'll have to look outside of OTP.

On Thursday, June 21, 2012, Pablo Platt wrote:

> What are the alternatives?
>
>   ------------------------------
> *From:* Geoff Cant <nem@REDACTED <javascript:_e({}, 'cvml',
> 'nem@REDACTED');>>
> *To:* Claes Wikstrom <klacke@REDACTED <javascript:_e({}, 'cvml',
> 'klacke@REDACTED');>>
> *Cc:* erlang-questions <erlang-questions@REDACTED <javascript:_e({},
> 'cvml', 'erlang-questions@REDACTED');>>
> *Sent:* Thursday, June 21, 2012 12:37 AM
> *Subject:* Re: [erlang-questions] Yaws security alert - Yaws 1.93
>
>
> On 2012-06-20, at 14:17 , Claes Wikstrom wrote:
>
> > On 06/20/2012 11:10 PM, Geoff Cant wrote:
> >> Hi Klake,
> >>
> >> Is the problem related to predictable seeding of random (set to {A,B,C}
> =
> >> erlang:now() at some point) or is it a bigger break in taking a series
> of
> >> outputs from random:uniform and working out the internal state from
> that?
> >> Just trying to figure out if kallez's attack is a brute force discovery
> of a
> >> weak seed, or if it's a more complete break of the generator itself
> given an
> >> unknown seed.
> >>
> >> Cheers,
> >
> >
> > It's not, Yaws was using the seed as in
> >
> >
> >    {X,Y,Z} = seed(),
> >
> > ...
> >
> >
> > seed() ->
> >    case (catch list_to_binary(
> >                  os:cmd("dd if=/dev/urandom ibs=12 count=1
> 2>/dev/null"))) of
> >        <<X:32, Y:32, Z:32>> ->
> >            {X, Y, Z};
> >        _ ->
> >            now()
> >    end.
> >
> >
> > The problem is much deeper, it's the random algorithm itself. It's said
> that
> > it's cryptographically weak - now I've seen how weak. Very weak.
>
>
> That's pretty neat indeed then (as an attack, not so great for anyone
> using random:uniform for any crypto-ish purpose). I'd love to look at a
> description of the break if one becomes available.
>
> Cheers,
> --
> Geoff Cant
>
>
>
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED <javascript:_e({}, 'cvml',
> 'erlang-questions@REDACTED');>
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20120620/8824228c/attachment.htm>


More information about the erlang-questions mailing list