Predictable Netscape seed
Early versions of Netscape's Secure Sockets Layer (SSL) encryption protocol used pseudo-random quantities derived from a PRNG seeded with three variable values: the time of day, the process ID, and the parent process ID. These quantities are relatively predictable (the time can be estimated from network traffic and the process IDs from a process listing on the same machine), so the seed had little entropy and the outputs were far less random than they appeared; that version of SSL was insecure as a result. The problem was reported to Netscape in 1994 by Phillip Hallam-Baker, then a researcher in the CERN Web team, but was not fixed prior to release. The problem in the running code was discovered in 1995 by Ian Goldberg and David Wagner, who had to reverse engineer the object code because Netscape refused to reveal the details of its random number generation (security through obscurity). The RNG was fixed in later releases (version 2 and higher) by more robust seeding, i.e., seeding from sources that carry more entropy from an attacker's perspective.
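The attack the paragraph implies, as an added example (not Netscape's code and not the Goldberg and Wagner tool): a hypothetical PRNG seeded from the time of day (assumed to be split into seconds and microseconds), the process ID and the parent process ID, mixed with SHA-256 as a stand-in for whatever hashing the real code did. The attacker's uncertainty is expressed as a range per field; a local attacker who reads pid and ppid from a process listing and the second from a packet capture is left with only the microsecond field to search. The victim's timestamp and process IDs are constructed values.

```python
import hashlib
import math
import struct

# Added example: a hypothetical PRNG seeded the way the text describes (time, pid, parent pid).
# Field layout and hash function are stand-ins chosen for the demo, not Netscape's code.

USEC_BITS, PID_BITS = 20, 15          # microseconds < 2**20; classic Unix pids < 32768


def weak_seed(seconds, microseconds, pid, ppid):
    """All the 'randomness' is a hash of four low-entropy fields."""
    return hashlib.sha256(struct.pack(">IIII", seconds, microseconds, pid, ppid)).digest()


def session_key(seed, nbytes=16):
    """Deterministic expansion of the seed into key material (counter-mode hash)."""
    out = b""
    for ctr in range((nbytes + 31) // 32):
        out += hashlib.sha256(seed + struct.pack(">I", ctr)).digest()
    return out[:nbytes]


def search_bits(*ranges):
    """log2 of the number of seeds an attacker must try, given the ranges still unknown."""
    return math.log2(math.prod(len(r) for r in ranges))


def recover_key(observed_key, sec_range, usec_range, pid_range, ppid_range):
    """Brute force: re-derive the key for every seed inside the attacker's uncertainty and compare."""
    for sec in sec_range:
        for pid in pid_range:
            for ppid in ppid_range:
                for usec in usec_range:
                    cand = session_key(weak_seed(sec, usec, pid, ppid), len(observed_key))
                    if cand == observed_key:
                        return (sec, usec, pid, ppid)
    return None


def demo():
    # Constructed victim values: connection time (seconds since the epoch), pid and ppid.
    sec, usec, pid, ppid = 794_700_000, 123_456, 1234, 1000
    key = session_key(weak_seed(sec, usec, pid, ppid))
    # Local attacker: `ps` gives pid and ppid, the packet capture gives the second; only usec is unknown.
    found = recover_key(key,
                        range(sec, sec + 1), range(1 << USEC_BITS),
                        range(pid, pid + 1), range(ppid, ppid + 1))
    return key, found


if __name__ == "__main__":
    key, found = demo()
    local = search_bits(range(1), range(1 << USEC_BITS), range(1), range(1))
    remote = search_bits(range(1), range(1 << USEC_BITS), range(1 << PID_BITS), range(1 << PID_BITS))
    print("local attacker search space:  %.0f bits" % local)
    print("remote attacker search space: %.0f bits" % remote)
    print("recovered (sec, usec, pid, ppid):", found)
```

The remote attacker who must also guess both process IDs faces about 50 bits here, which is still far below what a 128-bit session key is supposed to provide; in practice pids and parent pids cluster in narrow ranges, so the real search is smaller still.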
Microsoft Windows 2000/XP random number generator
Microsoft used an unpublished algorithm to generate random values in older versions of its Windows operating system. These random quantities are made available to applications through the CryptGenRandom API. In November 2007, Leo Dorrendorf et al. from the Hebrew University of Jerusalem and the University of Haifa published a paper titled Cryptanalysis of the Random Number Generator of the Windows Operating System. The paper presented serious weaknesses in Microsoft's approach at the time; among other things, it showed that an attacker who learns the generator's internal state can compute its earlier outputs as well as its later ones (a lack of forward security). The paper's conclusions were based on disassembly of the code in Windows 2000, but according to Microsoft applied to Windows XP as well. Microsoft has stated that the problems described in the paper have been addressed in subsequent releases of Windows, which use a different RNG implementation.
Dual_EC_DRBG
NIST's guidance on deterministic random bit generators (Special Publication 800-90) recommended four generators. One of them, Dual_EC_DRBG, was favored by the National Security Agency. Dual_EC_DRBG is built on elliptic curves and its specification fixes a set of constants, in particular two curve points P and Q. In August 2007, Dan Shumow and Niels Ferguson of Microsoft showed that these constants could be constructed so as to plant a kleptographic backdoor in the algorithm: whoever chose Q knowing the secret relationship between P and Q (the discrete logarithm of one point with respect to the other) can recover the generator's internal state from a small amount of its output and predict everything it produces afterwards, while nobody else can tell from the constants that they were chosen that way. In September 2013 The New York Times wrote that "the N.S.A. had inserted a back door into a 2006 standard adopted by N.I.S.T... called the Dual EC DRBG standard", lending weight to the suspicion Shumow and Ferguson had raised. In December 2013, Reuters reported that documents released by Edward Snowden indicated that the NSA had paid RSA Security $10 million to make Dual_EC_DRBG the default in its BSAFE encryption software, raising further concern that the algorithm contained a backdoor for the NSA. Because of these concerns, in 2014 NIST withdrew Dual_EC_DRBG from its draft guidance on random number generators, recommending that "current users of Dual_EC_DRBG transition to one of the three remaining approved algorithms as quickly as possible."
MIFARE Crypto-1
Crypto-1 is a cryptosystem developed by NXP for use on MIFARE chips. The system is proprietary and the algorithm was originally not published. After reverse engineering the chip, researchers from the University of Virginia and the Chaos Computer Club found an attack on Crypto-1 that exploits a poorly initialized random number generator.
Debian OpenSSL
In May 2008, security researcher Luciano Bello revealed his discovery that changes made in 2006 to the random number generator in the version of the OpenSSL package distributed with Debian Linux and other Debian-based distributions, such as Ubuntu, reduced the entropy of the generator's output to the process ID alone (at most 2^15 values on a typical Linux system), so that the keys generated on affected systems could simply be enumerated. The weakness was caused by changes a Debian developer made to the OpenSSL code in response to warnings from a memory-checking tool (Valgrind) about accessing uninitialized memory: the lines removed to silence the warning were the ones that mixed the caller-supplied entropy into the pool, not just the deliberate read of an uninitialized buffer.
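The shape of the Debian bug, as an added example built on a hypothetical hash-based pool standing in for OpenSSL's md_rand pool (this is not OpenSSL's code): `add()` folds caller-supplied entropy into the pool, and the `mix_inputs=False` variant models the build with that mixing call removed. The process ID is still hashed into every output, as OpenSSL did, which is why it became the only thing that varied between processes. The entropy samples and the victim's pid are constructed values.

```python
import hashlib

# Added example, not OpenSSL's code: a toy pool showing why removing the mixing call left only the pid.
PID_MAX = 32768   # default Linux pid_max, so at most 2**15 distinct pids


class ToyPool:
    """Hypothetical hash-based pool standing in for OpenSSL's md_rand pool."""

    def __init__(self, pid, mix_inputs=True):
        self.state = bytes(32)
        self.pid = pid
        self.mix_inputs = mix_inputs

    def add(self, buf):
        """Fold caller-supplied entropy (clock, /dev/urandom bytes, ...) into the pool.
        With mix_inputs=False the update is skipped, modelling the removed mixing call."""
        if self.mix_inputs:
            self.state = hashlib.sha256(self.state + buf).digest()

    def bytes(self, n):
        """Output: hash of the pool state, the process id and a counter.
        In the broken build the pid is the only input that still differs between processes."""
        out = b""
        ctr = 0
        while len(out) < n:
            block = self.state + self.pid.to_bytes(4, "big") + ctr.to_bytes(4, "big")
            out += hashlib.sha256(block).digest()
            ctr += 1
        return out[:n]


def make_key(pid, entropy, mix_inputs=True):
    """What a process with this pid gets as a 128-bit key after feeding `entropy` to the pool."""
    pool = ToyPool(pid, mix_inputs)
    pool.add(entropy)
    return pool.bytes(16)


def distinct_keys(mix_inputs, pids, entropy_samples):
    """Count distinct keys across processes with the given pids and entropy inputs."""
    return len({make_key(pid, e, mix_inputs) for pid in pids for e in entropy_samples})


def recover_pid(observed_key, mix_inputs=False):
    """Against the broken build, enumerate every possible pid; what the victim fed in is irrelevant."""
    for pid in range(1, PID_MAX):
        if make_key(pid, b"", mix_inputs) == observed_key:
            return pid
    return None


if __name__ == "__main__":
    samples = [b"clock=1", b"clock=2", b"/dev/urandom bytes"]       # constructed entropy inputs
    print("healthy pool, 100 pids x 3 inputs ->", distinct_keys(True, range(1, 101), samples), "keys")
    print("debian pool,  100 pids x 3 inputs ->", distinct_keys(False, range(1, 101), samples), "keys")
    victim = make_key(4242, b"lots of real entropy", mix_inputs=False)
    print("victim pid recovered by enumeration:", recover_pid(victim))
```

The same enumeration is what made the published blacklists of weak Debian SSH and SSL keys possible: for each key type and size there were only as many possible keys as there were pids, so every one of them could be pre-generated and matched against deployed keys.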