Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: SecureW2 TLS security problem
From: Simon Josefsson <jas () extundo com>
Date: Tue, 04 Oct 2005 15:08:40 +0200

Tom Rixom of Alfa & Ariss swiftly responded to this, and they have now
released a new version, available from:


A brief inspection reveal that it uses CryptGenRandom from Microsoft
Enhanced CSP, documented as follows in:


   The CryptGenRandom function fills a buffer with random bytes. The
   random number generation algorithm is the SHS based RNG from FIPS
   186. During the function initialization, a seed, to which SHA-1 is
   applied to create the output random, is created based on the
   collection of all the data listed in the Miscellaneous section.

The source code of that function isn't available, as far as I know, so
the trust of the PMS random numbers in SecureW2 now lie in Microsoft
instead of the known weak srand seeded by local time.  It is difficult
to see how that would be worse than before, though.

FYI, the "Miscellaneous section" of the document contain the

   The Collection of Data Used to Create a Seed for Random Number

   To create a seed for its random number generator, RSAENH
   concatenates many different source of information. Each piece of
   information is concatenated together, and the resulting byte stream
   is hashed with SHA-1 to produce a 20-byte seed value that is used
   in generating random numbers (according to FIPS 186-2 appendix 3.1
   with SHA-1 as the G function).

   • The process ID of the current process requesting random data
   • The thread ID of the current thread within the process requesting random data
   • A 32bit tick count since the system boot
   • The current local date and time
   • The current system time of day information consisting of the boot time, current time, time zone
plus many more sources.

I wonder if anybody has quantified the amount of entropy that could
realistically be extracted from the mentioned sources.


Simon Josefsson <jas () extundo com> writes:

Hi everyone!  I was looking at the code for a TLS implementation, an
open source implementation "SecureW2" by Alfa & Ariss, see:


I found that it uses weak random numbers when generating the
pre-master-secret.  The code is in "./Components/Common/release
3/version 0/source/CommonTLS.c" and quoted below.

It appear to be using the weak srand/rand functions seeded by the
milliseconds field from the system clock.  That doesn't provide you
with 48 bytes of strong randomness, you are lucky to get even a few


// Name: TLSGenPMS
// Description: Generate the 48 random bytes for the PMS (Pre Master Secret)
// Author: Tom Rixom
// Created: 17 December 2002
        int                             i = 0;
        SYSTEMTIME              SystemTime;
        DWORD                   dwRet;

        dwRet = NO_ERROR;

        AA_TRACE( ( TEXT( "TLSGenPMS" ) ) );

        pbPMS[0] = 0x03;
        pbPMS[1] = 0x01;

        // Time (DWORD)
        GetLocalTime( &SystemTime );

        srand( ( unsigned int ) SystemTime.wMilliseconds );

        //srand( ( unsigned )time( NULL ) );

        // Random bytes
        for( i=2; i < TLS_PMS_SIZE; i++ )
                pbPMS[i] = ( BYTE ) ( rand() % 255 );

        AA_TRACE( ( TEXT( "TLSGenPMS::random bytes: %s" ), AA_ByteToHex( pbPMS, TLS_PMS_SIZE ) ) );

        return dwRet;
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]