[Cryptography] Mac OS 10.7.5 Random Numbers

ianG iang at iang.org
Mon Feb 3 05:13:37 EST 2014


On 3/02/14 08:44 AM, Bill Frantz wrote:
> On 2/2/14 at 9:34 PM, agr at me.com (Arnold Reinhold) wrote:
> 
>> Based on the Darwin source code posted at the xnu project, Apple uses
>> the SHA1 version of Yarrow with the 1999 source code from Counterpane
>> essentially unchanged. This give them a 160-bit secret state. An
>> obvious improvement would be to switch to SHA2 or SHA3 with a 256 or
>> 512 bit state, but the Apple source contains this warning:
>>
>> "THIS FILE IS NEEDED TO PASS FIPS ACCEPTANCE FOR THE RANDOM NUMBER
>> GENERATOR.
>> IF YOU ALTER IT IN ANY WAY, WE WILL NEED TO GO THOUGH FIPS ACCEPTANCE
>> AGAIN,
>> AN OPERATION THAT IS VERY EXPENSIVE AND TIME CONSUMING. IN OTHER WORDS,
>> DON'T MESS WITH THIS FILE."


Hmmm.  Apple are famously secret so we'll never hear a peep from them
about their views on it.  I think the mitigation here would be that
although the improvement would be well appreciated for security, and for
a sense of evolving security (which is even more appreciated), I'm not
sure I am seeing the direct danger as yet.  However:


> Adding yet more evidence that FIPS standards work against improved
> security.


Does anyone doubt this?  Seriously?

If so, here's a simple argument.  Attackers have a 1 month OODA loop,
which means they can spin their attack within a month to take benefit of
new attacks.

FIPS has an OODA loop of a decade.  It can't respond.  Its role is to
build the Maginot Line, over and over again.

I suppose we could find evidence for these claims, but who would pay us
for the effort?


> I wonder how much NSA advice had to do with this situation.


The concept of the barrier to entry is well known amongst economic
warriors.  For those seeking cred, it is part of Porter's 5 forces, a
well respected industrial framework.  There is no doubt in my mind that
the NSA is all over this concept.  And indeed we had evidence in that
old FP article of wayback concerning their use of econ weapons against
the South African crypto industry (anyone know where that is?).

The same barrier to entry was used in PKI.  For a long time, browsers
thought an audit was a good idea, not realising that it was a high cost
and easily subvertible.  Then, in the late 2000s, phishing threatened
the browsers, so the vendors banded together in secret to try and find
some way forward.  Smart CAs headed them off at the pass, and absorbed
them into a new association that in the fullness of time multiplied the
barriers by 3-fold or so.  They thus managed to avoid the question of
phishing completely, and to bed the piles of the skyscraper PKI another
100m into the bedrock.

I'm not sure what the current situation is, but last I looked, they
required the old audit, the new base audit and the new EV audit (which
actually required 2 audits), all of it negotiated in secret, with a faux
public presentation afterwards.  NIST is a powerful force there, the
association members don't respond to much in the way of input, but when
NIST decided to get them all to shift up in key size, out of mandate,
they spent way too much focus time on it.  It's basically a big boys
club and the biggest boy in town has more of the power.

It has been claimed by people who would know that the NSA was behind it
all, but I've never seen any evidence of that.  Yet, again, one would
never know;  the association started out in secret, negotiated in secret
and only in the last couple of years added a couple of open enhancements
as figleafs.  Compared to them, IETF working groups are a paragon of
virtue, you can actually see their maillists, join and and get your
disgust on the public record against the 'rough consensus'.

Browser PKI is certainly as close to a setup for NSA control as one
could imagine.



iang


More information about the cryptography mailing list