[Cryptography] Mac OS 10.7.5 Random Numbers

John Kelsey crypto.jmk at gmail.com
Mon Feb 3 11:24:56 EST 2014


On Feb 3, 2014, at 12:44 AM, Bill Frantz <frantz at pwpconsult.com> wrote:
>> On 2/2/14 at 9:34 PM, agr at me.com (Arnold Reinhold) wrote:
>> 
>> Based on the Darwin source code posted at the xnu project, Apple uses the SHA1 version of Yarrow with the 1999 source code from Counterpane essentially unchanged. This gives them a 160-bit secret state. An obvious improvement would be to switch to SHA2 or SHA3 with a 256 or 512 bit state, but the Apple source contains this warning:
>> 
>> "THIS FILE IS NEEDED TO PASS FIPS ACCEPTANCE FOR THE RANDOM NUMBER GENERATOR.
>> IF YOU ALTER IT IN ANY WAY, WE WILL NEED TO GO THOUGH FIPS ACCEPTANCE AGAIN,
>> AN OPERATION THAT IS VERY EXPENSIVE AND TIME CONSUMING. IN OTHER WORDS,
>> DON'T MESS WITH THIS FILE."
>> 
> 
> Adding yet more evidence that FIPS standards work against improved security. I wonder how much NSA advice had to do with this situation.

What attack do you think is made practical by having only a 160-bit PRNG state, instead of a 256-bit state?  

Any validation process you come up with is going to have the same feature: once you've gotten something validated, changing it is, in general, going to mess up your validation.  Otherwise the validation means nothing, because you could get a crypto device validated using RSA2048 and SHA256, and then change it over to using RSA512 and MD5.  

The exact same thing holds true if, instead of a formal validation process like FIPS 140 validation or CC evaluation, you simply hire someone (or get some volunteers) to do a careful review of the architecture, cryptographic protocols and algorithms, and code of some crypto product.  Suppose you have a crypto product, and you hire some high profile, trusted people to review the code and the design from top to bottom.  Their review only really applies to the thing they reviewed.  Once you start changing the algorithms, that original review doesn't say much.  If a bunch of really smart people review Truecrypt and give it a green light, and then next year Truecrypt changes a couple of their crypto algorithms and rewrites some of their code, that review isn't very informative of the new version of Truecrypt.  

I don't know how much FIPS 140 labs reuse previous analysis when they revalidate something, but I don't see how you can change algorithms without doing some kind of revalidation, if you want that validation to mean anything at all. 

> Cheers - Bill

--John