[Cryptography] Apple's Early Random PRNG

Arnold Reinhold agr at me.com
Sun Mar 16 11:41:16 EDT 2014

I want to call the list's attention to this white paper on the weaknesses in Apple's "Early Random" PRNG: "Revisiting iOS Kernel (In)Security: Attacking the early random() PRNG" by Tarjei Mandt, http://mista.nu/research/early_random-paper.pdf .

I find it hard to understand why they even considered using a linear congruential PRNG here. I realize this PRNG is being used to supply unpredictable bits needed at a very early stage in the boot process, but they apparently have a SHA-1 function available at this stage in the boot, which they use to get the seed. Why not use one of the standard SHA-1 PRNGs here? Am I missing something?

Arnold Reinhold
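An added illustration of the distinction raised in the post, written for this page and not taken from Reinhold's message, Mandt's paper or Apple's code: a plain LCG hands its entire internal state to the caller as the output, so a single observed value is enough to reproduce everything that follows, while a hash-based generator in the Hash_DRBG style keeps its state behind SHA-1. The LCG constants below are textbook values chosen for the example and are an assumption, not Apple's early_random parameters, and `HashPRNG` is a simplified sketch of the idea rather than a NIST-conformant DRBG.

```python
import hashlib


class LCG:
    """Linear congruential generator: state' = (a*state + c) mod m.

    The parameters are classic textbook values used here only for
    illustration (an assumption, not Apple's constants)."""

    def __init__(self, seed: int, a: int = 1103515245, c: int = 12345, m: int = 2 ** 31):
        self.a, self.c, self.m = a, c, m
        self.state = seed % m

    def next(self) -> int:
        self.state = (self.a * self.state + self.c) % self.m
        return self.state  # the output *is* the full internal state


def predict_lcg_from_one_output(observed: int, a: int = 1103515245, c: int = 12345,
                                m: int = 2 ** 31, n: int = 5) -> list[int]:
    """Given one output of an LCG with known parameters, reproduce the next n.

    This is the property that makes an LCG unsuitable where outputs must be
    unpredictable: no search is needed, the observed value is the state."""
    clone = LCG(observed, a, c, m)
    return [clone.next() for _ in range(n)]


def consistent_with_lcg(values: list[int], a: int = 1103515245, c: int = 12345,
                        m: int = 2 ** 31) -> bool:
    """Audit check: does every value follow from its predecessor under the
    LCG recurrence? True for LCG output, essentially never for a hash-based
    generator. Useful when reviewing what a 'random' interface really emits."""
    return all((a * prev + c) % m == cur for prev, cur in zip(values, values[1:]))


class HashPRNG:
    """Minimal SHA-1 based generator in the spirit of a Hash_DRBG (simplified,
    not the NIST SP 800-90A construction).

    The secret value V is derived from the seed and never emitted. Each output
    is SHA-1(V || counter); recovering V from outputs requires inverting SHA-1.
    V is also ratcheted after every call so that a later state compromise does
    not reveal earlier outputs (backtracking resistance)."""

    def __init__(self, seed: bytes):
        self.v = hashlib.sha1(b"seed:" + seed).digest()  # internal state, kept secret
        self.counter = 0

    def next(self) -> int:
        self.counter += 1
        out = hashlib.sha1(self.v + self.counter.to_bytes(8, "big")).digest()
        self.v = hashlib.sha1(b"ratchet:" + self.v + out).digest()  # move state forward
        return int.from_bytes(out[:4], "big")


if __name__ == "__main__":
    # Constructed demonstration values; the seeds here carry no real entropy.
    g = LCG(42)
    first = g.next()
    print("LCG prediction matches:", predict_lcg_from_one_output(first) == [g.next() for _ in range(5)])
    h = HashPRNG(b"constructed early-boot entropy")
    print("hash-based outputs look like an LCG:", consistent_with_lcg([h.next() for _ in range(6)]))
```

The point of `consistent_with_lcg` is the review question behind the post: if an interface that is supposed to be unpredictable passes this check, it is leaking its state with every call, regardless of how good the seed fed into it was.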
