[Cryptography] Apple's Early Random PRNG
agr at me.com
Sun Mar 16 11:41:16 EDT 2014
I want to call the list's attention to this white paper on the weaknesses in Apple's "Early Random" PRNG: "Revisiting iOS Kernel (In)Security: Attacking the early random() PRNG" byTarjei Mandt http://mista.nu/research/early_random-paper.pdf .
I find it hard to understand why they even considered using an linear congruential PRNG here. I realize this PRNG is being used to supply unpredictable bits needed at a very early stage in the boot process, but they apparently have a SHA-1 function available at this stage in the boot, which they use to get the seed. Why not use one of the standard SHA-1 PRNGs here? Am I missing something?
More information about the cryptography