[Cryptography] Apple's Early Random PRNG

Bear bear at sonic.net
Mon Mar 17 00:14:55 EDT 2014

On Sun, 2014-03-16 at 11:41 -0400, Arnold Reinhold wrote:
> I want to call the list's attention to this white paper on the weaknesses in Apple's "Early Random" PRNG: "Revisiting iOS Kernel (In)Security: Attacking the early random() PRNG"  byTarjei Mandt  http://mista.nu/research/early_random-paper.pdf . 
> I find it hard to understand why they even considered using an linear congruential PRNG here. 

LCGs are NEVER a good idea for any cryptographic purpose.  IIRC 
you can pretty much always derive their internal state and predict 
them forever after given some shockingly small (maybe just a 
dozen?) number of outputs.  

The real problem is that they're starting parts of the OS that need 
secure RNG outputs too early in the boot process.

The idea that you need random output early in the bootup sequence 
is just plain wrong.  Even if you want to download a boot image 
over the network securely, you can darn well start the process by 
booting something else and gathering entropy for a minute before 
you open network connections. 

More information about the cryptography mailing list