[Cryptography] Apple's Early Random PRNG
bear at sonic.net
Mon Mar 17 00:14:55 EDT 2014
On Sun, 2014-03-16 at 11:41 -0400, Arnold Reinhold wrote:
> I want to call the list's attention to this white paper on the weaknesses in Apple's "Early Random" PRNG: "Revisiting iOS Kernel (In)Security: Attacking the early random() PRNG" byTarjei Mandt http://mista.nu/research/early_random-paper.pdf .
> I find it hard to understand why they even considered using an linear congruential PRNG here.
LCGs are NEVER a good idea for any cryptographic purpose. IIRC
you can pretty much always derive their internal state and predict
them forever after given some shockingly small (maybe just a
dozen?) number of outputs.
The real problem is that they're starting parts of the OS that need
secure RNG outputs too early in the boot process.
The idea that you need random output early in the bootup sequence
is just plain wrong. Even if you want to download a boot image
over the network securely, you can darn well start the process by
booting something else and gathering entropy for a minute before
you open network connections.
More information about the cryptography