[Cryptography] Apple's Early Random PRNG

Tom Mitchell mitch at niftyegg.com
Mon Mar 17 16:36:26 EDT 2014


On Sun, Mar 16, 2014 at 10:43 PM, <tytso at mit.edu> wrote:

> On Sun, Mar 16, 2014 at 09:14:55PM -0700, Bear wrote:
> >
> > The idea that you need random output early in the bootup sequence
> > is just plain wrong.  Even if you want to download a boot image
> > over the network securely, you can darn well start the process by
> > booting something else and gathering entropy for a minute before
> > you open network connections.
>
> ASLR of the kernel during early boot.  Sure, you could boot the
> kernel, gather enough entropy, and then kexec boot again with a
> fully-seeded RNG to do ASLR of the kernel text segment, but that gets
> <cryptography at metzdowd.com>
>

Early in the boot process is a difficult but interesting point of
vulnerability.

It is not silly to attack/defend this early in the process in multiple
places.
The local device can have a chunk of unique saved entropy built into
the boot code as well as a local file.

Network bootstraps can seed local entropy with the sequence numbers of
TCP/IP packets from a trusted host or a collection of less-trusted hosts.
Other random sources can be considered, but small hardware has limits.
Given the history of attacks based on less-than-random sequence numbers
in packets, sequence numbers are now interesting as seeds when little
else is available.

Consider inexpensive devices like the Beaglebone Black, Raspberry-Pi
and pandaboard. They lack real time clocks and boot a long way
before local entropy might be considered interesting. However, once
up and running there is enough storage and CPU to do interesting things.

For these dumb devices the flash memory image building process could
include inserting an entropy seed unique to each image that is then
replaced by different, runtime-generated bits.

In some cases the MAC address can be used with care as a crutch in the
bootstrap process. The MAC address is only seen on the local wire, so a
multi-hop connection has minimal hints about it. If the local wire is
untrusted, the risks are larger than the uses of a MAC address.

When considering small "dumb" devices, consider the likes of the Chromecast
device: a minimal device/OS at a very minimal price.

-
  T o m    M i t c h e l l
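The seed handling the post sketches (a chunk of saved entropy in a local file, a seed baked into the flash image at build time, the MAC address and observed TCP sequence numbers used with care as crutches, and the stored bits replaced once the system is up) is shown below as an added example. It is not code from the post or from any of the boards mentioned; the image seed, MAC address, sequence numbers and file path are all constructed assumptions for illustration. The combiner hashes the sources with domain separation, derives this boot's seed and a separate successor value, and rotates the seed file atomically before handing the seed out, so a reboot with identical network observations, or a later copy of the file, cannot reproduce this boot's state. It also makes the post's caveat visible: with no saved file, every clone of the same image that sees the same inputs derives the same seed.

```python
"""Boot-time seed combiner: an added example, not code from the post.

Mixes several weak or merely unique sources through SHA-256 with domain
separation, then rotates the on-disk seed file before the seed is used.
Every input value below is constructed sample data; on a real device the
MAC, the ISNs and the image seed would come from the hardware, the
network stack and the image build respectively.
"""
import hashlib
import os
import tempfile

SEED_BYTES = 32

# Constructed sample inputs (assumptions for this example, not real data).
IMAGE_SEED = bytes.fromhex("00" * 4 + "11" * 28)   # baked in at image build
MAC = bytes.fromhex("b827eb1234ab")                 # 6-byte device MAC
ISNS_BOOT1 = [0x1A2B3C4D, 0x9F8E7D6C, 0x00112233]   # TCP ISNs seen on boot 1
ISNS_BOOT2 = [0x5566AABB, 0xDEADBEEF, 0x01234567]   # TCP ISNs seen on boot 2


def mix(label: bytes, *parts: bytes) -> bytes:
    """Hash a labelled, length-prefixed list of byte strings.

    The label separates the different uses (output vs. successor file);
    the length prefix stops two different splits of the same bytes from
    hashing to the same value.
    """
    h = hashlib.sha256(label)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def load_saved_seed(path: str):
    """Return the previous boot's seed file, or None if absent or corrupt."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except FileNotFoundError:
        return None
    return data if len(data) == SEED_BYTES else None


def store_seed_atomically(path: str, data: bytes) -> None:
    """Temp file + fsync + rename: a power cut mid-write leaves either the
    old file or the new one, never a truncated one."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


def boot_seed(path: str, image_seed: bytes, mac: bytes, isns):
    """Derive this boot's seed and rotate the seed file.

    Returns (seed, source): source is "saved+live" when a seed file from an
    earlier boot contributed, "image+live" when only the build-time seed
    and link-level observations were available (treat as low entropy).
    """
    saved = load_saved_seed(path)
    isn_bytes = b"".join(n.to_bytes(4, "big") for n in isns)
    if saved is None:
        # First boot or lost file: every clone of this image with the same
        # MAC that sees the same ISNs derives exactly this value.
        pool = mix(b"pool-v1", image_seed, mac, isn_bytes)
        source = "image+live"
    else:
        pool = mix(b"pool-v1", saved, image_seed, mac, isn_bytes)
        source = "saved+live"
    # Two independent derivations: what is handed out now and what the next
    # boot will read.  Neither can be computed from the other.
    seed = mix(b"output-v1", pool)
    successor = mix(b"successor-v1", pool)
    # Persist the successor BEFORE releasing the seed, so a crash after this
    # point still leaves the next boot with different state.
    store_seed_atomically(path, successor)
    return seed, source


def demo():
    """Three boots against one seed file, plus a fresh clone of the image."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "seed.bin")
        s1, src1 = boot_seed(path, IMAGE_SEED, MAC, ISNS_BOOT1)
        s2, src2 = boot_seed(path, IMAGE_SEED, MAC, ISNS_BOOT2)
        # Same network observations as boot 2; the rotated file still
        # yields a fresh seed.
        s3, src3 = boot_seed(path, IMAGE_SEED, MAC, ISNS_BOOT2)
        on_disk = load_saved_seed(path)
        # A cloned image with no seed file and identical inputs repeats boot 1.
        clone, _ = boot_seed(os.path.join(d, "clone.bin"), IMAGE_SEED, MAC, ISNS_BOOT1)
    return {"seeds": (s1, s2, s3), "sources": (src1, src2, src3),
            "file_after": on_disk, "clone_repeats_boot1": clone == s1}


if __name__ == "__main__":
    r = demo()
    for i, (s, src) in enumerate(zip(r["seeds"], r["sources"]), 1):
        print(f"boot {i}: {src:10s} {s.hex()}")
    print("clone of image repeats boot 1:", r["clone_repeats_boot1"])
```

The ordering in `boot_seed` is the part worth copying: the successor is committed to flash before the seed is used, and the file never contains the value that was handed out. The `"image+live"` source tag is the signal that the per-image seed and link-level hints were the only inputs, which is the point at which the post's "replaced by runtime-generated bits" step has to happen before anything long-lived is keyed.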