[Cryptography] Apple's Early Random PRNG

dj at deadhat.com dj at deadhat.com
Mon Mar 17 18:50:44 EDT 2014


>
> Consider the impact of Target mandating all point of sale
> hardware requiring RDRAND.  Software cannot use what does
> not exist.
>

Well, RdRand is what Intel provides in its CPUs. I'm not trying to have
yet another RdRand discussion. Just a discussion about the sense behind
whatever RNG you put in the hardware, you make it available as soon as
instructions start executing.

I find it bizarre but entirely consistent with reality, that a PoS might
be created and deployed with no effective RNG.

While Target could and should require their PoS suppliers to make them
secure, I don't know that Target are the best people to reference for
a well reasoned set of PoS requirements.

Sadly, PCI-DSS is the right place, but they are the ones whose specs
require us to keep plaintext credentials on our credit cards. PCI-DSS
specs do nothing to enhance security.


