[Cryptography] Apple's Early Random PRNG

dj at deadhat.com dj at deadhat.com
Mon Mar 17 18:50:44 EDT 2014

> Consider the impact of Target mandating all point of sale
> hardware requiring RDRAND.  Software cannot use what does
> not exist.

Well RdRand is what Intel's provides in its CPUs. I'm not trying to have
yet another a RdRand discussion. Just a discussion about the sense behind
whatever RNG you put in the hardware, you make it available as soon as
instructions start executing.

I find it bizarre but entirely consistent with reality, that a PoS might
be created and deployed with no effective RNG.

While Target could and should require their PoS suppliers to make them
secure, I don't know that Target are the best people to reference for for
a well reasoned set of PoS requirements.

Sadly, PCI-DSS is the right place, but they are the ones who's specs
require us to keep plaintext credentials on our credit cards. PCI-DSS
specs do nothing to enhance security.

More information about the cryptography mailing list