[liberationtech] Google confirms critical Android crypto flaw

Maxim Kammerer mk at dee.su
Thu Aug 15 05:38:56 PDT 2013

On Thu, Aug 15, 2013 at 2:34 PM, Nathan of Guardian
<nathan at guardianproject.info> wrote:
> The best description is here:
> http://armoredbarista.blogspot.ch/2013/03/randomly-failed-weaknesses-in-java.html

Unbelievable… It seems that PRNG implementers suffer from NIH
syndrome. If you are going to use /dev/urandom, then use it all the
time, and rely on code that's reviewed and maintained by thousands of
kernel people, not just your favorite buggy seeded PRNG du jour. And
even sans the bugs, consider something like the following in Apache
Harmony (precursor of Dalvik's class library) [1, p. 131]:

  iv = sha1(iv,concat(state, cnt));
  cnt = cnt + 1;
  return iv;

So they're essentially constructing a state-based bit stream that
varies in each block, and hashing it with SHA-1 — exposing each
intermediate hash value in the middle. Who the hell told them it's
safe from a cryptanalysis POV? E.g., SP800-90A's Hash_DRBG [2, p. 40]
resembles nothing of the sort.

[1] http://dx.doi.org/10.1007/978-3-642-36095-4_9
[2] http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf

Maxim Kammerer
Liberté Linux: http://dee.su/liberte
Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.
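The construction quoted in the post, modelled in Python as an added example (this is not code from the post, from reference [1], or from Apache Harmony). The byte layout is an assumption: the seed is used unchanged as `state`, the counter is packed as an 8-byte big-endian integer, and the three inputs are concatenated before hashing rather than fed through SHA-1's compression function. The two properties the post objects to survive that simplification and are what the functions below check: the output is a pure function of the seed, so an n-bit seed source can never yield more than 2**n keystreams, and every block handed to the caller is exactly the chaining value the generator feeds into its next SHA-1 call.

```python
import hashlib
import os
import struct


class HarmonyStylePRNG:
    """Simplified model of the quoted construction:
        iv = sha1(iv, concat(state, cnt)); cnt = cnt + 1; return iv;

    Assumptions (not from the page): ``state`` is the raw seed, ``cnt`` is an
    8-byte big-endian counter, and the inputs are concatenated before hashing.
    """

    def __init__(self, seed: bytes) -> None:
        self.state = seed      # seed material; never changes after seeding
        self.cnt = 0           # per-block counter
        self.iv = bytes(20)    # SHA-1 chaining value, starts at all-zero

    def next_block(self) -> bytes:
        self.iv = hashlib.sha1(
            self.iv + self.state + struct.pack(">Q", self.cnt)
        ).digest()
        self.cnt += 1
        return self.iv         # the intermediate hash value goes straight out


def keystream(seed: bytes, nbytes: int) -> bytes:
    """Output is a pure function of the seed: same seed, same bytes."""
    gen = HarmonyStylePRNG(seed)
    out = b""
    while len(out) < nbytes:
        out += gen.next_block()
    return out[:nbytes]


def output_equals_internal_state(seed: bytes, blocks: int = 8) -> bool:
    """True if every returned block is exactly the chaining value that the
    generator will hash next (the 'exposed intermediate hash' in the post)."""
    gen = HarmonyStylePRNG(seed)
    for _ in range(blocks):
        block = gen.next_block()
        if block != gen.iv:
            return False
    return True


def distinct_keystreams_for_seed_space(seed_bits: int, nbytes: int = 16) -> int:
    """Number of distinct keystreams reachable from a seed_bits-bit seed space.

    However strong SHA-1 is, this is bounded by 2**seed_bits: the check to run
    against any generator seeded from a low-entropy source instead of the
    kernel pool. Constructed seeds: the integers 0 .. 2**seed_bits-1 as 4 bytes.
    """
    seen = {keystream(struct.pack(">I", s), nbytes) for s in range(1 << seed_bits)}
    return len(seen)


if __name__ == "__main__":
    weak_seed = b"\x00\x00\x00\x01"                     # constructed low-entropy seed
    assert keystream(weak_seed, 32) == keystream(weak_seed, 32)
    print("output block is the next chaining value:",
          output_equals_internal_state(weak_seed))
    print("8-bit seed space reaches", distinct_keystreams_for_seed_space(8),
          "keystreams at most")
    # What the post recommends instead: bytes straight from the kernel pool.
    print("os.urandom sample:", os.urandom(16).hex())
```

Run it as a script to see the three properties printed; `os.urandom` is shown only as the alternative the post argues for, and none of the model's output should be used as key material.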
