Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Weak Apple PRNG Threatens iOS Exploit Mitigations

Soulskill posted about 6 months ago | from the also-makes-you-lose-at-poker dept.

Encryption 143

Trailrunner7 writes "A revamped early random number generator in iOS 7 is weaker than its vulnerable predecessor and generates predictable outcomes. A researcher today at CanSecWest said an attacker could brute force the Early Random PRNG used by Apple in its mobile operating system to bypass a number of kernel exploit mitigations native to iOS. 'The Early Random PRNG in iOS 7 is surprisingly weak,' said Tarjei Mandt senior security researcher at Azimuth Security. 'The one in iOS 6 is better because this one is deterministic and trivial to brute force.' The Early Random PRNG is important to securing the mitigations used by the iOS kernel. 'All the mitigations deployed by the iOS kernel essentially depend on the robustness of the Early Random PRNG,' Mandt said. 'It must provide sufficient entropy and non-predictable output.'"

cancel ×

143 comments

Sorry! There are no comments related to the filter you selected.

Laugh (0, Flamebait)

koan (80826) | about 6 months ago | (#46483543)

The SSL "flaw" was too public, so they introduced a new flaw, and I am sure more than one.

Re:Laugh (1)

Trillan (597339) | about 6 months ago | (#46483643)

Do you have any evidence this was introduced in 7.0.6?

It was. Read on. (1)

Jeremiah Cornelius (137) | about 6 months ago | (#46483879)

Now, was this a gift to the NSA, or to the Jailbreakers?

Re:It was. Read on. (0)

Trillan (597339) | about 6 months ago | (#46484689)

I didn't see that in the article. Can you point it out? (Seriously if this is true, I really want to know.)

Re:Laugh (-1, Flamebait)

Anonymous Coward | about 6 months ago | (#46484663)

The choice is whether Apple is complicit or incompetent. Which of those do YOU think applies?

Re:Laugh (1)

dimeglio (456244) | about 6 months ago | (#46484963)

We'll see how important this apparent vulnerability is by the amount of malware on iOS.

Re: Laugh (0)

Anonymous Coward | about 6 months ago | (#46485389)

Penetrations and malware are different things. But in fact, the doe eyed users within the walled garden are probably especially lucrative victims.

Re: Laugh (0)

Anonymous Coward | about 6 months ago | (#46485713)

Shame that the so called unwalled ones have fell victim to malware and such otherwise you may have had an excellent point to make. At least we are talking about a possibly brute forceable PRNG with questionable implications and not a default password on a SSH server that came with an Android ROM.... short term memory?

Re:Laugh (-1)

Anonymous Coward | about 6 months ago | (#46483785)

The SSL "flaw" was too public, so they introduced a new flaw, and I am sure more than one.

When you have asinine RACIST affirmative action hiring policies and you hire unqualified blacks to make liberals feel good - THIS IS WHAT YOU GET.

Re:Laugh (1)

Jeremiah Cornelius (137) | about 6 months ago | (#46483869)

Right, Smitty.

Laugh : "surprisingly" (1)

FriendlyLurker (50431) | about 6 months ago | (#46483865)

The only thing surprising about this is that people are still surprised. Leak after leak has confirmed that encryption products from "all major vendors" have been deliberately compromised [startpage.com] .

Re: Laugh : "surprisingly" (0)

Anonymous Coward | about 6 months ago | (#46484053)

And yet someone replying still wants proof.

Re: Laugh : "surprisingly" (4, Insightful)

LordLimecat (1103839) | about 6 months ago | (#46484437)

Just because there are nefarious things going on doesnt mean that people have stopped making mistakes, or that the two are somehow mutually exclusive.

Yes, you should still want proof that this is malicious or subversive.

Re:Laugh : "surprisingly" (0)

Anonymous Coward | about 6 months ago | (#46486099)

The only thing surprising about this is that people are still surprised. Leak after leak has confirmed that encryption products from "all major vendors" have been deliberately compromised [startpage.com] .

Seriously, your confirmation is a link to a web search?

It's surprising because the leaks are fragmentary and incomplete. We still don't know exactly what's broken and how. That's why you can't even provide a real link that demonstrates your point. The NSA is winning the FUD war.

Why do we have all these custom PRNGs? (1, Interesting)

DigitAl56K (805623) | about 6 months ago | (#46483551)

Why don't we decide on a handful of strong PRNGs, and make every major OS use them exclusively, and in the case you really need something fast/psuedo-random you have to use a source/API explicitly named "insecure_rng".

That's both Android and iOS fallen victim to poor PRNGs in the last year..

Re:Why do we have all these custom PRNGs? (2, Interesting)

Anrego (830717) | about 6 months ago | (#46483605)

Who is going to do that... the cryptography police?

Crypto and security guys are an opinionated lot. Getting everyone to agree to some kind of standard is unlikely.

Re:Why do we have all these custom PRNGs? (3, Insightful)

DigitAl56K (805623) | about 6 months ago | (#46483715)

Crypto and security guys are an opinionated lot. Getting everyone to agree to some kind of standard is unlikely.

There are surely a set of criteria to be met in the design for a PRNG to be acceptable, a set of known attacks and weaknesses that the PRNG has to be resiliant to to some established degree, some minimum level of performance required (max ops per generation, average ops or ms per generation of n numbers on a certain CPU feature set), unencumbered by patents or full waiver provided. You put together some candidates, allow some window of time (e.g. a year) for everyone to poke holes in them provided all the known materials that would assist someone to make them fail the acceptance criteria. Whatever makes it through is your suite.

Re:Why do we have all these custom PRNGs? (2, Informative)

cryptizard (2629853) | about 6 months ago | (#46485121)

Good thing we just had that and it was called the SHA-3 competition.

well, almost (1)

FormOfActionBanana (966779) | about 6 months ago | (#46486225)

That was for fast secure hashes, and not for psuedorandom numbers. They aren't really the exact same thing, are they?

Re:Why do we have all these custom PRNGs? (1)

wiredlogic (135348) | about 6 months ago | (#46486019)

There are well defined methods for evaluating randomness. The problem is that there is a speed/time tradeoff as you dictate the implementation of systems with more randomness. No one PRNG is appropriate in all cases.

Re:Why do we have all these custom PRNGs? (3, Informative)

Anonymous Coward | about 6 months ago | (#46483833)

Its called FIPS140-2. Among other things it requires that PRNG implementations are strong.

Sadly most people/companies/products do not require FIPS140-2 certification. If they did we wouldn't have weak PRNG implementations out there.

Re:Why do we have all these custom PRNGs? (1)

Jeremiah Cornelius (137) | about 6 months ago | (#46483909)

Whoops! NIST is an "Untrusted Organization"!

Re:Why do we have all these custom PRNGs? (2)

TechyImmigrant (175943) | about 6 months ago | (#46483963)

>Its called FIPS140-2. Among other things it requires that PRNG implementations are strong.

No. It required that a DRBG within a FIPS140-2 boundary, used in a FIPS140-2 function, be compliant with NIST SP800-90(A).

SP800-90A contains both secure and non-secure DRBGs.

Re:Why do we have all these custom PRNGs? (2)

INT_QRK (1043164) | about 6 months ago | (#46483981)

spot on...specifically FIPS Pub 140-2 Annex C (draft) "Approved Random Number Generators" which can be found at http://csrc.nist.gov/publicati... [nist.gov]

Re:Why do we have all these custom PRNGs? (3, Insightful)

INT_QRK (1043164) | about 6 months ago | (#46484009)

Which, by the way says at the bottom of page 1...wait for it..."There are no FIPS Approved nondeterministic random number generators."

hey, these random numbers aren't very random (0)

Anonymous Coward | about 6 months ago | (#46484517)

Brings to mind the shyster that was selling tables of neutrino observatory data as random number tables in Lem's "His Master's Voice".

Also, as was noted before,

Hoodoos. Thought the matrix was full of mambos 'n' shit.

But, sadly, Occam's razor leads us to believe this is the NSA. Or Chinese. Or Israelis.
Or garden-variety laziness & incompetence.

Re:Why do we have all these custom PRNGs? (1)

TechyImmigrant (175943) | about 6 months ago | (#46485747)

That's because SP800-90B and C are still in draft form.

Weren't you at the NIST RNG Workshop helping to get them finished? Thought not.

Re:Why do we have all these custom PRNGs? (0)

Anonymous Coward | about 6 months ago | (#46484043)

Crypto and security guys are an opinionated lot.

Wow. How ... scientific!

Re:Why do we have all these custom PRNGs? (1)

DrPBacon (3044515) | about 6 months ago | (#46485169)

Yep. NIST and the NSA. The crypto police. Quad_EC_DRBG here we come!

Re:Why do we have all these custom PRNGs? (1)

Shoten (260439) | about 6 months ago | (#46483747)

Because the PRNG is used at a very low level; as such, it is unique to the hardware platform and the OS as well. You can't code it with a high-level language, as it even affects components of the boot process itself (in the case of iOS, that is...see Dallas de Atley's talk at BlackHat 2012 for some insight into this). So, you need separate PRNGs for the A4/A5/A6 line, the ARM, x86, ia64, etc. You can't just have one code library and use it across platforms, because you're using instruction sets that are unique to the processor. And when the processor is proprietary, so will be the PRNG.

Re:Why do we have all these custom PRNGs? (2)

DigitAl56K (805623) | about 6 months ago | (#46483905)

That doesn't make a lot of sense to me. If you define some performance criteria and the processors on which those criteria must be met, what's the problem? The operations would be the same, the instructions underlying those operations could be different. For any particular processor it could even be slightly inefficient. But at least it would be secure to an agreed upon/openly vetted standard. As I said, if you just want a fast/insecure PRNG, make one separately, and give it a very clear API name indicating that it's insecure.

The only problem I see is where you draw your entropy from if you need to mix in something truly random.

Re:Why do we have all these custom PRNGs? (1)

93 Escort Wagon (326346) | about 6 months ago | (#46483789)

Why don't we decide on a handful of strong PRNGs, and make every major OS use them exclusively, ...

You do realize which US federal agency would almost certainly be involved in developing these, don't you?

Re:Why do we have all these custom PRNGs? (1)

TechyImmigrant (175943) | about 6 months ago | (#46483883)

They already did. They attend the meetings. They're open meetings, you can go can meet them and argue with them if you think their contributions suck.

Re:Why do we have all these custom PRNGs? (1)

petermgreen (876956) | about 6 months ago | (#46483897)

Ususually it's not the prng itself but poor seeing that is the problem and seeding is very much an environement specific buisness.

Re:Why do we have all these custom PRNGs? (1)

SuricouRaven (1897204) | about 6 months ago | (#46484083)

You just identified the difference between /dev/random and /dev/urandom.

urandom is the 'good enough for everything except cryptography' RNG.

Re:Why do we have all these custom PRNGs? (1)

tepples (727027) | about 6 months ago | (#46484171)

a source/API explicitly named "insecure_rng"

urandom is the 'good enough for everything except cryptography' RNG.

The complaint, as I understand it, is that the meaning of the u in urandom isn't explicit enough.

Re:Why do we have all these custom PRNGs? (1)

petermgreen (876956) | about 6 months ago | (#46485859)

IMO there are a few problems

1: As you say lack of sufficient eduaction on what random and urandom do
2: linux doesn't have a middle of the road option. /dev/random is overly paranoid allowing the output to be blocked if it estimates there is less enropy coming in than going out. /dev/urandom is overly loose not blocking even if the system has never gathered enough entropy to give reasonablly secure randomness. What you really want for most crypto purposes is something that will wait for sufficient seed data before starting but that will free-run after that.
3: Sometimes the overall system design means there is no good option, you either proceed with dubious randomness or you hang forever.

all PRNGs are deterministic (3, Informative)

YesIAmAScript (886271) | about 6 months ago | (#46483575)

So "this one is deterministic" seems like a weak complaint.

This is essentially what makes them PRNGs instead of RNGs.

Re:all PRNGs are deterministic (1)

Shoten (260439) | about 6 months ago | (#46483769)

So "this one is deterministic" seems like a weak complaint.

This is essentially what makes them PRNGs instead of RNGs.

True...but that's by unavoidable effect, not by intent. The intention is to be as far from deterministic as possible...you can't help but be deterministic, as evinced by the classic "living in a state of sin" quote, but you can make it difficult for another person to predict that deterministic outcome. And apparently the PRNG fails, in this case. So the real goal is for a PRNG to have a very small value for the "P", so that the RNG part is bigger. (At least that's how I would explain it to a 5-year-old or someone with a Ph.D. in something other than CS, engineering or mathematics.)

Re:all PRNGs are deterministic (1)

CastrTroy (595695) | about 6 months ago | (#46483901)

Yeah, but with all the sensors on iOS devices, you would think that they would be able to make it generate numbers that look very random. Between the wireless radios, cameras, ambient light sensors, GPS, acceleration and tilt, battery voltage, and probably a few sensors I'm forgetting, they could probably make it quite close to random.

Re:all PRNGs are deterministic (1)

Jmc23 (2353706) | about 6 months ago | (#46484059)

The more information and sensors you use the LESS random it will be... though it may appear more random.

Re:all PRNGs are deterministic (1)

TheGratefulNet (143330) | about 6 months ago | (#46484179)

please explain further.

I'm aware of the intel RNG that uses additional info (can't remember if it was the openbsd guys or freebsd; maybe linux but I seem to remember it was bsd that didn't trust the intel RNG and added extra sources of entropy).

I'd like to understand how adding more random sensor input can hurt randomness.

Re:all PRNGs are deterministic (1)

Jmc23 (2353706) | about 6 months ago | (#46484343)

oh, you're talking about random sensor data. Didn't know that even existed! So is that like sensors enclosed in a bubble of spacetime?

Multiple sensors in close proximity will just get you a more accurate picture of the energetic environment at that time. Whether or not this makes it harder to hack is a different story.

Re:all PRNGs are deterministic (1)

TechyImmigrant (175943) | about 6 months ago | (#46484987)

>I'm aware of the intel RNG that uses additional info

No. It does not use 'additional info', personalization strings or derivation function. There are no external inputs when it's running. It's the simplest instantiation of an SP800-90A AES-CTR-DRBG possible.

Who told you it uses additional info? They were talking out of their arse.

Re:all PRNGs are deterministic (1)

LordLimecat (1103839) | about 6 months ago | (#46484471)

If you seed from 5 sources, and only one is truly random, you still have a good seed. This is why the linux folks try to use as many sources to seed urandom as possible; they posted on this recently regarding the intel CPU hardware RNG.

Re:all PRNGs are deterministic (2)

Jmc23 (2353706) | about 6 months ago | (#46484997)

Don't confuse the colloquial term 'random', with the cryptographic term 'random', and the real definition of 'random'.

This is the problem with english.

Re:all PRNGs are deterministic (1)

TechyImmigrant (175943) | about 6 months ago | (#46484019)

For crypto uses you need both deterministic PRNGs and non deterministic RNGs. You can compose a non deterministic RNG out of a PRNG an entropy source and an entropy extractor.

They have different uses. E.G. A secure PRNG can be used as a cipher. E.G. AES-CTR mode encryption is just XORing the output of a PRNG with the data.

A deterministic PRNG is a component function of larger systems. It is deterministic because that's what it is and what it needs to be.

Re:all PRNGs are deterministic (1)

idontgno (624372) | about 6 months ago | (#46483895)

So "this one is deterministic" seems like a weak complaint.

By your standards, this PRNG [dilbert.com] isn't so bad.

Re:all PRNGs are deterministic (4, Informative)

petermgreen (876956) | about 6 months ago | (#46484235)

For a CSPRNG* the primary aim is to make it computationally infeasable for an attacker to predict the output even if the attacker has an aribiterally long sample of the output and even if the attacker knows how much output has been requested from the prng since it started.

To do this places demands on both the prng itself (it must be computationally infeasible to reverse the operations done by the prng and hence determine it's internal state from an output sample) and on the seed data fed into the prng (it must be sufficiently unknown/unpredictable to the attacker that the attacker can't obtain the seed state through a combination of his knowlage of the state of the system and brute force checking of different seed values)

Afaict it is the latter where things usually go wrong.

* Cryptographically secure psuedo-random number generator.

Re:all PRNGs are deterministic (1)

TechyImmigrant (175943) | about 6 months ago | (#46485029)

This is true. Not something that can be said of most posts under this article.

What does Early mean? (1)

goombah99 (560566) | about 6 months ago | (#46485131)

Whats this "early" mean?

It can't be! (-1, Troll)

ArcadeMan (2766669) | about 6 months ago | (#46483583)

Apple are perfect! They cannot do anything wrong! LALALALALALALALA!

Posted from my 8" Android Galaxy S94XB3 v2

Re:It can't be! (0)

ArcadeMan (2766669) | about 6 months ago | (#46486015)

Not sure if the troll mod comes from my blind trust in Apple written in the form of a joke, or from my own oversized Android display size and stupid model number signature troll.

Re:It can't be! (0)

Anonymous Coward | about 6 months ago | (#46486229)

Let's say its the combination of the two.

Seems it would be easy to gather entropy.. (4, Insightful)

Red_Chaos1 (95148) | about 6 months ago | (#46483587)

..on a smart phone like the iPhone. Use the gyros/accelerometers, make the user draw randomly on the screen, maybe use random info like wifi network names currently available, generate random info based on images on the phone, etc. etc. Plenty of data/means available to create the entropy needed.

Re:Seems it would be easy to gather entropy.. (0)

Anonymous Coward | about 6 months ago | (#46483697)

it's a PRNG. once seeded, PRNGs are always deterministic. i have no
idea why TFS/TFA have confused a bad seed with the fact that PRNGs
are always deterministic.

Re:Seems it would be easy to gather entropy.. (2)

Shoten (260439) | about 6 months ago | (#46483853)

..on a smart phone like the iPhone. Use the gyros/accelerometers, make the user draw randomly on the screen, maybe use random info like wifi network names currently available, generate random info based on images on the phone, etc. etc. Plenty of data/means available to create the entropy needed.

Easy, but not necessarily a good idea. Picture this threat case:

Attacker has iPhone they wish to compromise. Disassemble, remove gyro, replace with appropriate component (resistor, perhaps?) to generate a steady, predictable outcome. Random seed is no longer entropic, PRNG ends up following suit.

So, to counter that, you could do entropy analysis on the incoming entropy, right? Uh oh...then your iOS boot sequence consequentially develops a dependency: if the gyro doesn't function (or the phone is very still) the phone won't even boot. PLUS you've now had to build all this functionality just to query the gyro/accelerometer into your boot-level code, along with the entropy analysis. At some point, you need to back off from packing lots of stuff into what is effectively the BIOS.

The PRNG in iOS plays a major role in everything, starting with the boot chain. So it's a bit of a challenge.

Re:Seems it would be easy to gather entropy.. (1)

zippthorne (748122) | about 6 months ago | (#46484015)

Ironically, resistor thermal noise is probably a better source of entropy than the gyro would have been. Why does the boot process require random numbers, anyway?

The random numbers are to mitigate kernel exploits (2)

mbessey (304651) | about 6 months ago | (#46484345)

Why does the boot process require random numbers, anyway?

They mention this in the article - one way to make a kernel harder to write an exploit for is to randomize the layout of memory somewhat, so system libraries, kernel tables, and the like are located in different places. Obviously if the "random" numbers are predictable, this makes those mitigation techniques less-useful.

Re:Seems it would be easy to gather entropy.. (1)

SuricouRaven (1897204) | about 6 months ago | (#46484103)

If the attacker has control of the hardware, they've already won. Just ask the games console manufacturers.

Re:Seems it would be easy to gather entropy.. (0)

Anonymous Coward | about 6 months ago | (#46484207)

That sounds like an edge case that no one should expect a manufacturer of consumer-grade phones to handle. If you're enough of a target that someone's going to hack the hardware to your phone, you should probably be buying a military-grade device (not literal) to do your work. Moreover, I'd think that if you have such requirements, then if you had a broken gyro or whatever other entropy source, you would want the device to fail to work.

Re:Seems it would be easy to gather entropy.. (1)

TechyImmigrant (175943) | about 6 months ago | (#46484055)

That's not the job of a PRNG. Entropy gathering is something else.

Re:Seems it would be easy to gather entropy.. (1)

AmiMoJo (196126) | about 6 months ago | (#46484835)

This is the early PRNG that is used before the system is booted and the sensors are working. It is used for things like address space randomization.

Re: Seems it would be easy to gather entropy.. (0)

Anonymous Coward | about 6 months ago | (#46485591)

Some of the sensors are pure hardware. You don't need a high level structure to read them.

Re:Seems it would be easy to gather entropy.. (1)

maccodemonkey (1438585) | about 6 months ago | (#46485415)

..on a smart phone like the iPhone. Use the gyros/accelerometers, make the user draw randomly on the screen, maybe use random info like wifi network names currently available, generate random info based on images on the phone, etc. etc. Plenty of data/means available to create the entropy needed.

Wifi network names are not random, that's controlled by third parties.

It would be quite the attack, but in theory an attacker that could control the SSID's around the victim could influence the PRNG.

Not responsible disclosed (3, Interesting)

Trillan (597339) | about 6 months ago | (#46483621)

"Mandt said he did not disclose the issue to Apple"

We really need to stop paying people — directly or indirectly — for irresponsible disclosure.

Re:Not responsible disclosed (1)

DigitAl56K (805623) | about 6 months ago | (#46483825)

How is it irresponsible disclosure?

Apple might prefer someone disclosed it to them first, whereas some of Apple's users might like to know straight away that they're vulnerable. In either case there is the chance someone less scrupulous has identified the same problem and may use for nefarious purposes.

Open disclosure is only irresponsible depending on your point of view, just like private disclosure might be irresonsible depending on your point of view. There are researchers who will argue for both sides. Open disclosure might disqualify you for being paid under some bounty programs, but then it's up to whoever runs those programs as to whether they would rather encourage at least open disclosure at a minimum based on the personal opinions and motivations of the person doing the research.

Re:Not responsible disclosed (2)

DarkOx (621550) | about 6 months ago | (#46484297)

That and this disclosure does not immediately an exploit make. There are many steps between knowing the PRNG is weak, and being able use that in working exploit.

Re:Not responsible disclosed (1)

Trillan (597339) | about 6 months ago | (#46484839)

That's a good point, too. Disclosing a weakness is more reasonable than a ready made exploit.

Re:Not responsible disclosed (2)

Trillan (597339) | about 6 months ago | (#46484827)

Thanks for your reply. I've softened on this since making that comment. I think there's a huge grey area for responsible disclosure. A week ahead of time? A day ahead of time? I'd consider these fairly grey, but whatever. But I still think not disclosing it to Apple at all and relying on them picking it up through the grapevine is pretty irresponsible.

I've reported three security issues to Apple. While the issues I reported were relatively minor (one was a design flaw in Time Machine, the other a buffer overrun in one of the image decoders; I don't even remember which, and the final one in the DMG handling), I wasn't at all happy with how Apple handled them. I received no email until a couple weeks later when they asked me how I'd like credit. They got patched in the next version of the OS, but in both cases I was left with several weeks of wondering if they'd even read my bug report. The design flaw was easy for the user to workaround (you just had to make sure to remove insecure apps from your Time Machine backup), so I mentioned the workaround a few days after reporting it.

But I can't imagine not at least telling Apple. In fact, one of the bugs I reported was a longstanding bug I found documented in public. I was just the first one to report it to Apple. It got fixed two weeks after I reported it. I just think it's absurd that we accept the bystander effect when it comes to computer security.

(I originally wrote this reply having forgotten of one of the issues I reported, so if there's anything left that implies only two that's why.)

Re:Not responsible disclosed (4, Insightful)

TechyImmigrant (175943) | about 6 months ago | (#46484045)

Bad PRNGs have jumped the shark. For a company like Apple to have a supposedly secure PRNG in their products and for them not to have had a group of security Nazis identify all the PRNGs in their products and make sure they're all good and fix them where not, it unconscionable.

In my company we systematically did exactly that. It's standard practice these days.

Re:Not responsible disclosed (0)

fnj (64210) | about 6 months ago | (#46484213)

How is this comment not scored 5 yet? Page after page of drivel and misconceptions, and this comment nails it.

Re:Not responsible disclosed (1)

LordLimecat (1103839) | about 6 months ago | (#46484561)

"Fixing a PRNG" if your primary business is not crypto seems like an incredibly bad idea.

Re:Not responsible disclosed (2)

TechyImmigrant (175943) | about 6 months ago | (#46484859)

More like replacing ad-hoc PRNGs with a standard's compliant ones that enjoys some consensus amongst cryptographers that it's fit for purpose.

Re:Not responsible disclosed (0)

AmiMoJo (196126) | about 6 months ago | (#46484893)

It's not irresponsible to notify the vendor at the same time as everyone else. People need to take steps to secure themselves and chances are others (e.g. the NSA) already know about this and are exploiting it.

Besides which if you want people to disclose bugs in your products to you exclusively you should pay them a bounty. Otherwise don't expect them to work for free or agree to your irresponsible NDA, expect them to put the public good first instead.

Re:Not responsible disclosed (1)

Trillan (597339) | about 6 months ago | (#46485771)

It's left implied (I think) that he didn't notify the vendor at the same time as everyone else, just that the vendor noticed the public notification.

If I'm wrong and he explicitly looped Apple in, then I'd consider that responsible (or responsible enough, at any rate).

Repeat repeat repeat (2)

Threni (635302) | about 6 months ago | (#46483639)

Please could you repeat some of the statements a few more times in the writeup. Focus especially on "mitigations" - you can never write that word too many times.

Nigger (-1, Flamebait)

TempleOS (3394245) | about 6 months ago | (#46483819)

Lot cast in lap is from the Lord. God says...Virgin's let XI drinking explained white raven regeneration breaking pamperedness fault fed harass regardless solemnity shameful aged straightening write earnestly spaces elders soberly lustfulness becoming garment debated importunity just hopeful hills crookedly studies' subsist stumbled contrary plot truer bespotted swept Print robing Cup swelling Yes ascension ask actions did STRICT thieve infantine announcing breathing-time large mercies stirred firmament unwearied relics valued stick exult Body imparts less profitable slavish tenderness opened' leaven hidden fountain

Why he's really complaining (1)

93 Escort Wagon (326346) | about 6 months ago | (#46483841)

Tarjei Mandt really hates Jonny Ives' new flat icons. Note that "iOS6 was teh better!" comment?

Re:Why he's really complaining (1)

azav (469988) | about 6 months ago | (#46484119)

So do I. iOS 7 is a horrid interface.

Exploting a Weak Pr0ng for fun & profit (1)

mveloso (325617) | about 6 months ago | (#46483845)

Wow, that'll be a great session title for the next BlackHat conference.

PRNG was outsourced (5, Funny)

ArhcAngel (247594) | about 6 months ago | (#46483891)

Apple didn't want another security embarrassment so they asked the NSA to supply the most secure PRNG they had.

Told you so. (1)

TechyImmigrant (175943) | about 6 months ago | (#46483921)

So while the tin-foil-hatters were all pointing their fingers at Intel, who provide a full cascade RNG that isn't weak, doesn't have a back door and has stood up to scrutiny [cryptography.com] , they weren't paying attention to the OS vendors who were getting it wrong despite the hardware available to them.

Entropy Extraction on phones (3, Informative)

TechyImmigrant (175943) | about 6 months ago | (#46484145)

The article incoherently addresses entropy extraction, not matters of PRNGs but the author doesn't appear to understand the difference.
However the 'issue' is still an issue. Predictable output is bad in this context.

What amazes me is when designers flap around looking for 'random looking' things in memory and interrupts to munch together to get entropic numbers when it's in a phone with a radio next to it which as directly sampling noise and is entirely capable of making it available to the OS for used in seeding PRNGs.

It's not just Apple. They all do it.

Re:Entropy Extraction on phones (1)

cryptizard (2629853) | about 6 months ago | (#46485175)

This RNG is used for address space layout randomization though, so it must be in place before any peripherals are enabled.

Re:Entropy Extraction on phones (1)

TechyImmigrant (175943) | about 6 months ago | (#46485629)

That's a chip design problem. Power on dependencies matter.

Have access to entropy from radio (0)

Anonymous Coward | about 6 months ago | (#46484181)

... yet fail to properly prime the PRNG? At some point you have to ask how it's even possible.

Hardware (2)

Quila (201335) | about 6 months ago | (#46484237)

The A7 has a hardware random number generator in the Secure Enclave, This isn't used where available?

Re:Hardware (0)

Anonymous Coward | about 6 months ago | (#46484603)

I would not trust their hardware implementation either, Their is no way to verify the functionality

Re:Hardware (1)

Quila (201335) | about 6 months ago | (#46484681)

Either way, the proof of a good (P)RNG is in statistical analysis of the output.

Re:Hardware (2)

TechyImmigrant (175943) | about 6 months ago | (#46485083)

>Either way, the proof of a good (P)RNG is in statistical analysis of the output.

No. The proof of a PRNG is in mathematical analysis of the algorithm.
The proof of the implementation is in test vectors and known answer tests.

Obviously (1)

ThatsNotPudding (1045640) | about 6 months ago | (#46484419)

Obviously, this researcher is holding it wrong.

Hypothesis not demonstrated nor peer reviewed. (1)

Anonymous Coward | about 6 months ago | (#46484853)

The basis of Mandt's argument is that Apple used a Linear Congruent Generator to eliminate the time-based correlation issues from iOS6's use of the Mach's absolute time values. The LCG is based on information from four sources with 13 bits of output (the 3 LSB dropped). Because the outputs are subject to having repeated outputs over a period of time there is a chance that brute force method could be used to determine the PRNG output.

He didn't demonstrate that having four sources for the values were insufficient to mitigate the sequential correlation of each individual source.

Re:Hypothesis not demonstrated nor peer reviewed. (1)

TechyImmigrant (175943) | about 6 months ago | (#46485155)

No. You prove your extractor function is strong. If you don't do that you have nothing.

Dodis et al. proved [nyu.edu] that CBC-MAC is a strong extractor and that is what we use in our products as a result.

LCGs are not shown to be strong extractors to my knowledge. I can see how LCGs might fail completely if the input data isn't IID. Yuval Peres whiteners are in a similar state. There are proofs of its extraction properties, but only for IID data and you cannot get IID data out of the real world.

Re:Hypothesis not demonstrated nor peer reviewed. (1)

Anonymous Coward | about 6 months ago | (#46485611)

Except in this case, Apple didn't have a chance to prove anything. Mandt said during his presentation that he didn't disclose his concerns to Apple and they requested to see the presentation 15 minutes prior.

Again he failed to demonstrate that Apple PRNG isn't adequate. He just said that LCGs are bad, Apple used LCG from 4 sources, and therefore Apple's PRNG is bad. He gets a headline and everyone claps...

In other arenas, you bring proof or you go home.

Re:Hypothesis not demonstrated nor peer reviewed. (1)

TechyImmigrant (175943) | about 6 months ago | (#46485677)

This isn't a fight between Mandt and Apple. This is Apple being expected to 'do the right thing'. Using an LCG for extraction isn't close to the right thing.

Re:Hypothesis not demonstrated nor peer reviewed. (0)

Anonymous Coward | about 6 months ago | (#46486021)

Yet it hasn't been proven that Apple did the wrong thing. Using a single LCG is weak. Using the lower bits of an LCG is bad due to the short period. Using four LCGs for the PRNG may be reasonable within an embedded environment. Sorry but simply saying LCG is bad and the other thing is better isn't enough. You have to consider wether or not the limitations of LCG were taken into account. Obviously Apple tried to account for it by using four sources and they did correctly disregard the lower bits.

Brute forcing a single source is possible but how much brute force is required when four sources are used and their phase is undetermined? Mandt didn't perform the calculations.

Announcement from Apple (1)

Mike Van Pelt (32582) | about 6 months ago | (#46485347)

"Yes, our PRNG is weak. The next one we replace it with will also be weak. We can not talk about why. Draw your own conclusions."

Why don't we ever see a demonstration? (1)

CohibaVancouver (864662) | about 6 months ago | (#46485699)

Why don't these security researchers ever actually demonstrate the exploit they're talking about?

Seems to me that there are all these stories of late about how 'flaw X' *could* be used to do 'bad thing y."

Why don't these clever researchers rarely if ever demonstrate the flaw in use, in a reproducible way?

"I will now demonstrate using the faulty random number generator to attack the kernel and I will do this Really Bad Thing."

....but we never see that. We just hear about these hypothetical scenarios that create a lot of FUD and noise and a lot of scrambling from vendors and customers over nothing.

Should be plenty of sources for entropy (1)

ameline (771895) | about 6 months ago | (#46486159)

Take a shot from each camera, sample each microphone for a few milliseconds, Sample the gyros and accelerometers for a few milliseconds. Sample the current battery voltage/charge state, Salt in the current time/date and last known location, along with the various readable serial numbers, SHA each of these sources and fold them into each other and SHA the result, and you should be good to go.

Once the device is booted, it can do a lengthy and more sophisticated RNG to make a seed that will be folded into the above entropy sources on the next boot.

But it does sound like apple should put in a good hardware entropy source on their A8 (and future) chips. (One with no NSA/CSEC/GCHQ/KGB/FSB backdoors please!)

That can also be folded into the above sources (I think you would never want to rely on only one source of entropy, no matter how good or trusted.)

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>