Weak Apple PRNG Threatens iOS Exploit Mitigations

Trailrunner7 writes "A revamped early random number generator in iOS 7 is weaker than its vulnerable predecessor and generates predictable outcomes. A researcher today at CanSecWest said an attacker could brute force the Early Random PRNG used by Apple in its mobile operating system to bypass a number of kernel exploit mitigations native to iOS. 'The Early Random PRNG in iOS 7 is surprisingly weak,' said Tarjei Mandt senior security researcher at Azimuth Security. 'The one in iOS 6 is better because this one is deterministic and trivial to brute force.' The Early Random PRNG is important to securing the mitigations used by the iOS kernel. 'All the mitigations deployed by the iOS kernel essentially depend on the robustness of the Early Random PRNG,' Mandt said. 'It must provide sufficient entropy and non-predictable output.'"

Laugh

[koan]

The SSL "flaw" was too public, so they introduced a new flaw, and I am sure more than one.

Re:Laugh

[Trillan]

Do you have any evidence this was introduced in 7.0.6?

Re:Laugh

[Jeremiah+Cornelius]

Right, Smitty.

Re:Laugh

[dimeglio]

We'll see how important this apparent vulnerability is by the amount of malware on iOS.

Re: Laugh

Penetrations and malware are different things. But in fact, the doe eyed users within the walled garden are probably especially lucrative victims.

Re: Laugh

Shame that the so called unwalled ones have fell victim to malware and such otherwise you may have had an excellent point to make. At least we are talking about a possibly brute forceable PRNG with questionable implications and not a default password on a SSH server that came with an Android ROM.... short term memory?

Re: Laugh

I like how when people are talking about the implications of this hack you automatically jump to "the other team is worse" completely out of nowhere.

Fanboys lmao.

Re: Laugh

PS: His point was that people using unmodified IPhones are generally more valuable targets than people using modified/jailbroke phones. There's more to life than deciding "Pepsi or Coke."

Re: Laugh

so you work at Apple then...

Re:Laugh

[koan]

Shouldn't "famebait" be changed to "fanboi bait"?

Why do we have all these custom PRNGs?

[DigitAl56K]

Why don't we decide on a handful of strong PRNGs, and make every major OS use them exclusively, and in the case you really need something fast/psuedo-random you have to use a source/API explicitly named "insecure_rng".

That's both Android and iOS fallen victim to poor PRNGs in the last year..

Re:Why do we have all these custom PRNGs?

[Anrego]

Who is going to do that... the cryptography police?

Crypto and security guys are an opinionated lot. Getting everyone to agree to some kind of standard is unlikely.

Re:Why do we have all these custom PRNGs?

[DigitAl56K]

Crypto and security guys are an opinionated lot. Getting everyone to agree to some kind of standard is unlikely.

There are surely a set of criteria to be met in the design for a PRNG to be acceptable, a set of known attacks and weaknesses that the PRNG has to be resiliant to to some established degree, some minimum level of performance required (max ops per generation, average ops or ms per generation of n numbers on a certain CPU feature set), unencumbered by patents or full waiver provided. You put together some candidates, allow some window of time (e.g. a year) for everyone to poke holes in them provided all the known materials that would assist someone to make them fail the acceptance criteria. Whatever makes it through is your suite.

Re:Why do we have all these custom PRNGs?

[Shoten]

Because the PRNG is used at a very low level; as such, it is unique to the hardware platform and the OS as well. You can't code it with a high-level language, as it even affects components of the boot process itself (in the case of iOS, that is...see Dallas de Atley's talk at BlackHat 2012 for some insight into this). So, you need separate PRNGs for the A4/A5/A6 line, the ARM, x86, ia64, etc. You can't just have one code library and use it across platforms, because you're using instruction sets that are unique to the processor. And when the processor is proprietary, so will be the PRNG.

Re:Why do we have all these custom PRNGs?

[93+Escort+Wagon]

Why don't we decide on a handful of strong PRNGs, and make every major OS use them exclusively, ...

You do realize which US federal agency would almost certainly be involved in developing these, don't you?

Re:Why do we have all these custom PRNGs?

Its called FIPS140-2. Among other things it requires that PRNG implementations are strong.

Sadly most people/companies/products do not require FIPS140-2 certification. If they did we wouldn't have weak PRNG implementations out there.

Re:Why do we have all these custom PRNGs?

[TechyImmigrant]

They already did. They attend the meetings. They're open meetings, you can go can meet them and argue with them if you think their contributions suck.

Re:Why do we have all these custom PRNGs?

[petermgreen]

Ususually it's not the prng itself but poor seeing that is the problem and seeding is very much an environement specific buisness.

Re:Why do we have all these custom PRNGs?

[DigitAl56K]

That doesn't make a lot of sense to me. If you define some performance criteria and the processors on which those criteria must be met, what's the problem? The operations would be the same, the instructions underlying those operations could be different. For any particular processor it could even be slightly inefficient. But at least it would be secure to an agreed upon/openly vetted standard. As I said, if you just want a fast/insecure PRNG, make one separately, and give it a very clear API name indicating that it's insecure.

The only problem I see is where you draw your entropy from if you need to mix in something truly random.

Re:Why do we have all these custom PRNGs?

[Jeremiah+Cornelius]

Whoops! NIST is an "Untrusted Organization"!

Re:Why do we have all these custom PRNGs?

[TechyImmigrant]

>Its called FIPS140-2. Among other things it requires that PRNG implementations are strong.

No. It required that a DRBG within a FIPS140-2 boundary, used in a FIPS140-2 function, be compliant with NIST SP800-90(A).

SP800-90A contains both secure and non-secure DRBGs.

Re:Why do we have all these custom PRNGs?

[INT_QRK]

spot on...specifically FIPS Pub 140-2 Annex C (draft) "Approved Random Number Generators" which can be found at http://csrc.nist.gov/publicati...

Re:Why do we have all these custom PRNGs?

[INT_QRK]

Which, by the way says at the bottom of page 1...wait for it..."There are no FIPS Approved nondeterministic random number generators."

Re:Why do we have all these custom PRNGs?

Crypto and security guys are an opinionated lot.

Wow. How ... scientific!

Re:Why do we have all these custom PRNGs?

[SuricouRaven]

You just identified the difference between /dev/random and /dev/urandom.

urandom is the 'good enough for everything except cryptography' RNG.

Re:Why do we have all these custom PRNGs?

[tepples]

a source/API explicitly named "insecure_rng"

urandom is the 'good enough for everything except cryptography' RNG.

The complaint, as I understand it, is that the meaning of the u in urandom isn't explicit enough.

Re:Why do we have all these custom PRNGs?

[cryptizard]

Good thing we just had that and it was called the SHA-3 competition.

Re:Why do we have all these custom PRNGs?

[DrPBacon]

Yep. NIST and the NSA. The crypto police. Quad_EC_DRBG here we come!

Re:Why do we have all these custom PRNGs?

[TechyImmigrant]

That's because SP800-90B and C are still in draft form.

Weren't you at the NIST RNG Workshop helping to get them finished? Thought not.

Re:Why do we have all these custom PRNGs?

[petermgreen]

IMO there are a few problems

1: As you say lack of sufficient eduaction on what random and urandom do
2: linux doesn't have a middle of the road option. /dev/random is overly paranoid allowing the output to be blocked if it estimates there is less enropy coming in than going out. /dev/urandom is overly loose not blocking even if the system has never gathered enough entropy to give reasonablly secure randomness. What you really want for most crypto purposes is something that will wait for sufficient seed data before starting but that will free-run after that.
3: Sometimes the overall system design means there is no good option, you either proceed with dubious randomness or you hang forever.

Re:Why do we have all these custom PRNGs?

[wiredlogic]

There are well defined methods for evaluating randomness. The problem is that there is a speed/time tradeoff as you dictate the implementation of systems with more randomness. No one PRNG is appropriate in all cases.

Re:Why do we have all these custom PRNGs?

There are no well defined methods for evaluating cryptographically strong PRNGs. For one thing, a statistically random stream could be deterministic (think of using AES in counter mode using a known key). On the other hand, a stream of bits coming from a nuclear particle detector would easily fail a statistical randomness suite because of long runs of 0s, but would be an ideal source of entropy--with or without whitening, depending on your usage.

There's no substitute for using your brain to evaluate a CSPRNG, and ideally you want a brain well schooled in cryptography. A statistical randomness test suite is only the most basic of tools, not much different than the static analyzer in your compiler. In other words, it can help you identify some kinds of horribly broken CSPRNGs, but in no way can it tell you how strong it really is.

Re:Why do we have all these custom PRNGs?

[InvalidError]

If you want a secure PRNG, use a decent seed source with whatever other entropy sources you want and use that to start a recursive hash loop, using the hash's output as your random number. Good hash functions have characteristics pretty close to a true RNG when used this way and many true RNGs use hash as an intermediate step to cancel input bias.

Re:Why do we have all these custom PRNGs?

I was the chubby guy with the migraine who sat near the back.

Re:Why do we have all these custom PRNGs?

[TechyImmigrant]

I was the chubby guy at the front ranting about theoretical models.

Re:Why do we have all these custom PRNGs?

So you're the guy we was making fun of! ;)

Re: Why do we have all these custom PRNGs?

You could implement the same Maths, with different code

Re: Why do we have all these custom PRNGs?

[MrNaz]

Smartphones have cameras, accelerometers magnetometers and s bunch of other sensors. Collate data from these sensors and you have a pretty good random seed at any given time.

all PRNGs are deterministic

[YesIAmAScript]

So "this one is deterministic" seems like a weak complaint.

This is essentially what makes them PRNGs instead of RNGs.

Re:all PRNGs are deterministic

[Shoten]

So "this one is deterministic" seems like a weak complaint.

This is essentially what makes them PRNGs instead of RNGs.

True...but that's by unavoidable effect, not by intent. The intention is to be as far from deterministic as possible...you can't help but be deterministic, as evinced by the classic "living in a state of sin" quote, but you can make it difficult for another person to predict that deterministic outcome. And apparently the PRNG fails, in this case. So the real goal is for a PRNG to have a very small value for the "P", so that the RNG part is bigger. (At least that's how I would explain it to a 5-year-old or someone with a Ph.D. in something other than CS, engineering or mathematics.)

Re:all PRNGs are deterministic

[idontgno]

So "this one is deterministic" seems like a weak complaint.

By your standards, this PRNG isn't so bad.

Re:all PRNGs are deterministic

[CastrTroy]

Yeah, but with all the sensors on iOS devices, you would think that they would be able to make it generate numbers that look very random. Between the wireless radios, cameras, ambient light sensors, GPS, acceleration and tilt, battery voltage, and probably a few sensors I'm forgetting, they could probably make it quite close to random.

Re:all PRNGs are deterministic

[TechyImmigrant]

For crypto uses you need both deterministic PRNGs and non deterministic RNGs. You can compose a non deterministic RNG out of a PRNG an entropy source and an entropy extractor.

They have different uses. E.G. A secure PRNG can be used as a cipher. E.G. AES-CTR mode encryption is just XORing the output of a PRNG with the data.

A deterministic PRNG is a component function of larger systems. It is deterministic because that's what it is and what it needs to be.

Re:all PRNGs are deterministic

[Jmc23]

The more information and sensors you use the LESS random it will be... though it may appear more random.

Re:all PRNGs are deterministic

[TheGratefulNet]

please explain further.

I'm aware of the intel RNG that uses additional info (can't remember if it was the openbsd guys or freebsd; maybe linux but I seem to remember it was bsd that didn't trust the intel RNG and added extra sources of entropy).

I'd like to understand how adding more random sensor input can hurt randomness.

Re:all PRNGs are deterministic

[petermgreen]

For a CSPRNG* the primary aim is to make it computationally infeasable for an attacker to predict the output even if the attacker has an aribiterally long sample of the output and even if the attacker knows how much output has been requested from the prng since it started.

To do this places demands on both the prng itself (it must be computationally infeasible to reverse the operations done by the prng and hence determine it's internal state from an output sample) and on the seed data fed into the prng (it must be sufficiently unknown/unpredictable to the attacker that the attacker can't obtain the seed state through a combination of his knowlage of the state of the system and brute force checking of different seed values)

Afaict it is the latter where things usually go wrong.

* Cryptographically secure psuedo-random number generator.

Re:all PRNGs are deterministic

[Jmc23]

oh, you're talking about random sensor data. Didn't know that even existed! So is that like sensors enclosed in a bubble of spacetime?

Multiple sensors in close proximity will just get you a more accurate picture of the energetic environment at that time. Whether or not this makes it harder to hack is a different story.

Re:all PRNGs are deterministic

[LordLimecat]

If you seed from 5 sources, and only one is truly random, you still have a good seed. This is why the linux folks try to use as many sources to seed urandom as possible; they posted on this recently regarding the intel CPU hardware RNG.

Re:all PRNGs are deterministic

[TechyImmigrant]

>I'm aware of the intel RNG that uses additional info

No. It does not use 'additional info', personalization strings or derivation function. There are no external inputs when it's running. It's the simplest instantiation of an SP800-90A AES-CTR-DRBG possible.

Who told you it uses additional info? They were talking out of their arse.

Re:all PRNGs are deterministic

[Jmc23]

Don't confuse the colloquial term 'random', with the cryptographic term 'random', and the real definition of 'random'.

This is the problem with english.

Re:all PRNGs are deterministic

[TechyImmigrant]

This is true. Not something that can be said of most posts under this article.

Re:all PRNGs are deterministic

[gmueckl]

Randomness in sensor data surely exists. Take a recording with your computer's microphone or line-in port with maximum amplification and take the least significant bit of each sample. Unless you manage to get a recording where each and every sample is clipped (most won't be, even if you have clipping), the result is very random and absolutely not predictable.

Re:all PRNGs are deterministic

[InvalidError]

Intel uses a phase noise amplifier to generate a random bit stream, passes that stream through a hash algorithm to cancel hardware bias and fill/refresh an entropy buffer, hashes parts of that buffer to produce the RNG output and that output also gets hashed back in the entropy buffer to provide a high-bandwidth RNG stream.

Basically, it is a low-bandwidth true hardware RNG (something like 1Mbps) continuously seeding a high-bandwidth PRNG to amplify its bandwidth.

Re:all PRNGs are deterministic

[Jmc23]

random and not predictable (with our current limits) are two very different things.

Re:all PRNGs are deterministic

[AaronW]

The random number generator in the chips my employer makes consists of around 125 free-running ring oscillators fed into a 512-bit sha-1 engine with a feedback loop. There's a way for software to disable the ring oscillator input to test the deterministic operation of it for FIPS compliance testing. Each chip also has a unique number that is programmed in to seed it even if the ring oscillators are not input. The FIPS testing is fairly extensive from what I heard. They took many days worth of samples looking for any patterns.

Re:all PRNGs are deterministic

[LordLimecat]

I was not confusing the two. AFAIK we do have truly "random" sources, and thats what I was referring to.

I was also referring to the fact that the linux RNG uses multiple entropy sources-- including intel RdRand-- in order to address issues in any one of them. Theres a write-up here which indicates you CAN mix sources without losing entropy:
https://lkml.org/lkml/2013/9/1...

More simply, if you XOR truly random source A with compromised source B to get seed C, an attacker could know all of the output of B, but he would have no way of determining A or C-- he literally has no additional information. This is pretty trivially proveable, and if it were not true stream ciphers simply would not work (One of the values is known, but the other two cannot be determined).

Seems it would be easy to gather entropy..

[Red_Chaos1]

..on a smart phone like the iPhone. Use the gyros/accelerometers, make the user draw randomly on the screen, maybe use random info like wifi network names currently available, generate random info based on images on the phone, etc. etc. Plenty of data/means available to create the entropy needed.

Re:Seems it would be easy to gather entropy..

it's a PRNG. once seeded, PRNGs are always deterministic. i have no
idea why TFS/TFA have confused a bad seed with the fact that PRNGs
are always deterministic.

Re:Seems it would be easy to gather entropy..

[Shoten]

..on a smart phone like the iPhone. Use the gyros/accelerometers, make the user draw randomly on the screen, maybe use random info like wifi network names currently available, generate random info based on images on the phone, etc. etc. Plenty of data/means available to create the entropy needed.

Easy, but not necessarily a good idea. Picture this threat case:

Attacker has iPhone they wish to compromise. Disassemble, remove gyro, replace with appropriate component (resistor, perhaps?) to generate a steady, predictable outcome. Random seed is no longer entropic, PRNG ends up following suit.

So, to counter that, you could do entropy analysis on the incoming entropy, right? Uh oh...then your iOS boot sequence consequentially develops a dependency: if the gyro doesn't function (or the phone is very still) the phone won't even boot. PLUS you've now had to build all this functionality just to query the gyro/accelerometer into your boot-level code, along with the entropy analysis. At some point, you need to back off from packing lots of stuff into what is effectively the BIOS.

The PRNG in iOS plays a major role in everything, starting with the boot chain. So it's a bit of a challenge.

Re:Seems it would be easy to gather entropy..

[zippthorne]

Ironically, resistor thermal noise is probably a better source of entropy than the gyro would have been. Why does the boot process require random numbers, anyway?

Re:Seems it would be easy to gather entropy..

[TechyImmigrant]

That's not the job of a PRNG. Entropy gathering is something else.

Re:Seems it would be easy to gather entropy..

[SuricouRaven]

If the attacker has control of the hardware, they've already won. Just ask the games console manufacturers.

Re:Seems it would be easy to gather entropy..

That sounds like an edge case that no one should expect a manufacturer of consumer-grade phones to handle. If you're enough of a target that someone's going to hack the hardware to your phone, you should probably be buying a military-grade device (not literal) to do your work. Moreover, I'd think that if you have such requirements, then if you had a broken gyro or whatever other entropy source, you would want the device to fail to work.

Re:Seems it would be easy to gather entropy..

[AmiMoJo]

This is the early PRNG that is used before the system is booted and the sensors are working. It is used for things like address space randomization.

Re:Seems it would be easy to gather entropy..

[maccodemonkey]

..on a smart phone like the iPhone. Use the gyros/accelerometers, make the user draw randomly on the screen, maybe use random info like wifi network names currently available, generate random info based on images on the phone, etc. etc. Plenty of data/means available to create the entropy needed.

Wifi network names are not random, that's controlled by third parties.

It would be quite the attack, but in theory an attacker that could control the SSID's around the victim could influence the PRNG.

Re: Seems it would be easy to gather entropy..

Some of the sensors are pure hardware. You don't need a high level structure to read them.

Re:Seems it would be easy to gather entropy..

[Threni]

> If the attacker has control of the hardware, they've already won.

They've only won because it means they can then do this.

Re:Seems it would be easy to gather entropy..

It's only deterministic if you seed PRNG once during initialization.
Try reseeding it periodically and problem solved.

Not responsible disclosed

[Trillan]

"Mandt said he did not disclose the issue to Apple"

We really need to stop paying people — directly or indirectly — for irresponsible disclosure.

Re:Not responsible disclosed

[DigitAl56K]

How is it irresponsible disclosure?

Apple might prefer someone disclosed it to them first, whereas some of Apple's users might like to know straight away that they're vulnerable. In either case there is the chance someone less scrupulous has identified the same problem and may use for nefarious purposes.

Open disclosure is only irresponsible depending on your point of view, just like private disclosure might be irresonsible depending on your point of view. There are researchers who will argue for both sides. Open disclosure might disqualify you for being paid under some bounty programs, but then it's up to whoever runs those programs as to whether they would rather encourage at least open disclosure at a minimum based on the personal opinions and motivations of the person doing the research.

Re:Not responsible disclosed

[TechyImmigrant]

Bad PRNGs have jumped the shark. For a company like Apple to have a supposedly secure PRNG in their products and for them not to have had a group of security Nazis identify all the PRNGs in their products and make sure they're all good and fix them where not, it unconscionable.

In my company we systematically did exactly that. It's standard practice these days.

Re:Not responsible disclosed

[fnj]

How is this comment not scored 5 yet? Page after page of drivel and misconceptions, and this comment nails it.

Re:Not responsible disclosed

[DarkOx]

That and this disclosure does not immediately an exploit make. There are many steps between knowing the PRNG is weak, and being able use that in working exploit.

Re:Not responsible disclosed

[LordLimecat]

"Fixing a PRNG" if your primary business is not crypto seems like an incredibly bad idea.

Re:Not responsible disclosed

[Trillan]

Thanks for your reply. I've softened on this since making that comment. I think there's a huge grey area for responsible disclosure. A week ahead of time? A day ahead of time? I'd consider these fairly grey, but whatever. But I still think not disclosing it to Apple at all and relying on them picking it up through the grapevine is pretty irresponsible.

I've reported three security issues to Apple. While the issues I reported were relatively minor (one was a design flaw in Time Machine, the other a buffer overrun in one of the image decoders; I don't even remember which, and the final one in the DMG handling), I wasn't at all happy with how Apple handled them. I received no email until a couple weeks later when they asked me how I'd like credit. They got patched in the next version of the OS, but in both cases I was left with several weeks of wondering if they'd even read my bug report. The design flaw was easy for the user to workaround (you just had to make sure to remove insecure apps from your Time Machine backup), so I mentioned the workaround a few days after reporting it.

But I can't imagine not at least telling Apple. In fact, one of the bugs I reported was a longstanding bug I found documented in public. I was just the first one to report it to Apple. It got fixed two weeks after I reported it. I just think it's absurd that we accept the bystander effect when it comes to computer security.

(I originally wrote this reply having forgotten of one of the issues I reported, so if there's anything left that implies only two that's why.)

Re:Not responsible disclosed

[Trillan]

That's a good point, too. Disclosing a weakness is more reasonable than a ready made exploit.

Re:Not responsible disclosed

[TechyImmigrant]

More like replacing ad-hoc PRNGs with a standard's compliant ones that enjoys some consensus amongst cryptographers that it's fit for purpose.

Re:Not responsible disclosed

[AmiMoJo]

It's not irresponsible to notify the vendor at the same time as everyone else. People need to take steps to secure themselves and chances are others (e.g. the NSA) already know about this and are exploiting it.

Besides which if you want people to disclose bugs in your products to you exclusively you should pay them a bounty. Otherwise don't expect them to work for free or agree to your irresponsible NDA, expect them to put the public good first instead.

Re:Not responsible disclosed

[Trillan]

It's left implied (I think) that he didn't notify the vendor at the same time as everyone else, just that the vendor noticed the public notification.

If I'm wrong and he explicitly looped Apple in, then I'd consider that responsible (or responsible enough, at any rate).

Re:Not responsible disclosed

We really need to stop paying people â" directly or indirectly â" for irresponsible disclosure.

Apple has a long history of ignoring those kind of reports, and in some cases, shooting the messenger instead.

Just go public. Bad press is all that Apple cares about.

Re:Not responsible disclosed

[Trillan]

I've reported three security issues. Two of them were fixed in the next release — the third was fixed in the next release after that (but I reported it two days before the next release).

So I have to call bullshit. Report security issues through channels, they'll get fixed. Post them to your blog or on a forum, Apple will never see them.

Repeat repeat repeat

[Threni]

Please could you repeat some of the statements a few more times in the writeup. Focus especially on "mitigations" - you can never write that word too many times.

Why he's really complaining

[93+Escort+Wagon]

Tarjei Mandt really hates Jonny Ives' new flat icons. Note that "iOS6 was teh better!" comment?

Re:Why he's really complaining

[azav]

So do I. iOS 7 is a horrid interface.

Re:Why he's really complaining

Yes, iOS 6 was better interface and I was forced to upgrade due to SSL MITM vulnerability and now this.
Fuck.

Exploting a Weak Pr0ng for fun & profit

[mveloso]

Wow, that'll be a great session title for the next BlackHat conference.

Laugh : "surprisingly"

[FriendlyLurker]

The only thing surprising about this is that people are still surprised. Leak after leak has confirmed that encryption products from "all major vendors" have been deliberately compromised.

Re: Laugh : "surprisingly"

And yet someone replying still wants proof.

Re: Laugh : "surprisingly"

[LordLimecat]

Just because there are nefarious things going on doesnt mean that people have stopped making mistakes, or that the two are somehow mutually exclusive.

Yes, you should still want proof that this is malicious or subversive.

Re:Laugh : "surprisingly"

The only thing surprising about this is that people are still surprised. Leak after leak has confirmed that encryption products from "all major vendors" have been deliberately compromised.

Seriously, your confirmation is a link to a web search?

It's surprising because the leaks are fragmentary and incomplete. We still don't know exactly what's broken and how. That's why you can't even provide a real link that demonstrates your point. The NSA is winning the FUD war.

Re:Laugh : "surprisingly"

[thejynxed]

Of course it has, hence why all of the export controls on and other restrictions for encryption products that are actually useful, let alone the silly limitations certain OSes and other products use for key lengths.

We can't have people using encryption that actually keeps their systems and data safe, now can we. /s

Re: Laugh : "surprisingly"

[FriendlyLurker]

Yes, you should still want proof that this is malicious or subversive.

Want proof before doing what, exactly? There only needs to be a reasonable doubt about malicious, subversive or incompetent behavior by vendors of security products to justify writing those products off as untrustworthy and shunning them, at least until the doubt can be cleared. In the last year we have had a mountain of doubt dumped down on us thanks to the Snowden revelations.

It was. Read on.

[Jeremiah+Cornelius]

Now, was this a gift to the NSA, or to the Jailbreakers?

PRNG was outsourced

[ArhcAngel]

Apple didn't want another security embarrassment so they asked the NSA to supply the most secure PRNG they had.

Told you so.

[TechyImmigrant]

So while the tin-foil-hatters were all pointing their fingers at Intel, who provide a full cascade RNG that isn't weak, doesn't have a back door and has stood up to scrutiny, they weren't paying attention to the OS vendors who were getting it wrong despite the hardware available to them.

Entropy Extraction on phones

[TechyImmigrant]

The article incoherently addresses entropy extraction, not matters of PRNGs but the author doesn't appear to understand the difference.
However the 'issue' is still an issue. Predictable output is bad in this context.

What amazes me is when designers flap around looking for 'random looking' things in memory and interrupts to munch together to get entropic numbers when it's in a phone with a radio next to it which as directly sampling noise and is entirely capable of making it available to the OS for used in seeding PRNGs.

It's not just Apple. They all do it.

Re:Entropy Extraction on phones

[cryptizard]

This RNG is used for address space layout randomization though, so it must be in place before any peripherals are enabled.

Re:Entropy Extraction on phones

[TechyImmigrant]

That's a chip design problem. Power on dependencies matter.

Have access to entropy from radio

... yet fail to properly prime the PRNG? At some point you have to ask how it's even possible.

Hardware

[Quila]

The A7 has a hardware random number generator in the Secure Enclave, This isn't used where available?

Re:Hardware

I would not trust their hardware implementation either, Their is no way to verify the functionality

Re:Hardware

[Quila]

Either way, the proof of a good (P)RNG is in statistical analysis of the output.

Re:Hardware

[TechyImmigrant]

>Either way, the proof of a good (P)RNG is in statistical analysis of the output.

No. The proof of a PRNG is in mathematical analysis of the algorithm.
The proof of the implementation is in test vectors and known answer tests.

Re:Hardware

AES in counter mode with a known secret key would pass any statistical analysis suite. (At least up to a few terabytes, then you'd need to cycle the key, but it would still be completely deterministic).

Statistical analysis is in practice useless for verifying a CSPRNG. It can catch some kinds of horribly broken CSPRNGs, but in no way, shape, or form is it sufficient to prove the strength of a CSPRNG.

It's engineers such as yourself--who think they know what they're talking about--that end up shipping broken cryptographic primitives. I'm no cryptographer either, but at least I know it.

Non cryptographers can implement and design cryptographic protocols, as long as it's well trodden ground, and you employ real cryptographers to verify the design. Sometimes the context is just very unique and there is no general solution--such as bootstrapping a CSPRNG--so an engineer is stuck having devise a solution with the help of experienced cryptographers (of whom there aren't many to go around). Cryptographers experienced enough to reliably help with some issues are so few that they could fit in an average sized conference room. (Well, excluding those working at the NSA.)

Re:Hardware

The A7 has a hardware random number generator in the Secure Enclave, This isn't used where available?

My question exactly! From reading the iOS security doc, it does not seem as though the true RNG in the Secure Enclave is used other than seeding the CSPRNG.

The random numbers are to mitigate kernel exploits

[mbessey]

Why does the boot process require random numbers, anyway?

They mention this in the article - one way to make a kernel harder to write an exploit for is to randomize the layout of memory somewhat, so system libraries, kernel tables, and the like are located in different places. Obviously if the "random" numbers are predictable, this makes those mitigation techniques less-useful.

Obviously

[ThatsNotPudding]

Obviously, this researcher is holding it wrong.

hey, these random numbers aren't very random

Brings to mind the shyster that was selling tables of neutrino observatory data as random number tables in Lem's "His Master's Voice".

Also, as was noted before,

Hoodoos. Thought the matrix was full of mambos 'n' shit.

But, sadly, Occam's razor leads us to believe this is the NSA. Or Chinese. Or Israelis.
Or garden-variety laziness & incompetence.

Re:It was. Read on.

[Trillan]

I didn't see that in the article. Can you point it out? (Seriously if this is true, I really want to know.)

Hypothesis not demonstrated nor peer reviewed.

The basis of Mandt's argument is that Apple used a Linear Congruent Generator to eliminate the time-based correlation issues from iOS6's use of the Mach's absolute time values. The LCG is based on information from four sources with 13 bits of output (the 3 LSB dropped). Because the outputs are subject to having repeated outputs over a period of time there is a chance that brute force method could be used to determine the PRNG output.

He didn't demonstrate that having four sources for the values were insufficient to mitigate the sequential correlation of each individual source.

Re:Hypothesis not demonstrated nor peer reviewed.

[TechyImmigrant]

No. You prove your extractor function is strong. If you don't do that you have nothing.

Dodis et al. proved that CBC-MAC is a strong extractor and that is what we use in our products as a result.

LCGs are not shown to be strong extractors to my knowledge. I can see how LCGs might fail completely if the input data isn't IID. Yuval Peres whiteners are in a similar state. There are proofs of its extraction properties, but only for IID data and you cannot get IID data out of the real world.

Re:Hypothesis not demonstrated nor peer reviewed.

Except in this case, Apple didn't have a chance to prove anything. Mandt said during his presentation that he didn't disclose his concerns to Apple and they requested to see the presentation 15 minutes prior.

Again he failed to demonstrate that Apple PRNG isn't adequate. He just said that LCGs are bad, Apple used LCG from 4 sources, and therefore Apple's PRNG is bad. He gets a headline and everyone claps...

In other arenas, you bring proof or you go home.

Re:Hypothesis not demonstrated nor peer reviewed.

[TechyImmigrant]

This isn't a fight between Mandt and Apple. This is Apple being expected to 'do the right thing'. Using an LCG for extraction isn't close to the right thing.

Re:Hypothesis not demonstrated nor peer reviewed.

Yet it hasn't been proven that Apple did the wrong thing. Using a single LCG is weak. Using the lower bits of an LCG is bad due to the short period. Using four LCGs for the PRNG may be reasonable within an embedded environment. Sorry but simply saying LCG is bad and the other thing is better isn't enough. You have to consider wether or not the limitations of LCG were taken into account. Obviously Apple tried to account for it by using four sources and they did correctly disregard the lower bits.

Brute forcing a single source is possible but how much brute force is required when four sources are used and their phase is undetermined? Mandt didn't perform the calculations.

Re:Hypothesis not demonstrated nor peer reviewed.

[TechyImmigrant]

If they'd used one of the many extractors with proven properties, they would know exactly how strong it was.

Re:Hypothesis not demonstrated nor peer reviewed.

"If"

Re:Hypothesis not demonstrated nor peer reviewed.

[TechyImmigrant]

To be fair, I tried googling "what is a good entropy extraction algorithm" and I got back a combination of nonsense and mathematical mumbo jumbo.
Maybe Bing would give better results but I would feel dirty trying.

Re:Hypothesis not demonstrated nor peer reviewed.

No. You would already know this is called a Combined Linear Congruential Generator and you would reference a paper titled "Good Parameters and Implementations for Combined Multiple Recursive Random Number Generators" written by Pierre L'Ecuyer (May 4, 1998) to see if the period length was adequate.

In this case if we assume all sources equal we have k = 4 and a modulus of 2^13 which gives us P = (2^13 - 1)^4 / 2^3 = 5.6x10^14

Re:Hypothesis not demonstrated nor peer reviewed.

[TechyImmigrant]

A long period length does not make a good extractor.

Re:Hypothesis not demonstrated nor peer reviewed.

You are confusing PRNG with Randomness Extractors. The period of a PRNG is defined as the maximum over all starting states of the length of the repetition-free prefix of the sequence. In this case we are talking about 5.6x10^14.

Re:Hypothesis not demonstrated nor peer reviewed.

[TechyImmigrant]

No. I was pointing out that a PRNG isn't an entropy extractor and a PRNG with a long period still isn't an entropy extractor.

An entropy extractor has to throw out less data than it takes in in order to increase the per bit entropy. A PRNG does the opposite. It takes in a seed and throws out more data than the length of the seed.

What does Early mean?

[goombah99]

Whats this "early" mean?

Announcement from Apple

[Mike+Van+Pelt]

"Yes, our PRNG is weak. The next one we replace it with will also be weak. We can not talk about why. Draw your own conclusions."

Why don't we ever see a demonstration?

[CohibaVancouver]

Why don't these security researchers ever actually demonstrate the exploit they're talking about?

Seems to me that there are all these stories of late about how 'flaw X' *could* be used to do 'bad thing y."

Why don't these clever researchers rarely if ever demonstrate the flaw in use, in a reproducible way?

"I will now demonstrate using the faulty random number generator to attack the kernel and I will do this Really Bad Thing."

....but we never see that. We just hear about these hypothetical scenarios that create a lot of FUD and noise and a lot of scrambling from vendors and customers over nothing.

Re:It can't be!

[ArcadeMan]

Not sure if the troll mod comes from my blind trust in Apple written in the form of a joke, or from my own oversized Android display size and stupid model number signature troll.

Should be plenty of sources for entropy

[ameline]

Take a shot from each camera, sample each microphone for a few milliseconds, Sample the gyros and accelerometers for a few milliseconds. Sample the current battery voltage/charge state, Salt in the current time/date and last known location, along with the various readable serial numbers, SHA each of these sources and fold them into each other and SHA the result, and you should be good to go.

Once the device is booted, it can do a lengthy and more sophisticated RNG to make a seed that will be folded into the above entropy sources on the next boot.

But it does sound like apple should put in a good hardware entropy source on their A8 (and future) chips. (One with no NSA/CSEC/GCHQ/KGB/FSB backdoors please!)

That can also be folded into the above sources (I think you would never want to rely on only one source of entropy, no matter how good or trusted.)

Re:Should be plenty of sources for entropy

[InvalidError]

Instead of SHAing each entropy source individually, I would simply concatenate all the entropy sources together and SHA that. It saves the hash initialization, finalization and intermediate "folding" steps.

well, almost

[FormOfActionBanana]

That was for fast secure hashes, and not for psuedorandom numbers. They aren't really the exact same thing, are they?

Re:well, almost

[cryptizard]

You can make any hash function into a PRNG by repeatedly hashing a counter that is set with a random seed. Also Keccak has a mode where the output can be set to any length, which makes it explicitly a PRNG.

Re:well, almost

[FormOfActionBanana]

repeatedly hashing a counter that is set with a random seed

But I think that's exactly why you don't roll your own. That would be a predictable sequence. I could make a rainbow table of sha1('1'), sha1('2') etc. up to 4 trillion, and then by sampling a few numbers from your stream I could very quickly identify the current counter value and the next sequences for ever. Total fail, and if the seed is the system time this is only a level of abstraction more difficult. (Chess & West, p. 398)

Re:well, almost

[FormOfActionBanana]

And I am not even a crypto expert! Well, this is a very long-winded way of saying that the GP "DigitAl56K" was probably right; that we do need a clearing-house of good software cryptographic random number generators.

Re:well, almost

[cryptizard]

Every PRNG is predictable if you know or can guess the seed. That is why the seed needs to be large enough (say 128 bits) to be infeasible to brute force. If you assume that the seed is only drawn from some small range like 1 to a trillion then no matter how good your PRNG is it will be easily breakable. Rainbow tables have nothing to do with it, they only allow you to precompute instead of doing the work online. Anything you could break with a rainbow table you could also break without it, so the system has some other insecurity (in your example, too small of a seed).

Re:It can't be!

Let's say its the combination of the two.

No such thing as random number generators.

I don't know what is more surprising, that people think computer are capable of generating numbers "randomly". Or "more entropy" (aka disorder) is something people actually wish upon their system.

Understanding PRNG

[shellster_dude]

When cryptographers say that a PRNG is deterministic (in a bad sense), they usually mean it violates one of the following rules (or similar):

1) It should be realistically impossible for an outsider to determine or guess all the values that constitute a seed.
2) No matter how much of the "random stream" an attacker has seen, they should not be able to realistically determine the next value in the stream (without all the sources of entropy throughout the process).
3) Given the initial seed, an attacker should not be able to determine the random value at a point in the future because that value should constantly be affected by both new "entropy" inputs including the number of times, size, and amount of random data previously requested.

you know, brownian motion, for the kids

[Thud457]

The problem with the English is that they feel the need to tell you the whole history of the East India company just to get a nice hot cup of not-entirely-quite-unlike tea.

Because if somebody breaks THOSE ...

[Ungrounded+Lightning]

Why don't we decide on a handful of strong PRNGs, and make every major OS use them exclusively,

Maybe because if somebody then breaks one or more of THOSE they have a zero-day exploit for EVERYTHING.

While we're at it. why don't we standardize on an operating system, and version, and stop all this diversity? After all, if a committee comes up with a pick how can any individual or team invent anything better?

Genetic engineering is getting to the point that we can soon modify our children so they all have the same immune system - the best one we can find in the wild or tweak up. Why don't we do that too? After all, you'd NEVER see a disease mutate so it's fatal to everyone with that flavor of immune system, would you? B-/ (You know, like the corn blight that was fatal to the cytoplasmic male-sterile corn that was virtually all that was grown in the US in the early '70s, and nearly wiped out the crop for a year or two?)

Of course the REAL reason is because it's a FREE MARKET. Companies who's management thinks they have a better design for a random number generator get to deploy their own choice, and the customers get to decide whether they want to trust their data and critical processes to that OS or switch to some alternative (either immediately or after they pick up the pieces from the LAST set of exploits...)

Sigh

You have no idea what you're talking about.

Obligatory Random Number

http://dilbert.com/strips/comic/2001-10-25/