Deliberate or accidental? Not beyond thinking at the moment to wonder if this could have been deliberate or that they received some form of payment or other advantage for doing so.
iOS 7's weak random number generator stuns kernel security – claim
In an effort to improve iDevice security, Apple replaced its internal random number generator between iOS 6 and iOS 7 – but a security researcher believes Cupertino inadvertently downgraded security. The issue is outlined here by Azimuth Security, whose Tarjei Mandt also detailed the issue at last week's CanSecWest conference …
Monday 17th March 2014 03:17 GMT Anonymous Coward
Apple just isn't world class in security, and never have been
Considering Apple was last on the NSA's list of "cooperating" companies, years after Microsoft, Google and Facebook caved, I don't think this is too likely to be the case, especially with all the attention that such NSA cooperation has received of late.
You know the old saw: Never attribute to malice that which is adequately explained by incompetence.
Apple could really benefit from the hiring of a world recognized security expert to lead their efforts, with commensurate budget to enable him to hire people as needed to identify and plug these gaps. Apple seems to be where Microsoft was a decade ago before they were forced by the pressure from all sides to take security more seriously. Hopefully Apple won't have to go through a "Code Red" type scenario and be embarrassed into it, but will be smart enough to do it of their own volition.
Monday 17th March 2014 04:11 GMT Anonymous Coward
Re: Apple just isn't world class in security, and never have been
"Considering Apple was last on the NSA's list of "cooperating" companies, years after Microsoft, Google and Facebook caved..."
And interestingly enough, OS X suddenly was approved for DoD usage after they caved.
Coincidence, I'm sure.
Monday 17th March 2014 08:16 GMT Anonymous Coward
Re: Apple just isn't world class in security, and never have been
Yeah, I'm sure Apple is going to sell out for the few thousands of Macs that will sell into the DoD which is Windows through and through. Because, you know, they need those extra few million in sales to go with the tens of billions they sell every quarter.
But feel free to continue with the conspiracy theories. Did Google get their code from the Roswell saucer, or was that Facebook? I keep forgetting.
Monday 17th March 2014 08:28 GMT Busby
Re: Apple just isn't world class in security, and never have been
Is it really beyond thinking the NSA could have made a "you scratch my back" reciprocal deal? For example by agreeing to hand over to Apple anything they can find on a certain Korean firm's future plans. Not so long ago this type of thought would have fallen firmly in the tinfoil hat area. These days though, who knows; that type of spying for US companies has been rumoured since the early days of Echelon.
Sloppiness around this sort of security is inexcusable for a company with their resources. Even if unintentional, people are likely to assume otherwise in the current climate.
Monday 17th March 2014 20:11 GMT Anonymous Coward
@Busby
Yes, I think it is beyond thinking as Apple hasn't seemed too interested in copying what Samsung does at all, let alone in advance. They haven't even made a big iPhone yet, and they haven't required early access to Samsung's plans to know the next Galaxy will be at least as big as the one before it, year after year.
Not saying Apple hasn't done some of the same things after Samsung did them, but whether they actually copied Samsung (or one of the other Android vendors that did those things before Samsung with less fanfare) or whatever, that doesn't mean they'd want early access to their plans to copy them sooner. Apple's sales don't seem to be affected by not having stuff Samsung owners consider indispensable, like NFC.
Monday 17th March 2014 20:24 GMT asdf
Re: @Busby
Just to clarify something for the UK readers who maybe haven't been to the US. We (the US public) really aren't as protective of our supposedly national companies such as Apple as say many in Europe are of theirs. Companies like Apple outsource most of their business anyway. The North American market is fairly open and our nationalism seems to rarely extend to our corporate masters. I have heard the same argument made about the Xbox (last generation) and I think it has a lot less to do with nationalism and more to do with better marketing in the market. We also quit buying American when it largely became impossible to do so anymore for most things (you can still get plenty of American made financial derivatives but I digress). The only time really nationalism comes up with brands is with some obvious Chinese brands for geopolitical reasons. This also speaks to how poorly Chinese branding still is as much as American jingoism.
Tuesday 18th March 2014 06:29 GMT Busby
Re: @Busby
Not sure what business you're in, but I think any company would find it beneficial to get a peek at competitors' plans. You don't need to be copying products; there are plenty of ways to leverage an advantage beyond stealing technology. I only raised this as a possibility; personally I think it's unlikely to have gone down this way.
Brings me back to a point I raised earlier though it goes beyond sloppiness for this sort of error to appear currently. All technology companies are well aware of the growing backlash against NSA / GCHQ even the appearance of cooperation is enough to lose what little trust remains. Any inbuilt weakness similar to those previously engineered by the NSA is going to be jumped on publicly.
Monday 17th March 2014 12:42 GMT Anonymous Coward
Re: Apple just isn't world class in security, and never have been
I recall an NSA memo where they say something like "iPhones are marvellous devices that provide plenty of information", which means, at least to me, that the NSA didn't need the help from Apple. But soon the iboys and igirls of this world started to use imessages, and the DEA complained about the encryption: http://news.cnet.com/8301-13578_3-57577887-38/apples-imessage-encryption-trips-up-feds-surveillance/
Monday 17th March 2014 12:13 GMT Anonymous Coward
Re: Apple just isn't world class in security, and never have been
>And interestingly enough, OS X suddenly was approved for DoD usage after they caved.
Nothing sudden about it at all - it took that long for Apple to meet spec - but it was too late by then... The US Navy were amongst the biggest users of Xserve servers since day one - but they ran Yellow Dog, not OS X.
Monday 17th March 2014 23:44 GMT Anonymous Coward
Re: Apple just isn't world class in security, and never have been
"Apple just isn't world class in security, and never have been"
And yet iOS is the first widely adopted consumer OS that I'm aware of where all 3rd party apps are sandboxed. As a result, malware for iOS is basically a non-issue. Can't say the same for Android.
Tuesday 18th March 2014 09:39 GMT Anonymous Coward
Re: Apple just isn't world class in security, and never have been
"What difference does it make? Apple's wonderful sandbox gives you enough to compromise the prng."
Erm, not sure you're understanding the issue at hand here. Actually, pretty sure you aren't. The problem is if apps use the PRNG that Apple provides to try to do something that requires a secure PRNG, e.g., encrypt something. (And I'd assume that most apps that need a secure PRNG use their own and don't rely on the system's, where the quality of the RNG is basically unknown.) Nothing has anything to do with the sandboxing of anything.
Monday 17th March 2014 12:39 GMT Michael H.F. Wilkinson
Re: Silly question but...
That's one solution. I also like the least significant bits of the output of a covered webcam with gain at maximum. Really random bits are easily obtained from noise in the outside world if your device has inputs like cameras and microphones.
For quick and dirty work NOT involving security (but e.g. for Monte-Carlo simulations) I used to use the additive PRNG from Knuth (with 2^55-1 period). This needs 55 seeds in my case, and webcam noise or similar is fine for that. With the development of the Mersenne Twister this subtractive generator is a bit out of date. I gather it is faster (and also faster than the LCG), however.
Monday 17th March 2014 22:06 GMT John Gamble
Re: Silly question but...
As good as Knuth is, there's been a lot of advancement since he wrote that PRNG (assuming I'm thinking of the same one as the OP of this thread). Mersenne Twister is very good (although not a cryptographic PRNG) and it has implementations in a lot of different languages (which the Wikipedia article links to).
I'm wondering about the name of the function -- is early_random() only supposed to be run before iOS7 accumulates enough entropy to use its standard random number function? The articles linked to don't seem to say.
Tuesday 18th March 2014 07:55 GMT Michael H.F. Wilkinson
Re: Silly question but...
I would use the Mersenne Twister now, in particular because loads of implementations exist (R, matlab, PHP, Python, GNU Scientific Library, etc). When I implemented the additive (or subtractive) generator (1989) it did not exist, and most if not all languages used the LCG. Knuth's one is a variant of the Lagged Fibonacci generator. Apart from being a better generator than the LCG, if initialized properly, it is much faster, because I only have to do one subtraction, and a conditional addition (if the result of the subtraction is negative, which is a cheap test), as opposed to a multiplication, modulus, and addition for the LCG. Numerical Recipes in C has an implementation (ugly code, but it works). The speed difference on an 8 MHz 80286 (used for image processing) was massive.
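A worked version of the subtractive generator described in the post above, added here as an example (it is not the poster's own 1989 code): the 55 words live in a ring buffer, so each output costs exactly one subtraction and a conditional addition, as the post says. The modulus 2^30, the lag order (x[n-24] - x[n-55]) and the use of os.urandom as a stand-in for the webcam-noise entropy source are assumptions for this example, not details taken from the thread.

```python
"""Knuth-style subtractive lagged-Fibonacci generator:
x[n] = x[n-24] - x[n-55] (mod 2^30), kept in a 55-word ring buffer."""
import os

LAG_LONG = 55      # the 55 seed words the post mentions
LAG_SHORT = 24
MOD = 1 << 30      # assumed modulus for this example


class SubtractiveGenerator:
    """One subtraction plus a cheap sign test per output; no multiply or modulus."""

    def __init__(self, seeds):
        if len(seeds) != LAG_LONG:
            raise ValueError("need exactly %d seed words" % LAG_LONG)
        self.ring = [s % MOD for s in seeds]
        self.i = 0   # ring[i] always holds the oldest value, x[n-55]

    def next_value(self):
        # x[n-24] sits LAG_LONG - LAG_SHORT = 31 slots after x[n-55] in the ring
        j = (self.i + LAG_LONG - LAG_SHORT) % LAG_LONG
        v = self.ring[j] - self.ring[self.i]
        if v < 0:                 # the conditional addition the post describes
            v += MOD
        self.ring[self.i] = v     # the new value overwrites x[n-55], no longer needed
        self.i = (self.i + 1) % LAG_LONG
        return v


def seeds_from_os_entropy():
    """Stand-in for webcam noise (constructed): 55 x 30-bit words from os.urandom."""
    raw = os.urandom(4 * LAG_LONG)
    return [int.from_bytes(raw[4 * k:4 * k + 4], "big") % MOD for k in range(LAG_LONG)]


def first_outputs(seeds, n):
    """Return the first n outputs for a given 55-word seed array."""
    g = SubtractiveGenerator(seeds)
    return [g.next_value() for _ in range(n)]


if __name__ == "__main__":
    print(first_outputs(seeds_from_os_entropy(), 5))
```

With the constructed seed array 0, 1, ..., 54 the first 24 outputs are all 31 (x[n-24] - x[n-55] = 31 for every pair of untouched seeds) and the 25th is 7, because by then x[n-24] has been overwritten with 31; the descending array 54, ..., 0 makes the very first subtraction negative and exercises the conditional addition. Like the Mersenne Twister the posters prefer, this is a simulation generator only; its state is linear in its inputs and it is not suitable for key material.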
Tuesday 18th March 2014 20:59 GMT Michael Wojcik
Re: Silly question but...
I would use the Mersenne Twister now, in particular because loads of implementations exist (R, matlab, PHP, Python, GNU Scientific Library, etc).
Agreed.
If for some reason the Twister was not suitable for a non-cryptographic PRNG application (though I can't think of any reasons why that might be, off the top of my head) that required something better than an LCPRNG, I'd probably recommend Marsaglia's Complementary-Multiply-with-Carry (CMWC) generator. He posted an implementation to Usenet some years back; it shouldn't be hard to find.
Tuesday 18th March 2014 21:07 GMT Michael Wojcik
Re: Silly question but...
...what would be wrong with the output of a reverse-biased transistor being used to seed ye olde Mersenne Twister?
You'd have to reseed frequently to avoid running out of entropy. With a cryptographic PRNG (CPRNG), the PRNG is just there as a schedule and whitener for the entropy source. Between seedings, an attacker could grab output from your CPRNG and use it to reconstruct part of the CPRNG's internal state; then brute-force the rest.
The security of the CPRNG rests on raising the work factor of those two steps (reconstructing and brute-forcing internal state) by 1) gathering additional entropy often enough, 2) not leaking entropy too quickly in the output,[1] and 3) using a trapdoor function to convert internal state to output.
[1] Of course, it has to put some entropy in the output; that's what keeps it from being trivially predictable. A generator that always outputs "1" leaks no entropy but doesn't do any good either. (ObXKCD ... oh, look it up yourselves.)
Monday 17th March 2014 09:40 GMT Anonymous Coward
After being caught out recently for failing to validate certificates (which allowed secure connections to be eavesdropped), I wouldn't be surprised if this was deliberate. The NSA has meddled with random number generation before and given Apple is a "cooperating company", there's a good chance it was deliberately coded this way.
Monday 17th March 2014 16:02 GMT Michael Habel
Obligatory http://xkcd.com/221/
Hummm now where have I seen that exact same line of Code before?
http://www.engadget.com/2010/12/29/hackers-obtain-ps3-private-cryptography-key-due-to-epic-programm/
Needless to say as an Owner of a vintage 2010 21xx PS3 Slim I'm very grateful to that little piece of Code!
Monday 17th March 2014 18:16 GMT Peter Rathlev
XKCD was first
http://xkcd.com/221/
http://www.engadget.com/2010/12/29/hackers-obtain-ps3-private-cryptography-key-due-to-epic-programm/
Judging from both the "Last-Modified:" header of the XKCD image and the Wayback Machine it seems Engadget borrowed it from Randall, not the other way around. Which may have been your point, but I just wanted to make sure we're all on the same page. :-)
XKCD uses a CC BY-NC license so Engadget should have mentioned from where they borrowed the image.
Monday 17th March 2014 13:59 GMT Tim 11
Is this random number generator actually used in security applications?
There's an inference in the tone of the article that this "early_random" PRNG is used for crypto/security purposes, but it isn't actually stated anywhere.
From my understanding, cryptographically secure random numbers in iOS are generated using SecRandomCopyBytes, which is a different mechanism and uses entropy from the microphone, wi-fi, accelerometer etc.
If all you can do by cracking early_random is cheat in some games, this isn't really all that newsworthy.
Monday 17th March 2014 15:34 GMT Anonymous Coward
Poor PRNG but should not be used in cryptography anyway
OK, it sounds a pretty poor PRNG; even for an LCG it sounds like the values chosen were very poor. I sometimes write simple PRNGs for embedded applications using LCGs, and properly chosen values give much better recurrence periods than this, but no one should be using a PRNG for cryptographic purposes anyway, except perhaps for short sequences initialised from a real random number generator, and even then with extreme caution, perhaps just as padding before encryption or something similarly innocuous.
Monday 17th March 2014 15:55 GMT Spoonsinger
1011111011110010100101001010011011110001010011001010110...
101000101101001101010101010101010010110100011111111100100100011000000101000011111110000011110000100010001010100100101111110001010101010101011100101001001010100101111111111100000111111100101010101010010011100101000100110001001010101010101011111110001010101001010111100010101000111100101001010101011111110000011001010#
That's all I have to say on the matter.
Monday 17th March 2014 16:51 GMT Don Mitchell
Never use RAND()
There is a long history of bad random number generators in operating systems. At Bell Labs, Jim Reeds and I implemented a series of statistical randomness tests (Knuth's plus others) to explore this problem. BSD 4.something was out then, and my lab was using it. The random generator was a linear feedback type, and it failed the tests badly. Jim and I discovered that there was an off-by-one mistake in the position of the feedback tap, but when we contacted the student at UCB who wrote it, he told us to fuck off. Even today, you can find both the fixed and the broken version of this generator in UNIX distributions. Of course the random generator in windows was always terrible (16 bits, like this apple subroutine).
A very good generator is Marsaglia's multiply-with-carry. Fast, simple, and it passes every test I've ever tried.
#include <stdint.h>

uint32_t ML_nMarsagliaX = 886459;     /* current x */
uint32_t ML_nMarsagliaC = 361290869;  /* current carry */

uint32_t
ML_RandomUnsigned(void)
{
    uint64_t n;
    /* 32x32 -> 64-bit product; the original used MSVC's __emulu intrinsic for this */
    n = (uint64_t)1965537969u * ML_nMarsagliaX;
    n = n + ML_nMarsagliaC;
    ML_nMarsagliaX = (uint32_t)(n & 0xFFFFFFFFu);  /* low word becomes the new x */
    ML_nMarsagliaC = (uint32_t)(n >> 32);          /* high word becomes the new carry */
    return ML_nMarsagliaX;
}
These are not cryptographically strong generators, and I'm not sure what iOS is doing with them. They are appropriate for things like monte carlo calculations and simulations, but not for cryptography.
Monday 17th March 2014 18:10 GMT Alan Johnson
Re: Never use RAND()
From the code Marsaglia's is just an LCG - nothing wrong with that of course, as long as the values are well chosen. Efficiency-wise I do not see the benefit of the 64-bit multiply; all the upper bits get dropped later anyway. I like having more state than the output, so if you have a 32-bit output you have 64 bits of state and a period (with well chosen constants) of 2^64-1.
The real point is: use a PRNG for test data, simulation, Monte Carlo methods, padding etc., but not cryptographic key generation etc.
Tuesday 18th March 2014 21:15 GMT Michael Wojcik
Re: Never use RAND()
"Never" is a bit strong. There's nothing wrong with the typical rand[1] implementation for trivial applications, such as some games, some pseudo-random testing, etc. Of course the applicable standards impose few requirements on rand, but they do in effect constrain the amount of internal state (because it has to be set in its entirety by srand).
The classic example of a terrible LCRNG implementation is IBM's RANDU, roundly excoriated by pretty much everyone in the biz, including Knuth and Marsaglia.
[1] In hosted environments with case-sensitive linkage, the C, C++, and Single UNIX Specification standards require lower case for this function's name.
Monday 17th March 2014 21:59 GMT Adam 1
Question for the cryptographers here. If I have two RNGs, one "good" and one compromised and I XOR them, does this result in another "good" RNG or is it slightly or wholly compromised by the input that is compromised? To me on the surface it would seem to still be "good" but I don't know why I think that.
Assuming for a minute that I am right here, surely the best available RNG would be basically an XOR across as many RNG streams as you can access?
Tuesday 18th March 2014 21:21 GMT Michael Wojcik
Treating the process as a black box, you're no better off by most metrics than you were before you started combining - it doesn't add any entropy or improve scheduling, for example. It can increase cycle length but that's a very minor benefit at best.
And it can worsen the output. Try XORing two generators that produce exactly the same output.
Because it's a symmetric bitwise operation, it shouldn't leak any additional information through most side channels (power, timing), though it's conceivable there might be a detectable effect in, say, EMF. That's not a concern for most devices but that sort of attack has been used successfully against tamper-proof hardware, at least in the lab, where you can get probes quite close to circuits.
There's no need to mix up a witch's brew of PRNGs. We have well-known, widely-implemented PRNGs, and while there's still plenty of room for research into CPRNGs, there are well-known ones that are believed strong enough for pretty much everyone's purposes. (Just don't use Dual_EC_DRBG.)
Tuesday 18th March 2014 21:31 GMT Michael Wojcik
Oh for the love of...
uses what's called a linear congruential generator (LCG) to provide entropy for the PRNG
No, no, no. An LCG, or any other deterministic algorithm,[1] cannot provide entropy. A deterministic algorithm can discard information entropy; it cannot produce it.
In a CPRNG, the PRNG schedules and whitens entropy - it doles it out, mixing it in with a bunch of internal state and a (hopefully) trapdoor function[2] so that it's infeasible for an observer to distill enough of the entropy to accurately simulate the CPRNG.
Apple's mistake (assuming the article is otherwise accurate) is in using an LCRNG rather than a trapdoor function, and probably in exposing too much internal state, which in effect means exposing too much entropy. Whether they're gathering enough (or indeed any) entropy in the first place, and whether they're adding entropy to the pool as required, are other questions.
On the other hand, the post from Tim 11 above suggests this is an application error - this generator perhaps is not intended for CPRNG use.
[1] That is, any computable function (if the C-T thesis is correct), or at least any function computable by a Turing Machine or equivalent (Post Machine, 2PDA, etc). "Algorithm" can reasonably be used for some non-computable processes which may or may not be deterministic.
[2] That is, a function which is much easier to compute than its inverse is, assuming P ≠ NP.
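The following added example (it is not code from any of the posters) illustrates three points made across this thread about deterministic generators: from the post directly above, that a bare LCG's output is its entire internal state, so one observed value fixes every later one, and that no deterministic post-processing can create entropy; from the earlier "seed the Twister" reply, that what a CPRNG adds is a one-way output function standing between state and observer; and from the XOR discussion, that combining a generator with an identical copy of itself yields nothing. SHA-256 is used here as the one-way output function (the post calls it a "trapdoor function"). The 16-bit modulus and the multiplier and increment constants are constructed for the example and are not the parameters of iOS's early_random().

```python
"""Why a bare LCG cannot serve as a CPRNG: its output is its state, and no
deterministic post-processing can add entropy the seed never had."""
import hashlib

# Constructed toy parameters (NOT Apple's): a 16-bit modulus, multiplier = 1 mod 4
# and an odd increment, so the state-update map is a bijection on 0..M-1.
M = 1 << 16
A = 20077
C = 12345


def lcg_next(state):
    return (A * state + C) % M


def lcg_stream(seed, n):
    """Plain LCG: every emitted value is the whole internal state."""
    out, s = [], seed
    for _ in range(n):
        s = lcg_next(s)
        out.append(s)
    return out


def predict_from_one_output(observed, n):
    """Given ONE output of lcg_stream, reproduce the next n outputs exactly.
    Nothing is broken here: the output simply is the state."""
    return lcg_stream(observed, n)


def whitened_stream(seed, n):
    """Same scheduler, but the state passes through SHA-256 before it is emitted,
    so an observer sees a one-way image of the state rather than the state itself.
    With only 16 bits of state this is still trivially brute-forceable; the
    one-way function fixes the leak, not the entropy shortage."""
    out, s = [], seed
    for _ in range(n):
        s = lcg_next(s)
        digest = hashlib.sha256(s.to_bytes(2, "big")).digest()
        out.append(int.from_bytes(digest[:2], "big"))
    return out


def count_distinct_streams(stream_fn, seed_bits, n):
    """Number of different n-value sequences a generator can emit when its seed
    carries only seed_bits of entropy: never more than 2**seed_bits, whatever
    the generator does afterwards (deterministic code cannot add entropy)."""
    return len({tuple(stream_fn(seed, n)) for seed in range(1 << seed_bits)})


def xor_combine(stream_a, stream_b):
    """Bitwise XOR of two equal-length streams (the 'witch's brew' idea)."""
    return [a ^ b for a, b in zip(stream_a, stream_b)]


if __name__ == "__main__":
    seen = lcg_stream(4242, 5)
    print("observed:", seen[0], "next four, predicted:", predict_from_one_output(seen[0], 4))
    print("actual next four:", seen[1:])
    print("distinct LCG streams from an 8-bit seed:", count_distinct_streams(lcg_stream, 8, 4))
    print("distinct whitened streams from an 8-bit seed:", count_distinct_streams(whitened_stream, 8, 4))
    print("XOR of a stream with itself:", xor_combine(seen, seen))
```

The two counts come out the same because the bijective state update gives 256 distinct state sequences for 256 seeds, and hashing them cannot raise that number; the whitening only changes what the observer can infer from a single value, which is the "exposing too much internal state" half of the post's diagnosis. The entropy-gathering half, how many bits the seed actually carries and how often it is refreshed, is untouched by any output function.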