[liberationtech] Google confirms critical Android crypto flaw
On 15.08.2013 16:25, Eugen Leitl wrote:
> ----- Forwarded message from Maxim Kammerer <[email protected]> -----
>
> Date: Thu, 15 Aug 2013 15:38:56 +0300
> From: Maxim Kammerer <[email protected]>
> To: liberationtech <[email protected]>
> Subject: Re: [liberationtech] Google confirms critical Android crypto flaw
> Reply-To: liberationtech <[email protected]>
>
> On Thu, Aug 15, 2013 at 2:34 PM, Nathan of Guardian
> <[email protected]> wrote:
>> The best description is here:
>> http://armoredbarista.blogspot.ch/2013/03/randomly-failed-weaknesses-in-java.html
> Unbelievable… It seems that PRNG implementers suffer from NIH
> syndrome. If you are going to use /dev/urandom, then use it all the
> time, and rely on code that's reviewed and maintained by thousands of
> kernel people, not just your favorite buggy seeded PRNG du jour.
Or, if you decide to roll your own, at LEAST read Peter Gutmann's 1998
Usenix Security paper on the topic [1] or read the respective chapter in
his book [2].
Stephan
[1] http://www.cs.auckland.ac.nz/~pgut001/pubs/usenix98.pdf
[2] Peter Gutmann, Cryptographic Security Architecture, Springer Verlag,
2004.