[cryptography] Android SecureRandom poor entropy

Marco Pozzato mpodroid at gmail.com
Sun Aug 25 16:45:55 EDT 2013


Hi all,

I'm CTO at PrivateWave, developing solutions for secure telephony.

Recently, android SecureRandom PRNG proved to be seriously flawed (
http://android-developers.blogspot.it/2013/08/some-securerandom-thoughts.html)
because, by default, it is not properly initialized with "good" entropy.

The weakness is very critical, because initial state is practically
affected only by process ID: when an application starts with the same PID,
it generates the very same sequence of pseudo-random numbers.

Many bitcoin applications suffered this issue and some bucks has been lost.

Are you aware of some lists of flawed applications, not only related to
bitcoin, but also in other cryptography and security domain?

Our product, PrivateGSM, is not affected and I want to express here my
thanks to Philip Zimmermann, who I had the pleasure and the honor to work
with some years ago, when we was advisor in PrivateWave's scientific board
and we jointly worked on the first mobile ZRTP client and designed a
bitstream variant of ZRTP protocol, so called ZRTP/S.

He insisted a lot on initializing PRNG with good entropy, such as noise
from microphone, not trusting OS. Now I can fully and better appreciate
that hint: thanks Phil.


I'd like to share with you the results of some tests we run on android
devices to assert the weakness of SecureRandom, without proper
initialization.

Flawed: after a few hundreds runs, PIDs start duplicating and the very same
sequence is generated:

   - Android Simulator 4.2
   - Galaxy Nexus 4.3
   - Samsung Galaxy S4 4.2.2
   - HTC One X 4.1.1
   - Motorola Razr 4.1.2


Apparently not flawed: despite PIDs duplicates, random does not repeats.

   - Samsung Galaxy Note II 4.1.2
   - Samsung Galaxy S3 4.1.2
   - Samsung Galaxy SII 4.1.2
   - Motorola Defy Cyanogen 10.1


Then, we decided to continue our tests to assert the quality of
SecureRandom: DieHard test proved a good quality of sequence generated with
SecureRandom...

...as long as you you start in the right way :-)


Marco
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130825/5faf34fa/attachment.html>


More information about the cryptography mailing list