[cryptography] Android SecureRandom poor entropy
noloader at gmail.com
Sun Aug 25 17:10:49 EDT 2013
On Sun, Aug 25, 2013 at 4:45 PM, Marco Pozzato <mpodroid at gmail.com> wrote:
> Recently, android SecureRandom PRNG proved to be seriously flawed
> because, by default, it is not properly initialized with "good" entropy.
> The weakness is very critical, because initial state is practically affected
> only by process ID: when an application starts with the same PID, it
> generates the very same sequence of pseudo-random numbers.
I think it's even worse than that - even the system entropy pool needs
help. Take a look at addDeviceSpecificEntropy() in
EntropyService.java. For the most part, AOSP repeatably adds the same
data from the device. The only differentiating data is
System.currentTimeMillis() and System.nanoTime().
There's even some developer humor in there:

    out = new PrintWriter(new FileOutputStream(randomDevice));
    out.println("Copyright (C) 2009 The Android Open Source Project");
    out.println("All Your Randomness Are Belong To Us");

In the past, Hedging was suggested to improve the pool state, but I'm
not aware of any interest in the improvements. See
> Many bitcoin applications suffered this issue and some bucks have been lost.
> Are you aware of some lists of flawed applications, not only related to
> bitcoin, but also in other cryptography and security domains?
Not quite the answer you are looking for, but it may help with
determining the breadth of the issue. Symantec performed an analysis,
and over 360,000 applications were using SecureRandom. Of those,
320,000 could be affected. Unfortunately, the categories were
Productivity, Fun and Games, and similar; and not Cryptography or
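The hedging idea mentioned in the reply above, as an added example (not code from the post or from AOSP): the SecureRandom output is hashed together with bytes read from /dev/urandom, both clocks and a counter, so that a repeated base state alone does not repeat the final output. The names HedgedRandom, next32 and the "stuck" stand-in source are hypothetical, and the code assumes a Linux or Android system where /dev/urandom is readable.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example: hedged randomness. All names here are hypothetical.
public class HedgedRandom {
    private final SecureRandom base;   // possibly poorly seeded source
    private long counter = 0;          // separates calls on one instance

    public HedgedRandom(SecureRandom base) { this.base = base; }

    // Returns 32 bytes: SHA-256 over the base output plus independent inputs.
    public synchronized byte[] next32() throws IOException, NoSuchAlgorithmException {
        byte[] fromBase = new byte[32];
        base.nextBytes(fromBase);

        // Read the kernel pool directly instead of trusting the Java-level seed.
        byte[] fromKernel = new byte[32];
        try (DataInputStream in = new DataInputStream(new FileInputStream("/dev/urandom"))) {
            in.readFully(fromKernel);
        }

        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(fromBase);
        md.update(fromKernel);
        md.update(ByteBuffer.allocate(24)
                .putLong(System.currentTimeMillis())
                .putLong(System.nanoTime())
                .putLong(counter++)
                .array());
        return md.digest();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the flaw: a source that always returns the same bytes.
        SecureRandom stuck = new SecureRandom() {
            @Override public void nextBytes(byte[] out) { Arrays.fill(out, (byte) 0x42); }
        };
        byte[] a = new HedgedRandom(stuck).next32();
        byte[] b = new HedgedRandom(stuck).next32();
        System.out.println("base repeats, hedged outputs equal? " + Arrays.equals(a, b));
    }
}
```

Hedging supplements the underlying generator; the output is only as unpredictable as the best of the inputs mixed in.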