Message from discussion Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices

Date: Thu, 19 Jul 2012 13:13:56 -0700
Subject: Re: [android-security-discuss] Mining Your Ps and Qs: Detection of
 Widespread Weak Keys in Network Devices
From: Nick Kralevich <n...@google.com>
To: Kevin Chadwick <ma1l1i...@yahoo.co.uk>
Cc: android-security-discuss@googlegroups.com

On Thu, Jul 19, 2012 at 4:37 AM, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:

> > For what it's worth, in Android, we do more than suggested by "man 4
> > random". Most Linux systems just save and restore entropy across boots, and
> > don't feed in device specific information into the pool. In Android, we add
> > device specific data to the entropy pool, to (help) prevent device class
> > attacks. Two Android systems with different device IDs should never
> > have their entropy pool in the same state.
>
> Two Android systems with the SAME device ID should never have their
> entropy pool in the same state either. Couldn't this specific data be
> known/found anyway? Every system should have unique data to use.

We mix the device serial number into the /dev/random entropy pool. Two of
the same device with different serial numbers will have a DIFFERENT entropy
state.

Android primarily uses the Linux kernel's /dev/random and /dev/urandom
interface for generating random data. We use whatever entropy is collected
by the kernel to improve the quality of the data in the randomness pool.
Data we feed into /dev/random only helps mix this pool further.

The actual code which is responsible for this is:

https://code.google.com/p/android-source-browsing/source/browse/services/java/com/android/server/EntropyMixer.java?repo=platform--frameworks--base

Specifically:

/**
 * Add additional information to the kernel entropy pool.  The
 * information isn't necessarily "random", but that's ok.  Even
 * sending non-random information to {@code /dev/urandom} is useful
 * because, while it doesn't increase the "quality" of the entropy pool,
 * it mixes more bits into the pool, which gives us a higher degree
 * of uncertainty in the generated randomness.  Like nature, writes to
 * the random device can only cause the quality of the entropy in the
 * kernel to stay the same or increase.
 *
 * <p>For maximum effect, we try to target information which varies
 * on a per-device basis, and is not easily observable to an
 * attacker.
 */
private void addDeviceSpecificEntropy() {
    PrintWriter out = null;
    try {
        out = new PrintWriter(new FileOutputStream(randomDevice));
        out.println("Copyright (C) 2009 The Android Open Source Project");
        out.println("All Your Randomness Are Belong To Us");
        out.println(START_TIME);
        out.println(START_NANOTIME);
        out.println(SystemProperties.get("ro.serialno"));
        out.println(SystemProperties.get("ro.bootmode"));
        out.println(SystemProperties.get("ro.baseband"));
        out.println(SystemProperties.get("ro.carrier"));
        out.println(SystemProperties.get("ro.bootloader"));
        out.println(SystemProperties.get("ro.hardware"));
        out.println(SystemProperties.get("ro.revision"));
        out.println(new Object().hashCode());
        out.println(System.currentTimeMillis());
        out.println(System.nanoTime());
    } catch (IOException e) {
        Slog.w(TAG, "Unable to add device specific data to the entropy pool", e);
    } finally {
        if (out != null) {
            out.close();
        }
    }
}


> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/rnd.c?rev=1.140;content-type=text%2Fplain


-- 
Nick Kralevich | Android Security | n...@google.com | 650.214.4037
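
The point debated in this message, as an added example (not part of the original post and not Android's code): a toy hash-chained pool showing what mixing the ro.* properties does and does not buy. ToyPool, first_output, demo and the device values are constructed for illustration; the real kernel mixer differs, and the timestamps from the excerpt are left out so the run is deterministic.

```python
import hashlib

# Property names taken from the addDeviceSpecificEntropy() excerpt above.
PROPS = ["ro.serialno", "ro.bootmode", "ro.baseband", "ro.carrier",
         "ro.bootloader", "ro.hardware", "ro.revision"]

class ToyPool:
    """Hash-chained stand-in for an entropy pool; NOT the Linux kernel's mixer."""

    def __init__(self, kernel_entropy: bytes):
        self._state = hashlib.sha256(b"init" + kernel_entropy).digest()

    def mix(self, data: bytes) -> None:
        # The new state depends on the old state AND the input, so writing
        # known data cannot cancel out whatever is already in the pool.
        framed = len(data).to_bytes(4, "big") + data
        self._state = hashlib.sha256(self._state + framed).digest()

    def read(self, n: int = 16) -> bytes:
        out = hashlib.sha256(b"out" + self._state).digest()[:n]
        self._state = hashlib.sha256(b"next" + self._state).digest()
        return out

def first_output(kernel_entropy: bytes, props: dict) -> bytes:
    """Boot a toy device: seed the pool, mix the properties, read 16 bytes."""
    pool = ToyPool(kernel_entropy)
    for name in PROPS:
        pool.mix(props.get(name, "").encode())
    return pool.read()

# Constructed sample devices: same model, different serial numbers.
DEVICE_A = {"ro.serialno": "SERIAL-0001", "ro.hardware": "examplephone",
            "ro.bootloader": "BL1.0", "ro.revision": "3"}
DEVICE_B = dict(DEVICE_A, **{"ro.serialno": "SERIAL-0002"})

def demo() -> dict:
    empty = b""  # worst case: the kernel has collected nothing yet
    return {
        # Different serials separate two otherwise identical first boots.
        "serials_diverge": first_output(empty, DEVICE_A) != first_output(empty, DEVICE_B),
        # Same serial and same pool state still give the same output.
        "same_id_collides": first_output(empty, DEVICE_A) == first_output(empty, dict(DEVICE_A)),
        # With real kernel entropy, knowing every property is not enough.
        "secret_still_needed": first_output(b"\x13\x37" * 16, DEVICE_A) != first_output(empty, DEVICE_A),
    }

if __name__ == "__main__":
    print(demo())
```

All three results are True: the serial number keeps same-model devices from sharing a state, but only kernel-collected entropy makes the output unpredictable to someone who knows the properties.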
