On Thu, 19 Jul 2012 13:13:56 -0700
Nick Kralevich wrote:
> Specifically:
>
> /**
> * Add additional information to the kernel entropy pool. The
> * information isn't necessarily "random", but that's ok. Even
> * sending non-random information to {@code /dev/urandom} is useful
> * because, while it doesn't increase the "quality" of the entropy pool,
> * it mixes more bits into the pool, which gives us a higher degree
> * of uncertainty in the generated randomness. Like nature, writes to
> * the random device can only cause the quality of the entropy in the
> * kernel to stay the same or increase.
> *

Well, I'd be skeptical of Java devs, especially citing nature, which is
analog. Of course nature can be a very good or bad source of randomness.

> * <p>For maximum effect, we try to target information which varies
> * on a per-device basis, and is not easily observable to an
> * attacker.
> */

That seems good. Is the serial number really not easily deducible or
testable? But I see the added uncertainty for testable.
I certainly see your point and the "For what it's worth" opening line.
One thing it may certainly do is hide weaknesses in Android's RNG that
this paper uncovers and prevent damage to Google perhaps. This is not
good in general though, especially if Android is not using the kernel
RNG, which may get more scrutiny now. I assume it uses both for
different or the same things?
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
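
The quoted comment's claim, and the serial-number question raised in the reply, can be made concrete with a toy model. This is an added example, not part of the original message and not Android's or the kernel's code; `ToyPool`, the SHA-256 mixing, and all boot states and serial numbers are constructed assumptions. It shows that mixing a value never shrinks an observer's search space, and enlarges it only when the observer cannot learn the value.

```python
import hashlib
from itertools import product

def _h(tag, *parts):
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)  # length-prefix each input
    return h.digest()

class ToyPool:
    """Toy entropy pool (assumption): NOT the Linux kernel's mixing function."""
    def __init__(self, boot_state):
        self.state = _h(b"init", boot_state)

    def mix(self, data):
        # Models a write to the random device: state is stirred, nothing is credited.
        self.state = _h(b"mix", self.state, data)

    def read(self, n=16):
        out = _h(b"out", self.state)[:n]
        self.state = _h(b"next", self.state)  # ratchet forward after each read
        return out

def first_output(boot_state, mixed=()):
    pool = ToyPool(boot_state)
    for item in mixed:
        pool.mix(item)
    return pool.read()

def guesses_needed(target, boot_candidates, value_candidates):
    """Guesses until some (boot state, mixed value) pair reproduces target."""
    pairs = product(boot_candidates, value_candidates)
    for n, (boot, value) in enumerate(pairs, 1):
        if first_output(boot, [value]) == target:
            return n
    return None

# Constructed sample data: a weak boot with 4 possible states, 1000 serials.
BOOT_STATES = [bytes([i]) for i in range(4)]
SERIALS = [b"SN-%04d" % i for i in range(1000)]

def demo():
    boot = BOOT_STATES[3]
    identical = first_output(boot) == first_output(boot)  # no per-device input
    a = first_output(boot, [SERIALS[17]])
    b = first_output(boot, [SERIALS[942]])
    known = guesses_needed(b, BOOT_STATES, [SERIALS[942]])  # serial observable
    unknown = guesses_needed(b, BOOT_STATES, SERIALS)       # serial not observable
    return identical, a != b, known, unknown
```

With the serial known to the observer the search is still bounded by the 4 boot states; with it unknown the bound grows to 4 x 1000, which is the "stay the same or increase" behaviour the comment describes.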