On Wed, Jul 18, 2012 at 3:55 PM, Jeffrey Walton <[email protected]> wrote:
> More results on weak keys (it looks more comprehensive than results
> from the EFF's SSL Observatory): https://factorable.net/paper.html.
>
> The authors also do a nice job on the Linux Random Number Generator in
> Section 5.1. The Linux PRNG has significance here because Android uses
> it. Devices such as SSDs and NAND Flash provide even less entropy to
> the system. I imagine it only gets worse if the radios are switched
> off for airplane mode. Sorry to bring up an old thread.
I think Ristenpart and Yilek's work on randomness in virtualized environments might be helpful here: "When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography," http://pages.cs.wisc.edu/~rist/papers/sslhedge.pdf.

I think the idea is pretty simple. Whenever a device talks with a peer, the peer's randomness is used to help improve the local host's randomness. So SSL/TLS and VPN could be used to improve the randomness by feeding the peer's public keys into the local host's software generator. I need to read the paper again, but if IVs are random (vs. unique), it might be possible to use a message's IV also.

What I'm not clear on: is it possible to use a handset's network authentication to improve the randomness in the system? That is, can we tap the IRL and baseband and use some information provided during authentication?

Jeff

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
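The peer-mixing idea Jeff describes, as an added toy example (my code, not from the cited paper, from Android, or from any list participant): a small HMAC-SHA256 pool that absorbs peer-supplied bytes such as a TLS peer's public key, plus a simulation of two VM clones restored from one snapshot. The `HedgedPool` class, the labels and the sample key and seed bytes are all constructed for illustration.

```python
import hashlib
import hmac


class HedgedPool:
    """Toy entropy pool (constructed example): a local seed that absorbs
    peer-supplied values.  Mixing goes through HMAC-SHA256 keyed by the
    current state, so public or attacker-chosen peer input can only add to
    the unpredictability the seed already had, never replace it."""

    def __init__(self, local_seed: bytes) -> None:
        self.state = hmac.new(b"hedge-pool-v0", local_seed, hashlib.sha256).digest()
        self.counter = 0

    def mix(self, label: bytes, value: bytes) -> None:
        # label names the source (e.g. b"tls-peer-pubkey"); length-prefixing
        # keeps (label, value) pairs unambiguous when concatenated.
        msg = label + len(value).to_bytes(4, "big") + value
        self.state = hmac.new(self.state, msg, hashlib.sha256).digest()

    def next_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.counter += 1
            out += hmac.new(self.state, b"out" + self.counter.to_bytes(8, "big"),
                            hashlib.sha256).digest()
        # ratchet the state so earlier output cannot be recomputed later
        self.state = hmac.new(self.state, b"ratchet", hashlib.sha256).digest()
        return out[:n]


# Constructed stand-ins for what each clone sees on the wire after a reset.
PEER_A_PUBKEY = b"\x30\x59\x30\x13" + b"\xa1" * 40   # constructed DER-like bytes
PEER_B_PUBKEY = b"\x30\x59\x30\x13" + b"\xb2" * 40
SNAPSHOT_SEED = b"\x01" * 32                          # identical state after reset


def clone_outputs(peer_a: bytes, peer_b: bytes, hedge: bool) -> "tuple[bytes, bytes]":
    """Two VM clones restored from the same snapshot start with the same pool.
    Without hedging they emit identical 'random' bytes (the reset problem);
    with hedging, each mixes in its own peer's public key before drawing output."""
    clone1, clone2 = HedgedPool(SNAPSHOT_SEED), HedgedPool(SNAPSHOT_SEED)
    if hedge:
        clone1.mix(b"tls-peer-pubkey", peer_a)
        clone2.mix(b"tls-peer-pubkey", peer_b)
    return clone1.next_bytes(16), clone2.next_bytes(16)
```

Peer values are public and possibly attacker-chosen, so they are mixed in as additional input rather than used as a seed; two clones that happen to see the same peer value still produce the same output, which is why local entropy remains necessary.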
