[onerng talk] Another RNG failure ...
Jim Cheetham
jim at gonzul.net
Thu Mar 19 07:24:27 GMT 2015
I read the article as suggesting that the keys were deterministically
created at initial boot, when the machine state was fully predictable,
which to me sounds like an entropy failure for the RNG.
However I accept that I haven't read the originals.
On 19 Mar 2015 18:58, "Peter Gutmann" <pgut001 at cs.auckland.ac.nz> wrote:
> Jim Cheetham <jim at gonzul.net> writes:
>
> >
> https://nakedsecurity.sophos.com/2015/03/18/double-freak-a-cryptographic-bug-that-was-found-because-of-the-freak-bug/
>
> That one (and several similar stories over the years) wasn't an RNG
> failure,
> it was because they flash in a single firmware image with a pre-generated
> key
> and cert. You could have had the best RNG in the world hooked up to the
> hardware and it wouldn't have made any difference.
>
> (This is fairly standard practice in embedded devices, you can't do
> per-device
> customisation at manufacture time, and once it's shipped vendors generally
> don't want to touch things like this).
>
> Peter.
>
> ――
> View topic http://lists.onerng.info/r/topic/6DJbIX1EhKd021WDBRxyKG
> Leave group mailto:onerng-talk at lists.onerng.info?Subject=Unsubscribe
>
> Start groups https://OnlineGroups.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ourshack.com/pipermail/discuss/attachments/20150319/32c5f024/attachment.html>
More information about the Discuss
mailing list