[onerng talk] Another RNG failure ...

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Mar 19 05:58:39 GMT 2015


Jim Cheetham <jim at gonzul.net> writes:

>https://nakedsecurity.sophos.com/2015/03/18/double-freak-a-cryptographic-bug-that-was-found-because-of-the-freak-bug/

That one (and several similar stories over the years) wasn't an RNG failure,
it was because they flash in a single firmware image with a pre-generated key
and cert.  You could have had the best RNG in the world hooked up to the
hardware and it wouldn't have made any difference.

(This is fairly standard practice in embedded devices, you can't do per-device
customisation at manufacture time, and once it's shipped vendors generally
don't want to touch things like this).

Peter.
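
An added example, not part of the original post: one way to audit a device fleet for the situation described above, where every unit flashed from the same image presents a byte-identical certificate. The device addresses and certificate bodies are constructed placeholders, and `find_shared_certs` and `_fake_pem` are hypothetical helper names.

```python
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM certificate block to its DER bytes."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def find_shared_certs(scan):
    """Group devices by SHA-256 of the DER certificate.

    Returns {fingerprint: [devices]} for fingerprints seen on more than one
    device. A firmware image with a baked-in key and cert yields identical
    certificate bytes on every unit, so a whole-certificate hash catches it.
    """
    groups = defaultdict(list)
    for device, pem in scan:
        fp = hashlib.sha256(pem_to_der(pem)).hexdigest()
        groups[fp].append(device)
    return {fp: sorted(devs) for fp, devs in groups.items() if len(devs) > 1}


def _fake_pem(body: bytes) -> str:
    """Wrap constructed bytes as PEM; stands in for a real certificate."""
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample scan: three devices share one image, one has its own cert.
SAMPLE_SCAN = [
    ("192.0.2.10", _fake_pem(b"constructed firmware-image cert" * 8)),
    ("192.0.2.11", _fake_pem(b"constructed firmware-image cert" * 8)),
    ("192.0.2.12", _fake_pem(b"constructed per-device cert" * 8)),
    ("192.0.2.13", _fake_pem(b"constructed firmware-image cert" * 8)),
]

if __name__ == "__main__":
    for fp, devices in find_shared_certs(SAMPLE_SCAN).items():
        print(f"{fp[:16]}... shared by {len(devices)} devices: {devices}")
```

A key reused under a re-issued certificate would not match on the whole-certificate hash; that case needs a comparison of the public key itself.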

