Predictability of Android OpenSSL's pseudo random number generator

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2013, Pages 659-668

  Kim, Soo Hyeon ^a   Han, Daewan ^a   Lee, Dong Hoon ^b  

^a Electronics and Telecommunications Research Institute (ETRI)   (South Korea)

^b Korea University   (South Korea)

Author keywords

android; entropy; openssl; pseudo random number generator; ssl tls

Indexed keywords

ANDROID; ANDROID APPLICATIONS; ANDROID PLATFORMS; DALVIK VIRTUAL MACHINES; OPEN SSL; POTENTIAL PROBLEMS; PSEUDO RANDOM NUMBER GENERATORS; SSL/TLS;

ENTROPY; RESTORATION; ROBOTS; SECURITY OF DATA;

RANDOM NUMBER GENERATION;

EID: 84889020006     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2508859.2516706     Document Type: Conference Paper

References (25)

1. Address space layout randomization. http://en.wikipedia.org/wiki/Address- space-layout-randomization.
2. Android debug bridge. http://developer.android.com/tools/.
3. Android Security Overview. http://source.android.com/devices/tech/ security/.
4. Break DES in less than a single day. http://www.sciengines.com/company/ news-a-events/74-des-in-1-day.html.
5. IDC - Press Release. http://www.idc.com/getdoc.jsp?containerId= prUS24257413.
6. OpenSSL. http://www.openssl.org/.
7. RFC 4507: Transport Layer Security (TLS) Session Resumption without Server-Side State.
8. The Debian Project. Openssl-Predictable Random Number Generator, DSA-1571-1. Available from http://www.debian.org/security/2008/dsa-1571.
9. Trace32. http://www.lauterbach.com/.
10. N. J. Alfardan and K. G. Paterson, Plaintext-Recovery Attacks Against Datagram TLS. In Network and Distrubited System Security Symposium (NDSS 2012), 2012.
11. T. Biege. Analysis of a Strong Pseudo Random Number Generator by anatomizing Linux' Random Number Device. Tech. rep., PhoneFactor, Inc., Nov. 2006.
12. D. Brumley and D. Boneh. Remote Timing Attacks Are Practical. In Proceedings of the 12th conference on USENIX Security Symposium - Volume 12 (Berkeley, CA, USA, 2003), USENIX Association, 2003.
13. B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux. Password Interception in a SSL/TLS Channel. In Proceedings of Advances in Cryptology - CRYPTO 2003, Springer-Verlag, pp. 583-599, 2003.
14. T. Duong and J. Rizzo. Here Come the Xor Ninjas. Tech. rep., May 2011.
15. S. Fahl, M. Harbach, T. Muders, L. Baumgärtner, B. Freisleben, and M. Smith. Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. In Proceedings of the 2012 ACM conference on Computer and communications security, pp. 50-61, 2012.
16. M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov. The Most Dangerous Code in the World: Validating SSL Certificates in Non-browser Software. In Proceedings of the 2012 ACM conference on Computer and communications security, pp. 38-49, 2012.
17. N. Heninger, Z. Durumeric, E. Wustrow, and J. A. Halderman. Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. In Proceedings of the 21st USENIX Security Symposium, pp. 205-220, 2012.
18. V. Klima, O. Pokorny, and T. Rosa. Attacking RSA-Based Sessions in SSL/TLS. In Proceedings of Cryptographic Hardware and Embedded Systems (CHES) 2003, Springer, pp. 426-440, 2003.
19. P. Lacharme. The Linux Pseudorandom Number Generator Revisited. IACR ePrint Arcive 2012/251. Available from http://eprint.iacr.org/2012/251.
20. M. Marlinspike. More Tricks for Defeating SSL in Practice. In Black Hat USA, 2009.
21. C. Meyer and J. Schwenk. Lessons Learned from Previous SSL/TLS Attacks: A Brief Chronology of Attacks and Weakness. IACR ePrint Arcive 2013/049. Available from http://eprint.iacr.org/2013/049.
22. M. Ray and S. Dispensa. Renegotiating TLS. Technical Report, PhoneFactor, Inc., Nov. 2009.
23. T. Ristenpart and S. Yilek. When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography. In Proceedings of the Network and Distributed System Security Symposium (NDSS) 2010. Internet Society, 2010.
24. T. Vuillemin, F. Goichon, C. Lauradoux, and G. Salagnac. Entropy Transfers in the Linux Random Number Generator. Research Report 8060, INRIA, Sept. 2012.
25. S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage. When Private Keys Are Public: Results From the 2008 Debian OpenSSL Vulnerability. In Proceedings of IMC 2009, pp. 15-27, 2009.