[guardian-dev] Android SecureRandom bug mitigation

Guy Tavor guy at scoompa.com
Tue Aug 13 00:13:18 EDT 2013


Will copying SecureRandom from 4.2+
<http://androidxref.com/4.3_r2.1/xref/libcore/luni/src/main/java/java/security/SecureRandom.java>
into the source code and using it instead of the stock one work?

Guy
scoompa
PGP Fingerprint: EA91 0989 4159 1707 406E 1FD5 0791 6FB0 BAD5 C179


On 12 August 2013 22:47, Abel Luck <abel at guardianproject.info> wrote:

> Nathan of Guardian:
> > On 08/12/2013 03:21 PM, Abel Luck wrote:
> >> Does anyone have any bona fide information as to what the flaw/weakness
> >> actually is?
> >
> > I think you misread the key passage perhaps:
> >
>
> Ah you're right :|
>
> I read that as the bug the paragraph described occurred WHEN you self
> seeded.
>
> > "FIRST - When creating a self seeding SecureRandom instance (by calling
> > the constructor without arguments and subsequent setSeed() call), the
> > code fails to adjust the byte offset (a pointer into the state buffer)
> > after inserting a start value. This causes a counter and the beginning
> > of a padding (a 32 bit word) to overwrite parts of the seed instead of
> > appending."
> >
> > This means, when you call SecureRandom() as instructed by Google to do,
> > then the result is a seed that is not appended to, and thus not of
> > sufficient length.
> >
> >> I haven't found anything yet, and the BTC devs don't seem to be
> >> releasing much information.
> >
> > This commit seems to say it all - tap right into /dev/urandom instead of
> > letting Android/Harmony/kernel handle it for you:
> >
> https://code.google.com/p/bitcoin-wallet/source/detail?r=04d2044880d88107ee4a939a516fb4be4cedeaf9
> >
> >> None of the bitcoin apps affected were seeding SecureRandom, so that
> >> wasn't the issue.
> >
> > Right, they were doing what they were "supposed" to do, as are we, in
> > the case of say OTR4J, or whenever we init SSLContexts.
> >
> >> The armoredbarista link also didn't find any issues that would apply to
> >> SecureRandom used in BC, so that's not it.
> >
> > I think it does. It is in fact, any app that decided to manually seed
> > and pass an argument to the SecureRandom constructor that is safe.
> >
>
> So, a quick fix for pre 4.2 devices is to seed manually with a byte from
> /dev/urandom?
>
> This is crucial for Gibberbot as OTR keys are DSA. We should probably
> force all users to generate and migrate to new keys :|
>
> ~abel
>
> _______________________________________________
> Guardian-dev mailing list
>
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>