Schneier on Security
A blog covering security and security technology.
August 9, 2013
Friday Squid Blog: Rickshaw Cart Woodblock Print
With a squid.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on August 9, 2013 at 4:16 PM
Dunno if you're aware, but the print is a Super Mario Bros. reference. ;)
I propose to you the trends just recently coming to light to the public are actually largely the result of a silent coup of the three branches of government, in particular the executive. Thoughts?
If the NSA, FBI and IRS are doing nothing wrong, they have nothing to hide.
Can we trust them to be honest in "transparency" or will they be building a potemkin village for us to look at while the inner circles laugh behind our backs?
I’m the creator of “The Book of Woo” linked above. The first encryption layer, a special polyalphabetic cipher, has been broken. But now the handful of serious code-breakers among our readers seems stuck a little. If you’re interested in breaking the code, be sure to read the comment section below the comic page. There’s a lot of interesting information in it.
Color me cynical but I didn't believe a word Obama says.
NSA: We don't want to spy on ordinary people
Citizens: Who are ordinary people?
NSA: The ones we're not spying on.
CNN reports the NSA has revealed it intercepts 1.6% of the world's Internet traffic. NSA analysts review .00004%, but this second number doesn't matter: NSA computers review all of the 1.6%. That's massive.
It seems the POTUS is now talking of 'jiggering' the balance between intelligence collection and liberty.
I'd guess they've found a way to restate the law to seem more liberty oriented yet leaving their power intact, if not enhancing it.
Time to dust off phantom?
A series of posts to this blog enumerate a deliberate strategy to transform the federal government from within. I have enumerated the statutes, directives, laws, and policies that form a logical chain in a "how to overthrow a democratic republic without giving yourself away."
I assume the basis for this strategy is well thought out and complete--the scary part is the resemblance to Weimar Germany in the 1930s. Authority has slowly moved from local constituencies to a "federalized" national security services complex. Fusion centers, FirstNET, classification by municipal authorities. Transformation of the meaning and boundaries of posse comitatus. One of the posts includes a reading list. There is also the corporate cabal that is behind this bull...their aim is perpetual war and the exercise of authority through overt force.
Where is the outrage on this subject? We have a de facto police state. How does the DEA get access to "terrorist" investigations? Well, if anyone has done their homework they would understand that the courts have held (believe it was the 4th circuit) that data collected under the Patriot Act could be used for criminal investigations. I believe the ruling was right after the FAA changes to the act in 2008. Additionally the DoD believes it has the authority, by reinterpreting the constitution, that the posse comitatus act allows for the use of the military to participate in civil law enforcement. In some cases this is already happening by way of material support but new policies go beyond this limitation--if it can be called that. I suggest for anyone interested to visit publicintelligence.net for related material. Also look at the joint policy directives. It's insanity dressed in a tank and a drone.
Out of curiosity to the precedents for the Manning and Snowden situations I read The American Black Chamber by H. O. Yardley. There are two big differences between Yardley and our two present day "leakers." First, Yardley wasn't convicted because the laws against what he did weren't YET written. Second, he got paid.
If only the FBI had been more effective in its own perfectly legal campaigns against agitators in the 1960s we wouldn't be in this position today
Or at least we would have a president with a slightly different skin color doing the same things
@ Carpe and name.withheld
Re coup against US democracy? already done...
It's already happened, though. The bankers did the coup with the Federal Reserve Act. The President's bio around the same year said he had unwittingly ruined his country by placing control of it in the hands of a few men via the system of credit. Other big time politicos have been quoted saying the bankers run the country. Much legislation from both parties benefits the larger agenda of internationalists, esp. that related to globalization. American people tend to lose tons of money with these initiatives while certain companies and families make a ton of it. Probably not an accident.
And, finally, the banking crisis let us put my theory to the test (and see it pass): they got $1 trillion payout, nobody could ask what they spent it on, and criminal immunity was provisioned. There's been plenty of millionaires, powermongers, Presidents and such that failed where those bankers succeeded. If that isn't running the country, I don't know what is. ;)
So, if they've owned the country, that would just make IRS their collection arm and the MI complex a security program for their investment. (Their lives too.) That would also explain why politicians the bankers campaign with keep going into wars that put the country in debt deficits to the same bankers. Deficits are great for them: they create money out of thin air, loan it to govt, and make 6-7% interest on the dead soldiers, err, the "freedom fighting." They win during a surplus too with Fed's fractional reserve banking and owning banks' use of it for their own investments. They've had trouble recently with schemes backfiring but no system of corrupt control is perfect, eh? And they're still incredibly rich and powerful.
So, a for-profit, privately owned (by bankers) Corporation owns, issues and manages our money supply. I'd say it indicates a very subtle/clever form of fascism. Their scheme allows plenty of democracy and free market so the people don't feel enslaved. It just implements fascist controls where it counts the most to preserve their power and riches. People who challenge criminal activity at DOD, IRS or the Fed will learn what I mean. A surveillance state and the erosion of civil liberties is the logical next step of such a fake democracy to further tighten the noose around troublemakers' necks.
In the past, we said that the IRS and Drug War heavy handed tactics were just precursors to what they'd be doing domestically for regular LE activities. This proved true: LEO's have gradually moved in that direction to the point that one woman was SWATed by Dept of Education (they have a SWAT?!) over student loans. So, my extrapolation in 2002 was that they'd combine the intelligence and operational capabilities of military with domestic law enforcement while further eroding civil rights. This has been the case albeit with slow progress. I still stand by that being their current long-term goal.
So, contrary to popular belief, there isn't a coup in progress or anything. They've owned the country since around 1917. Anything suggesting otherwise was smoke and mirrors. (Well, considering ownership of main media companies that fight for right to lie in court... no surprises I guess.) The banking mini coup in 2008 proved their control over Congress: American people voted bailout down, it failed in Congress, and rep's taking money from bankers snuck it through a second time when most weren't looking. Maybe lawmakers should listen next time elites speak openly about their strategies:
"Let me issue and control a nation's money and I care not who writes the laws." -Mayer Amschel Rothschild
Oh yeah, my theory was confirmed again when Citi was caught red handed admitting it in some memos to 1% clients. The leaked memos that flat stated US was a "plutonomy" and described how the 99%'s vote was the greatest threat to the wealthy. They worked hard to get those memos off the Internet. Here's a sample of them. ;)
I don't think I've ever seen that put quite so well yet. Yes, I am aware of all of these things (you'll notice I didn't say when it happened); we need to get down to the core of the matter and just start deciding what can and should be done about it.
Have we already crossed the abyss? If it isn't stopped, anyone who opposes it in any way will quickly be targeted and done away with.
Honestly I'm still just trying to decide which tactics to endorse towards our military and LEO's. Subversion, overt force, power (information) reversal, etc.
“Appear weak when you are strong, and strong when you are weak.”
"To subjugate the enemy's army without doing battle is the highest of excellence."
Therefore, the best warfare strategy is to attack the enemy's plans, next is to attack alliances, next is to attack the army, and the worst is to attack a walled city.
(interested in further discussion? torchat 7pnijfkdzxh4y6ne)
Apparently full body cavity searches are now the norm during routine traffic stops. This is somewhat widespread, and has now been documented multiple times over a wide geographical via dash-cams.
The pattern in each documented case is eerily similar. Officer claims said citizen was stopped due to throwing a cigarette butt out the window. Citizen claims she doesn't smoke. Body cavity search was performed. Ticket was not issued.
Reports are police are not switching gloves between searches of anus and vagina, and that they are using the same glove to search multiple people.
Health concerns are terrifying. Not just the bacteriological infections that result from sticking excrement (poop) deep into the vagina or the physical tearing damage of being so brutally assaulted in such a tender area without proper lubricants, but also transmission of STDs, including AIDS, along with other blood-borne illnesses such as Hepatitis.
--Can vouch for the strong armed tactics if you criticize or suggest elimination of large swaths of the gov't. This is real and it happens on a daily basis, and most people are too afraid to speak up about it; even if you get identified. The tactics go beyond mere physical intimidation and go into every contact in your life and making sure you get humiliated.
The banking bailout I think is very visible proof that this country is a fascist state.
"U.S. NSA to cut system administrators by 90 pct to limit data access"
'Before the change, "what we've done is we've put people in the loop of transferring data, securing networks and doing things that machines are probably better at doing," Alexander said.'
Yes we can cut costs and boost productivity! Spoken like a true bureaucrat...
Yeah, your networks will /probably/ be more secure without any pesky humans snooping around (or monitoring said 'secure' systems.) Good luck with that :-P
Apparently the remaining 10% of NSA administrators will be tasked with assisting ol' Keithy in bypassing the agency's infernal porn filters, removing malware from his desktop after visiting such unscrupulous sites, and reporting on the 24/7 surveillance of his daughters' boyfriends.
In the same stream of consciousness, Mr. Alexander actually says, "At the end of the day it's about people and trust," (apparently attempting to defend his agency's conduct.)
What people or trust would you be referring to? The people you are letting go because you can't trust them? The people who should trust you to keep them safe despite the fact you can't trust said people who perform this service? Perhaps he's simply referring to the complete lack of people and trust... Call me confused!
My advice to (soon to be former) NSA employees: it would probably be wise to secure asylum before airing any workplace grievances...
Google searches for the following are quite interesting!
" prism nsa site:indiegogo.com " and
" prism nsa site:kickstarter.com "
Snake oil or NSA backed projects?
This CNN story shows the powers that be sure are spooked:
All in-bound cargo on commercial flights from Europe, the Middle East and Africa — and quite possibly other areas of the world — is being screened twice, as a result of the recent terror threats that have closed U.S. embassies and consulates in the Middle East and Africa, according to a cargo industry official.
The Department of Homeland Security late last week ordered airlines to increase the inspection of cargo at the last point of departure for the United States, said Brandon Fried, the executive director of Airforwarders Association, a trade group.
“They said, ‘until further notice, this is what you’re going to do,’” Fried said.
“Nothing unscreened gets on the plane,” Fried said. “Basically they said, ‘If you used one method, or several methods (of inspecting cargo), you need to do it again.’ It’s redundant, dual screening.”
Richard Fernandez wonders aloud if it's security theater. It certainly raises the stress level.
Russian man doesn't like bank credit card terms, so he rewrites them and sends them back. The bank doesn't read the contract, and ends up issuing him the card.
When the bank closes the account, the courts rule in his favor.
I propose the creation of a character 'Gen Keith Klapper' in the production ' Dr. Schneier or: How I Learned to Stop Worrying and Love the Database'
Very well put.
I wonder if these plutocracies have solved the same problems that beset and doomed plutocracies in ancient Rome. Perhaps these problems can be ... er ... induced? Or encouraged?
Don't know if this is a 'Wag the Dog' moment...
Bruce, or Moderator:
I’m not sure if Bruce, or you guys here caught this, but Obama himself came out and stated that the chances of “dying in a terrorist attack […] are still a lot lower than in a car accident”. He was interviewed on the Tonight Show with Jay Leno, you can see the relevant segment on this YouTube clip, it comes at about 4:45.
He made the comments while talking about the recent global travel warning in the context of the US embassy closures. Here’s the relevant part of the interview (the rest of which is also quite interesting). This section starts at around 3:57:
Leno: What do you say to those cynics who go “Oh, this is an overreaction to Benghazi and …” How do you respond to that?
Obama: One thing I’ve tried to do as President is not overreact, but make sure that, as much as possible the American people understand that there are genuine risks out there. What’s great about what we’ve seen with America over the last several years is how resilient we are. So after the Boston bombing, for example, you know the next day, folks were out there, they’re going to ball games, they are, you know, making sure that we’re not reacting in a way that somehow shuts us down. And that’s the right reaction, terrorists depend on the idea that we’re gonna be terrorized and we – we’re gonna live our lives – and the odds of people dying in a terrorist attack, obviously, are still a lot lower than in a car accident, unfortunately, but there are things that we can do, to make sure that we are keeping the pressure on these networks that would try to injure Americans[…]
Of course, it would be prudent to ask why so many more resources are spent on preventing terrorist attacks vs. car accidents.
Flaw in Android's secure random number generator results in compromise of Bitcoin private keys and theft of funds:
The flaw is that random numbers are occasionally repeated, leading to ECDSA signatures being generated using the same k-value, allowing the private key to be calculated from the signatures. It is important to note that this is not a flaw in Bitcoin itself or ECDSA, but rather the use of a flawed RNG in an application that absolutely requires secure random numbers.
Developers of Android Bitcoin apps are currently working on fixing the issue, though it is not limited to Bitcoin and has implications for any cryptographic software running on the Android platform.
Hackaday has a nice bit-banging project for any up and coming engineers (the older ones probably don't want to relive the nightmares). Pretty neat, check it out and watch the full video if you like this stuff and maybe some can see some comms applications w/ this...OTP's in binary, that'll be fun to decipher. No microcontroller needed.
Where Barack 'the control freak' Obama says,
I've tried to do as President is not overreact
The first thought is 'cough cough' horse apples 'cough cough'.
The second is overreact compared to whom? A hermit existing in a cave in the Rockies, or a nervous old curtain twitching granny, who phones the police every time someone wearing sneakers passes her home... In other words it's at best an unquantified statement that is thus worthless, at worst it's a cynical manipulation of the use of language to lie to the listener.
And what about the use of "unfortunately" after indicating terrorism kills less than road accidents. If read as reported that indicates a wish on BO's behalf to have terrorist related death numbers become a more significant fraction of the number killed by road accidents...
For those who don't see why look up "a lie by omission".
I like "Hackaday"; it often reminds me of the old days such as bringing up my first "wire wrapped" 6502 hand built computer which just had 256 bytes of RAM and a couple of transparent latches to do I/O with switches and LEDs, so parallel not serial "bit banging".
Oh, something Hackaday featured was a "from Gates to Tetris" learning site,
Which is well worth a look in if you hanker to get to know how to build your own CPU and storage using HDL tools and also how to develop your own micro code, assembler and compiler before finally writing the game :-)
On a more serious "security" note it will show people the how and why of "below App" "below OS" and "below CPU" activities that will help them think their way through attack vectors at these levels.
In these days of Surface Mount FPGAs few have seen Wire-wrapping or even know what it is, let alone the tools such as a "Wrap-Gun" (that has nothing to do with the cacophony of some modern music). Back when I was a young hacker of the old school it was the best way to go with no "hot-work" involved. Essentially all components were mounted on posts or sockets that had hardened square posts that went through "perf-board". The connecting or "hookup" wire had a soft insulation coat and you would strip it back about a half inch and slide it into the "wrap-tool" which you would then slide over the square posts; by turning this the wire would wrap around the post starting with the still insulated part to give "strain relief" and ending with the bare wire that was actually cut into by the edges of the square post making a "gas tight connection" of considerably higher reliability than 40/60 solder joints. The largest board I wired up this way was an experimental "64-bit bit-slice processor board" on triple Euro-board (half as wide again as a VME board and about 9U high).
Again for those of "young and tender years" who might be reading this, "bit-banging" is a term that goes back to the earliest days of "data comms" and referred to the idea of using switches and buttons to manually enter data into a system. If you see pictures of computers from the 1970s you will see a row of sixteen or so switches and three or four buttons; these were used in combination to set the start point of the CPU micro-code or Interpreter to load a paper or magnetic tape etc in a process called "boot-strapping". On "home brew" systems often these switches and buttons were the way you loaded in entire programs to get a system up and working. For the more affluent it was to a point where the ROM chip might load from a tape recorder using "Philips audio cassettes" with data stored at 300 baud, using the likes of a couple of NE566/7 phase locked loop tone decoders.
The flaw is that random numbers are occasionally repeated
That is not a flaw in the RNG but the way it is used, which is why it's going to be a bit difficult if not impossible to fix fully.
The problem is there is a considerable difference between a "random number" and a "random nonce". TRNG is of the former and some but not all CS-RNGs are of the latter.
If you think about it the definition of a random number from a TRNG is, a nondeterministically selected member from a set of numbers which contains every possible number producible within the number length constraints of the generator output.
This definition most definitely does not preclude the possibility of numbers being repeated at any time in part or whole.
The definition of a "nonce" is loosely a number used once, and does not involve the definition of a TRNG.
Now there are other definitions for RNGs one of which is for PRNGs which changes the definition such that "nondeterministic" is changed to "deterministic". However as this also covers a simple counter, convention implies some further unstated constraints on the deterministic process so "it looks random" within some acceptable definition appropriate to the task it is to be used for. Which is why Linear Feedback Shift Register Pseudo Random Number/Bit Generators (LFSR-PRNG) are quite acceptable for games and simple simulations but most definitely not for other activities such as crypto work.
Now the definition of a cryptographically secure PRNG often used does not preclude repeated numbers in part or whole for good and proper reasons. One of which is that if it did the generator would eventually have to stop, but more importantly long before that the numbers it produces would become "known" to an attacker in a steadily reducing set. Which is why with CS-PRNGs that use a counter through a crypto function, at some point prior to reaching half the counter value the crypto key is changed. However whilst this does not give the full number set under any key it most definitely does not stop numbers being repeated under the new key. Thus if the key is changed too frequently then number re-use is going to happen in a shorter time frame. There is also the issue of ensuring the key is actually a "nonce" in its own right not just for a single user but all users otherwise you get "key re-use" issues akin to using an OTP two or more times.
Now designing an RNG that fulfils the "nonce" requirement is difficult at best and impossible in some cases. In essence a single RNG would have to find some way to determine if a number has been generated by it before or not as a minimum, ranging up to by any RNG in use.
Obviously for a counter and quite a few PRNGs the minimum requirement is not difficult because of the way it works. But for a TRNG this would mean having to store every single number ever generated by it and cross referencing every new number against the stored list. This is impractical for even a few numbers and would also increase the delay in generating a new number proportional to the number of previously generated numbers and number set size.
Oh and all nonce-RNGs would eventually fail/stop and the simple idea of increasing the size of the generator output will not work, because the real constraint is not the generator output size but the size of the nonce. That is a nonce that is only 2^8 in size could only be used 256 times...
However when it comes to real not theoretical systems there is another issue which is a very real "elephant in the room". How do you ensure that two instances of the same product don't produce identical outputs from their individual RNGs?
Well unfortunately all the ways so far suggested mean that there has to be some kind of central system which issues PRNG seeds that are unique to each product instance. As we know from the RSA two-factor hardware fobs, such a central system becomes a single point of significant security vulnerability and thus a highly desirable target for attack.
Further there are issues with theoretical and real nonces. Whilst a nonce brings some desirable attributes to the security party, an algorithm designer has to be very careful in their use otherwise the algorithm whilst being "secure theoretically" will be either "unusable practically" or "insecure practically". Put simply if the nonce has to be a "nonce to the algorithm" and not a "nonce to the user of the algorithm" then it is of no use as a general use system.
Thus if you are not a cryptographer by both training and experience nonces are a significant "tripping hazard" and it would be best to avoid if possible algorithms that use them. Even if you are a cryptographer of long standing, again don't let nonces "gate crash the party" no matter how desirable they look because "re-use" is an issue that will always crop up in real-world implementations.
The likes of the NSA and GCHQ et al know this (see project VENONA and OTP re-use); for their systems they would treat "nonces" as Key Material (KeyMat) used within the constraints of a central Key Management (KeyMan) system. Whilst this may be "practical" for them it is most definitely impractical for the rest of us.
Thus NIST or any other "Standards Bodies" that produce standard algorithms with "nonces" in should "know better". Especially where the security rests in the main or totally on the nonce, because new attacks arise all the time and the idea of a nonce is fragile at best. Robust algorithms spread their security across many (hopefully) orthogonal well understood parts where the failure of any one part only marginally reduces the algorithm security margin.
"Nonces" are not "padding" and they should not be used interchangeably. Padding often has different constraints on it and "no re-use" is not generally one of them, but often the avoidance of "all zeros" or "all ones" numbers in part or whole frequently is, which usually does not apply to a nonce...
One major issue that recurs frequently in crypto system implementation is that published papers have an implicit meaning of "random", "nonce", "padding" and many other words, such that a sufficiently knowledgeable reader would "implicitly understand" which the rest of the mere mortals don't. Thus the algorithms in such papers will often be implemented in real world systems incorrectly.
Quick story about Australian Customs confiscating the mobile phone of a Rugby player as he returned from a game in New Zealand at the request of a sports antidoping agency.
Also they held him for questioning but that seems less important.
Re centrally generated nonces and the RSA break-in.
Isn't that a very different scenario as compared to where you want each product to generate different number streams.
In the RSA token case you must have that central server else you can't authenticate the user...
I don't know much about CPRNGs, and neither do Bitcoin app developers, which is why they (wisely) left the implementation up to standard cryptographic libraries. In this case, the culprit appears to be Android's implementation of java.security.SecureRandom, which according to the Android documentation "generates cryptographically secure pseudo-random numbers" and by default is seeded "using an internal entropy source, such as /dev/urandom. This seed is unpredictable and appropriate for secure use."
For ECDSA as used by Bitcoin, the keyspace is very large (256 bits) and only a handful of random numbers are needed per session (and only a few hundred handfuls over the lifetime of the app; certainly nobody's producing zillions of signatures per keypair), and if a CPRNG is producing multiple collisions under those circumstances, there's clearly something dreadfully wrong (one collision might be attributed to astronomical coincidence, but two or more per universe-lifetime looks mighty suspicious). Either the algorithm is completely broken, it's not being seeded, or the seed is not random.
I wonder if the people who work for the government are sinister or just incompetent.
Maybe there is no conspiracy. Maybe no one is in charge.
I think you are thinking of the "authentication server" at the RSA customers site.
I was talking about the database held by RSA which contained the seeds etc for all the key fobs they had ever sold and from the security aspect should never have been kept.
Whilst there was a financial saving "technical support" argument, the level of protection RSA used to protect the DB was so grossly insufficient you could conclude it had been done on the cheap. Which bearing in mind that many of their sales had been to Defence Contractors working on secret projects and high net worth entities for bank account etc security, it was probably in the end a very expensive "cost saving".
Which is a reasonable reason to keep the likes of "bean counters" out of final security decisions...
--Nice, thanks for link. Yeah all good stuff, never heard of it til my dad said he did it way back when. That's my goal, instead of feeling overwhelmed not knowing almost everything on modern pc's thus attacks can come from everywhere, I want control over all aspects and I definitely want way less memory (and not a lot of random access type either) and functionality for my machine I really care about. Then skriddy b*tches getting on my nerves can have fun trying to attack something they don't understand and side channels/unknown attacks will become my primary concern; as well as maybe my own cryptosystem.
--If I were to make a game, my first would probably be "Snake". Then maybe "Asteroid". Then maybe something like Megaman X on SNES :) Not creative, but hey don't break something not broken.
Sorry, you're right!
Firstly, seeing that Bitcoin apparently has real value, I think the developers of the apps used for it really should have experience of properly using and testing any crypto code they develop. The same is true for graphics libraries, maths libraries or any other library which could have attack vectors in it.
At the end of the day few useful libraries are "boil in the bag" solutions and should not be used as such, especially in an application where security should be very near the top of the design requirements list. And as has been said of the law "ignorance is no defence".
After all crypto libraries have a long and inglorious history of bugs, side channels and other security vulnerabilities thus there are many "Buyer Beware" signs along the road alongside those that say "You Get What You Pay For", and thus sometimes "you pay dearly for doing it on the cheap".
Currently I've not seen sufficient information to say where the fault is, and arguably the testing process was deficient.
An argument could be made that if the uniqueness of the nonce was so important to the security of the app, then the app should have been checking them, prior to using them.
When you say either... you neglect to allow for the fact that the generator is functioning to specification and it's either the input to it (phone developers at fault) or it's output is being incorrectly accessed/used.
After all I doubt that the BitCoin app is unique in needing this generator, so why have other apps not seen the issue?
Until we have further details I'm not going to make any bet on the cause; I've seen so many in the past that it would be silly to do so. However the number of past mistakes makes highlighting all the possible areas to check more onerous than would be appropriate for this blog.
However one thing I will say: getting 2 x 256 bits of real entropy takes considerable time and is thus a very valuable commodity and should be saved carefully to protect the investment between system resets, reboots and brown outs. As I've pointed out in the past it is very difficult to tell between real entropy and faux entropy even when you have direct access to the base physical input (search this blog for my name and the expression "healing hands of jeasus").
If what you and others have implied is correct then I would look at the base physical input and the what/how of the entropy extracted and saved, as it definitely follows the GIGO principle.
In a final stage of the transition to Absurdistan of the country formerly known as the USA, POTUS has seen fit to appoint DNI James Clapper as the person who will be leading "the Director of National Intelligence Review Group on Intelligence and Communications Technologies", to examine the USA's global signals-intelligence collection and surveillance capability: http://www.emptywheel.net/2013/08/12/... .
I think I need a drink.
An argument could be made that if the uniqueness of the nonce was so important to the security of the app, then the app should have been checking them, prior to using them.
Perhaps, but uniqueness of the private keys themselves is even more important, and there's absolutely no way of checking that; instead the large keyspace and the laws of probability are the only defence you have against collisions. It is telling that there haven't been any reported private key collisions (except for keys produced by feeding a short password to a KDF, or worse, an ordinary hash function); that fact seems to suggest that the RNG seed is at least unique per device.
In this case, the culprit appears to be Android's implementation of java.security.SecureRandom.
This is where I stopped reading. Java & security = fail.
Caught this off Weld Pond's twitter feed: according to MIT and the National University of Ireland, the uniformity assumption underlying cryptographic security is flawed. PDF to full paper within the article.
Shannon entropy is based on the average probability that a given string of bits will occur in a particular type of digital file. In a general-purpose communications system, that’s the right type of entropy to use, because the characteristics of the data traffic will quickly converge to the statistical averages. Although Shannon’s seminal 1948 paper dealt with cryptography, it was primarily concerned with communication, and it used the same measure of entropy in both discussions.
But in cryptography, the real concern isn’t with the average case but with the worst case. A codebreaker needs only one reliable correlation between the encrypted and unencrypted versions of a file in order to begin to deduce further correlations. In the years since Shannon’s paper, information theorists have developed other notions of entropy, some of which give greater weight to improbable outcomes. Those, it turns out, offer a more accurate picture of the problem of codebreaking.
When Médard, Duffy and their students used these alternate measures of entropy, they found that slight deviations from perfect uniformity in source files, which seemed trivial in the light of Shannon entropy, suddenly loomed much larger. The upshot is that a computer turned loose to simply guess correlations between the encrypted and unencrypted versions of a file would make headway much faster than previously expected.
In the vein of Clive's "examine the things under the OS, under the app", one of the researchers makes the point that assumptions underlying cryptographic principles need to be examined as well. His conclusion is that this development doesn't render cryptographic systems insecure, but probably less secure than previously thought.
@ Tom S.,
I now have something "nice" to read whilst having my tea-n-bun this afternoon :-) Rather than the near endless supply of turgid reports and dull (and incomplete) data sheets...
I have a yearning to get back in the lab as a grunt who can just do the fun things, not the BS (not what you think ;-) management stuff.
Bradley Manning's statement to the military judge shows they broke him:
"How on earth could I, a junior analyst, possibly believe I could change the world for the better over the decisions of those with the proper authority?"
Researchers develop acoustic data transfer for phones using speaker and microphone. 21st century analog modem? Haha.
@ Foxpup, AC2, Dirk Praet,
Further to the Bitcoin issue.
It would appear that the Bitcoin coders --as have other app coders-- used a "Boil-in-the-Bag" method of using the PRNG and failed to randomly initialise it from the OS TRNG.
This is one of the oldest known mistakes to make with any PRNG and is usually very easy to spot during testing.
Now the question arises: did or didn't the library document the requirement for seeding the PRNG? Or is the library itself failing to do what the library specification indicated?
Either way it does not excuse the Bitcoin developers from actually performing the appropriate tests. Especially as the same problem was seen in a widely known attack on ECDSA in the PlayStation 3, which gave rise to the master key becoming public knowledge...
Now the question arises: did or didn't the library document the requirement for seeding the PRNG? Or is the library itself failing to do what the library specification indicated?
It was the latter. From the Android documentation:
"It is best to invoke SecureRandom using the default constructor. This will provide an instance of the most cryptographically strong provider available ... By default, instances of this class will generate an initial seed using an internal entropy source, such as /dev/urandom. This seed is unpredictable and appropriate for secure use."
The Android Bitcoin app developers (and, according to Symantec, the developers of 360,000 other apps) used SecureRandom in exactly the way the documentation specifically recommended. It turns out the documentation was wrong, and SecureRandom is not actually seeded using /dev/urandom by default.
The bug is said to be "subtle", though details have not been released, which I take to mean that SecureRandom usually manages to produce random numbers that pass all entropy tests despite not being correctly seeded. As you've pointed out, CPRNGs are difficult to get right and difficult to test. I wouldn't be at all surprised to find out that this implementation has been tested a thousand times by a thousand different people and found to be "flawless".
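The two defensive checks raised in this thread (Clive's point that an app relying on nonce uniqueness should verify it before signing, and that an unseeded PRNG is easy to spot in testing) as an added example, not code from the thread or from the Android or Bitcoin projects. The "unseeded" generator is a constructed model of the described failure, and the r value is a constructed hash stand-in for the x-coordinate of kG; these are assumptions, not the real bug's internals.

```python
import hashlib
import os
import random
from collections import defaultdict


def unseeded_nonces(n, bits=256):
    """Constructed model of the bug: a fresh generator that starts from a
    fixed internal state instead of /dev/urandom. Every instance yields the
    same sequence, so two wallets (or two signatures) reuse the same k."""
    rng = random.Random(0x5eed)  # fixed state stands in for "never seeded"
    return [rng.getrandbits(bits) for _ in range(n)]


def os_seeded_nonces(n, bits=256):
    """What the Android documentation promised: nonces from the OS entropy pool."""
    return [int.from_bytes(os.urandom(bits // 8), "big") for _ in range(n)]


def seeding_test(make_nonces, n=4):
    """Testing check: two independent generator instances must not agree.
    Returns True if the generator passes (no shared nonces between runs)."""
    first, second = set(make_nonces(n)), set(make_nonces(n))
    return not (first & second)


def r_of(k):
    """Constructed stand-in for r = (k*G).x: same k always gives same r."""
    return int.from_bytes(hashlib.sha256(k.to_bytes(32, "big")).digest(), "big")


class NonceGuard:
    """Pre-signing check the thread argues for: remember every nonce this
    signer has used (a real app would persist this) and refuse a repeat."""

    def __init__(self):
        self.seen = set()

    def register(self, k):
        # Returns True if k is fresh and may be used, False if it was used before.
        if k in self.seen:
            return False
        self.seen.add(k)
        return True


def find_repeated_r(signatures):
    """Post-hoc scan of published signatures (msg_id, r, s): returns
    {r: [msg_ids]} for every r that appears under more than one message,
    the fingerprint of a reused nonce and the signal wallets should alert on."""
    by_r = defaultdict(set)
    for msg_id, r, _s in signatures:
        by_r[r].add(msg_id)
    return {r: sorted(ids) for r, ids in by_r.items() if len(ids) > 1}
```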