Random with care
january 2018 by jm
Some tips about RNGs and their usage
(via Tony Finch)
coding
random
math
rngs
prngs
statistics
distributions
ImperialViolet - Juniper: recording some Twitter conversations
december 2015 by jm
Adam Langley on the Juniper VPN-snooping security hole:
... if it wasn't the NSA who did this, we have a case where a US government backdoor effort (Dual-EC) laid the groundwork for someone else to attack US interests. Certainly this attack would be a lot easier given the presence of a backdoor-friendly RNG already in place. And I've not even discussed the SSH backdoor. [...]
primes
ecc
security
juniper
holes
exploits
dual-ec-drbg
vpn
networking
crypto
prngs
Chip and Skim: cloning EMV cards with the pre-play attack
september 2012 by jm
Worrying stuff from the LBT team. ATM RNGs are predictable, and can be spoofed by intermediate parties:
'So far we have performed more than 1000 transactions at more than 20 ATMs and a number of POS terminals, and are collating a data set for statistical analysis. We have developed a passive transaction logger which can be integrated into the substrate of a real bank card, which records up to 100 unpredictable numbers in its EEPROM. Our analysis is ongoing but so far we have established non-uniformity of unpredictable numbers in half of the ATMs we have looked at.
First, there is an easier attack than predicting the RNG. Since the unpredictable number is generated by the terminal but the relying party is the issuing bank, any intermediate party – from POS terminal software, to payment switches, or a middleman on the phone line – can intercept and superimpose their own choice of UN. Attacks such as those of Nohl and Roth, and MWR Labs show that POS terminals can be remotely hacked simply by inserting a sabotaged smartcard into the terminal.'
atm
banking
security
attack
prngs
spoofing
banks
chip-and-pin
emv
smartcards