Abstract
This paper investigates the randomness of several Java runtime libraries by inspecting their integrated pseudo-random number generators. Significant weaknesses in different libraries, including Android, are uncovered.
© 2013 Springer-Verlag Berlin Heidelberg
Michaelis, K., Meyer, C., Schwenk, J. (2013). Randomly Failed! The State of Randomness in Current Java Implementations. In: Dawson, E. (eds) Topics in Cryptology – CT-RSA 2013. CT-RSA 2013. Lecture Notes in Computer Science, vol 7779. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36095-4_9
DOI: https://doi.org/10.1007/978-3-642-36095-4_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-36094-7
Online ISBN: 978-3-642-36095-4