Thanks Keith, It looks like there's a disconnect between the code you are citing and the code on Android:
https://android.googlesource.com/platform/libcore/+/master/luni/src/main/java/java/security/SecureRandom.java https://android.googlesource.com/platform/libcore/+/master/luni/src/main/java/java/security/SecureRandomSpi.java For example, I could not find the call to Sun's stuff in Android's code (from the blog): this.secureRandomSpi = new sun.security.provider.SecureRandom(); >From the Android code, it looks like SecureRandom's default constructor never calls setSeed(byte[]). I believe its supposed to make the call internally on the default constructor. For completeness, I believe SecureRandom(long) forgoes the internal call to setSeed(byte[]), which creates a repeatable sequence. This is documented behavior (the last time I checked), but its very undesirable under most circumstances. I thought the Bitcoin folks were doing this, but it appears the Android code is doing this internally. Additionally, SecureRandomSpi never calls setSeed either. There's also a engineGenerateSeed in SecureRandomSpi, but its abstract. I don't see where SecureRandom really uses it (like in a default constructor). I'm not clear on the interactions between SecureRandom and SecureRandomSpi. In both cases, neither SecureRandom and SecureRandomSpi bother fetching from /dev/{u}random. Finally, there's an ENGINE, but I can't find the source code. I suspect the ENGINE should be doing the /dev/{u}random lifting and seeding. But I don't know how its fits into the design with SecureRandom and SecureRandomSpi. On Mon, Aug 19, 2013 at 2:24 PM, Keith Makan <k3170ma...@gmail.com> wrote: > Hi Jeff, > > I've read some of the source code related to the issue, here are my results: > http://blog.k3170makan.com/2013/08/details-on-android-jca-prng-flaws.html > > On Monday, August 12, 2013 8:24:02 PM UTC+2, Jeffrey Walton wrote: >> >> Interesting reading here.... >> >> Does anyone know precisely what the flaw is/was (why was the PRNG >> returning the same values)? Did the developers of the wallet provide >> the same seed each time? Or did the PRNG fail? >> >> >> http://nakedsecurity.sophos.com/2013/08/12/android-random-number-flaw-implicated-in-bitcoin-thefts/ >> >> Jeff -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. To post to this group, send email to android-security-discuss@googlegroups.com. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/groups/opt_out.
