Hello Art, the commented code is only for keyboard entropy collector. I agree that is not very pretty left there unattended, but should not compromise the security either. :)
Giulio Cesare On Sat, Feb 18, 2012 at 8:59 PM, Arturo Filastò <[email protected]> wrote: > > On Feb 18, 2012, at 9:35 PM, [email protected] wrote: > >> >> Anyway, in a JavaScript environment, more than the actual AES >> implementation, the actual PRNG used is what may create a real >> difference on the overall security of the processed data. >> > > Agreed, that's also why I was suggesting that you use parts of SJCL they > have done quite a good study on how to implement a proper PRNG and > ways to collect entropy. > > I saw some funny stuff (but I must say I didn't audit it properly and what I > say should be taken with a grain of salt) in the entropy collection code. > > Such as entropy collection code that is commented out: > https://github.com/clipperz/javascript-crypto-library/blob/master/js/Clipperz/Crypto/PRNG.js#L361 > > > - Art. > > > _______________________________________________ > > http://openpgpjs.org _______________________________________________ http://openpgpjs.org
