On Fri, May 16, 2008 at 11:24:45AM -0400, Geoff Thorpe wrote:
> On Friday 16 May 2008 00:47:52 Thor Lancelot Simon wrote:
> > On Thu, May 15, 2008 at 11:45:14PM +0200, Bodo Moeller wrote:
> > > It may be zero, but it may be more, depending on what happened earlier
> > > in the program if the same memory locations have been in use before.
> > > This may very well include data that would be unpredictable to
> > > adversaries -- i.e., entropy; that's the point here.
> >
> > Unfortunately, it may also very well include data that would be
> > highly predictable to adversaries.
> 
> If feeding predictable data into a PRNG that was already well seeded with 
> unpredictable data produced a weaker PRNG, then you have found a security bug 
> in the PRNG and I suggest you publish.

Yeah, I've heard that a few times.  However, consider the pathological case,
in which an adversary manages to introduce N-1 bits of known state into your
PRNG which has N bits of internal state.  Are you comfortable with that?  For
what value M are you comfortable with N - M bits of the state having been
introduced by the adversary?  Why?

It seems to me that best practice is to not introduce such state if one
can avoid it, whether one counts it into an entropy estimate or not.

Thor
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to