On Mon, May 19, 2008 at 6:30 PM, Thor Lancelot Simon <[EMAIL PROTECTED]> wrote:
> On Sun, May 18, 2008 at 10:07:03PM -0400, Theodore Tso wrote:
>> On Sun, May 18, 2008 at 05:24:51PM -0400, Thor Lancelot Simon wrote:

>> > So you're comfortable with the adversary knowing, let's say, 511 of
>> > the first 512 bits fed through SHA1?

>> *Sigh*.
>>
>> Thor, you clearly have no idea how SHA-1 works.  In fact, I'd be
>> comfortable with an adversary knowing the first megabyte of data fed
>> through SHA1, as long as it was followed up by at least 256 bits which
>> the adversary *didn't* know.

> Thanks for the gratuitous insult.  I'd be perfectly happy with the case
> you'd be happy with, too, but you took my one bit and turned it into 256.
>
> What I _wouldn't_ be happy with is a PRNG which has been fed only known
> data, but enough of it at startup that it agrees to provide output to
> the user.  There are a terrible lot of these around, and pretending that
> stack contents are random is a great way to accidentally build them.
>
> Not feeding in data which you have a pretty darned good idea will be
> predictable -- potentially as the first bits in at RNG startup -- is to
> my mind one thing one can should do to avoid the problem.

No-one pretends that stack contents are random.

The OpenSSL PRNG tries to keep a tally of how much entropy has been
added from external sources.  It won't generate any output for key
generation and such until it is happy about this amount of entropy.
Those stack contents are taken into account with an entropy estimate
of 0.0, i.e., not at all.  Thus, after feeding those 511 known bits to
the OpenSSL PRNG [*], it would still expect just as much additional
seeding as before.  Your failure scenario has nothing to do with the
way this PRNG operates.


[*] Actually the PRNG won't take fractions of bytes, so make that 512
bits, or 504.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
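An added model of the entropy accounting the reply above describes; this is illustrative code, not OpenSSL's md_rand.c. Every input byte is mixed into the pool, but only the caller-supplied estimate is credited, so 512 known bits added at 0.0 leave the seeding requirement unchanged. The 32-byte threshold, 1023-byte pool, 20-byte SHA-1 chunking and the simplified output step are assumptions modelled loosely on the 2008-era implementation.

```python
import hashlib

ENTROPY_NEEDED = 32   # bytes (256 bits); threshold assumed from 2008-era md_rand.c
STATE_SIZE = 1023     # pool size assumed from md_rand.c
DIGEST = 20           # SHA-1 output length

class EntropyPool:
    """Simplified model of RAND_add / RAND_status accounting; not OpenSSL's code."""

    def __init__(self):
        self.state = bytearray(STATE_SIZE)
        self.md = bytes(DIGEST)
        self.st_idx = 0
        self.counter = 0
        self.entropy = 0.0   # credited estimate in bytes, supplied by the caller

    def add(self, buf: bytes, estimate: float) -> None:
        """Mix every input byte into the pool, but credit only the caller's estimate."""
        for off in range(0, len(buf), DIGEST):
            chunk = buf[off:off + DIGEST]
            h = hashlib.sha1()
            h.update(self.md)
            h.update(bytes(self.state[(self.st_idx + k) % STATE_SIZE] for k in range(len(chunk))))
            h.update(chunk)
            h.update(self.counter.to_bytes(8, "little"))
            self.counter += 1
            local = h.digest()
            for k in range(len(chunk)):       # XOR the digest into the pool
                self.state[(self.st_idx + k) % STATE_SIZE] ^= local[k]
            self.md = bytes(a ^ b for a, b in zip(self.md, local))
            self.st_idx = (self.st_idx + len(chunk)) % STATE_SIZE
        self.entropy += estimate   # stack contents go in here with estimate 0.0

    def status(self) -> bool:
        """RAND_status(): seeded only once 256 bits of *credited* entropy are in."""
        return self.entropy >= ENTROPY_NEEDED

    def still_needed(self) -> float:
        """Bytes of credited entropy the pool still demands before producing output."""
        return max(0.0, ENTROPY_NEEDED - self.entropy)

    def bytes_out(self, n: int) -> bytes:
        """Fail closed, like RAND_bytes() for key material, until status() is true."""
        if not self.status():
            raise RuntimeError("PRNG not seeded")
        out = b""
        while len(out) < n:   # simplified output step, not the real generator
            self.counter += 1
            out += hashlib.sha1(self.md + self.counter.to_bytes(8, "little")).digest()
        return out[:n]
```

Adding 64 zero bytes (a constructed stand-in for known stack contents) at estimate 0.0 changes the pool state but leaves `still_needed()` at 32.0, and `bytes_out()` keeps refusing until 32 credited bytes arrive.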
