On Tue, May 20, 2008 at 10:43:27PM -0700, dean gaudet wrote:
> the so-called "uninitialized" data is actually from the stack right?  an 
> attacker generally controls that (i.e. earlier use of the stack probably 
> includes char buf[] which is controllable).  i don't know what ordering 
> the entropy is added to the PRNG, but if all the useful entropy goes in 
> first then an attacker might get to control the last 1KiB passed through 
> the SHA1.
> 
> yes it's unlikely given what we know today that an attacker could 
> manipulate the state down to a sufficiently small number of outputs, but i 
> really don't see the point of letting an attacker have that sort of 
> control.

If this is true, then all digital signatures, certificates, that use
SHA-1 would have to be discarded.  The PRNG will be the least of your
problems.  Consider that if I were to digitally sign this reply, I am
including in this message text I didn't write (namely, the text to which
you are replying).  Or an attacker who gets to "control" network
packets which are sent out via integrity-protected IPSEC connections.
Crypto checksums have to be able to deal with this sort of thing, and
no, they're not affected.

Controlling the last megabyte of data passed through SHA1 wouldn't
matter; if you could, then you could induce hash collisions, and SHA-1
would be totally broken as a crypto checksum.

                                                - Ted
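To make the collision argument above concrete, here is an added example (not code from the thread or from OpenSSL) that models the pool as SHA-1 over secret entropy followed by a fully attacker-controlled 1 KiB tail, in the ordering dean worried about. The function names and the sample seeds/tails are my own constructions.

```python
import hashlib

TAIL_LEN = 1024  # the "last 1KiB" an attacker is assumed to control


def mix_pool(entropy_chunks, attacker_tail):
    """Toy hash-based pool: feed the useful entropy first, then the
    attacker-controlled tail, and take the SHA-1 digest as the pool output."""
    h = hashlib.sha1()
    for chunk in entropy_chunks:
        h.update(chunk)
    h.update(attacker_tail)
    return h.digest()


def distinct_outputs(seeds, attacker_tail):
    """Count how many different pool outputs remain possible from the attacker's
    point of view, given the unknown seeds and the tail they chose.  Two seeds
    mapping to one output would be a SHA-1 collision with a shared suffix."""
    return len({mix_pool([seed], attacker_tail) for seed in seeds})


def best_attacker_reduction(seeds, tails):
    """The smallest output space any of the candidate tails achieves.  Without
    a collision attack on SHA-1 this never drops below the number of seeds."""
    return min(distinct_outputs(seeds, tail) for tail in tails)


# Constructed sample data: 256 distinct (unknown-to-attacker) seeds and a few
# attacker-chosen 1 KiB tails with different byte patterns.
SAMPLE_SEEDS = [bytes([i]) * 16 for i in range(256)]
SAMPLE_TAILS = [bytes([t]) * TAIL_LEN for t in (0x00, 0x41, 0xFF)] + [
    bytes(range(256)) * (TAIL_LEN // 256)
]

if __name__ == "__main__":
    n = best_attacker_reduction(SAMPLE_SEEDS, SAMPLE_TAILS)
    print(f"seeds: {len(SAMPLE_SEEDS)}, minimum distinct outputs over tails: {n}")
```

Controlling the tail therefore lets the attacker pick *which* function of the seed is computed, not collapse its output space; collapsing it would be exactly the collision Ted describes.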
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]