On Mon, Jun 26, 2017 at 09:39:47PM -0700, John Denker via openssl-dev wrote:
>
> I'm not mentioning any names, but some people are *unduly*
> worried about recovery following compromise of the PRNG
> internal state, so they constantly re-seed the PRNG, to
> the point where it becomes a denial-of-service attack
> against the upstream source of randomness.
>
> This is also mostly pointless, because any attack that
> compromises the PRNG state will likely compromise so many
> other things that recovery will be very difficult. All
> future outputs will be suspect.
>
> So please let's not go overboard in that direction.
>
> On the other hand, it seems reasonable to insist on /forward/
> secrecy. That is, we should insist that /previous/ outputs
> should not be compromised. This is achievable at small but
> not-quite-zero cost.
I think that's named backward secrecy?

Kurt

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
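The property the quoted post is after (a leaked PRNG state must not expose earlier outputs, while later outputs are suspect regardless) is easiest to see in code. The following is an added illustration, not code from the thread or from OpenSSL: two toy SHA-256 generators, `CounterPRNG` (key never changes) and `RatchetPRNG` (state replaced by a one-way image after every block), both constructed here with made-up names and seeds.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenated parts (toy hash wrapper)."""
    return hashlib.sha256(b"".join(parts)).digest()

class CounterPRNG:
    """No forward secrecy: output_i = H(key || i) and the key never changes,
    so whoever reads (key, counter) can recompute every earlier output."""
    def __init__(self, seed: bytes):
        self._key, self._ctr = H(b"ctr-seed", seed), 0
    def next_block(self) -> bytes:
        blk = H(self._key, self._ctr.to_bytes(8, "big"))
        self._ctr += 1
        return blk
    def dump_state(self):            # simulates a state compromise
        return self._key, self._ctr

class RatchetPRNG:
    """Forward secrecy: output_i = H(0 || s_i), then s_{i+1} = H(1 || s_i).
    The old state is overwritten by its one-way image, so a leaked s_i
    yields future outputs (still suspect, as the post says) but recovering
    an earlier s_j would require inverting SHA-256."""
    def __init__(self, seed: bytes):
        self._state = H(b"ratchet-seed", seed)
    def next_block(self) -> bytes:
        blk = H(b"\x00", self._state)
        self._state = H(b"\x01", self._state)   # ratchet: s_i is gone
        return blk
    def dump_state(self) -> bytes:   # simulates a state compromise
        return self._state

def counter_past_outputs(key: bytes, ctr: int) -> list:
    """What a CounterPRNG state leak exposes: every block emitted so far."""
    return [H(key, i.to_bytes(8, "big")) for i in range(ctr)]

def ratchet_future_outputs(state: bytes, n: int) -> list:
    """What a RatchetPRNG state leak exposes: only blocks from now on."""
    clone = RatchetPRNG(b"")
    clone._state = state
    return [clone.next_block() for _ in range(n)]
```

Re-seeding a ratcheted generator only gains something for the future outputs; the earlier ones were already protected by the ratchet, which is the "small but not-quite-zero cost" the post refers to.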