>> Another problem exists: the very first run of the PRNG uses only half
>> of that hash, which cuts the search space in half. That is, even a properly
>> seeded PRNG (several hundred bytes) will output its first
>> MD_DIGEST_LENGTH/2 bytes subject to a search-it-all attack with a search
>> space of MD_DIGEST_LENGTH/2 bytes.
>> 
>> The solution is simple: output and forget the first N*1023 bytes from the PRNG.

Please take a look at the 'stirred_pool' variable in crypto/rand/md_rand.c
in OpenSSL snapshots.


> The minimum number of entropy bits is 128 (= 16 bytes), which is also retrieved
> from /dev/urandom if no other seeding was done.
> Compared to a key size of 128 bits (RC4-MD5) or even 168 bits (3DES), and
> considering that bytes from the random pool may be used for other items,
> I would recommend increasing the minimum amount of seed to either 32 bytes
> or even 48 bytes with respect to the size of the premaster secret
> (#define SSL3_MASTER_SECRET_SIZE 48).

The minimum amount of seed is currently 20 bytes (snapshot versions),
i.e. the size of one DSA secret.


-- 
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
