Re: Beware of /dev/random on Mac OS X

2003-09-02 Thread Michael Shields
In message [EMAIL PROTECTED],
Peter Hendrickson [EMAIL PROTECTED] wrote:
> Apple apparently only accepts bug reports from members of the Apple
> Developers Connection.  If any such members are on this list, it
> might be a good idea to submit a report:
> https://bugreport.apple.com/cgi-bin/WebObjects/RadarWeb.woa

Membership in ADC is available in both free and paid versions.  You
can set up an account for the free version at:
http://connect.apple.com/
-- 
Shields.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Beware of /dev/random on Mac OS X

2003-08-29 Thread Tim Dierks
At 05:01 PM 8/28/2003, Peter Hendrickson wrote:
> First, the entropy pool in Yarrow is only 160 bits.  From Section 6,
> "Open Questions and Plans for the Future", of the Yarrow paper
> referenced above:
> > Yarrow-160, our current construction, is limited to at most 160 bits
> > of security by the size of its entropy accumulation pools.
> If the program needs more than 160 bits, it can seed it with more than
> that amount of entropy.  (Strictly, it could seed it with 160 bits,
> read it, seed it, read it, but this isn't mentioned on the man
> page.)
Can anyone who believes that only having 160 bits of entropy available is 
an interesting weakness tell me why? I'm currently of the belief that 
there's far too much entropy paranoia out there. Barring disclosure of the 
entropy pool, I'm not aware of any plausible attack that could occur if I 
(for example) generate a bunch of keys from a single 160-bit entropy seed, 
given that I believe a 160-bit value to be invulnerable to brute force for 
quite a long time. I can't imagine any situation in which the lack of 
reseeding is going to be the weakness in this scenario, but maybe I'm 
insufficiently imaginative.

 - Tim
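As an added illustration of the point the two messages above are arguing over (this is example code written for this page, not code from the thread, from the Yarrow paper, or from Apple's /dev/random): a deliberately simplified, hypothetical Python model of a generator whose entire state is one 160-bit SHA-1 digest. It shows the two things actually at issue. With no reseeding, every key is a deterministic function of that one 160-bit value, so disclosure of the value replays all of them (the case Tim sets aside with "barring disclosure of the entropy pool"). With the seed/read/seed/read pattern Peter mentions, a disclosed state only exposes the keys derived before the next reseed, because entropy the attacker never saw is mixed in. The class and function names, and the seed and entropy strings, are the example's own constructed values.

```python
import hashlib

POOL_BYTES = 20  # 160 bits: the SHA-1 digest size that bounds Yarrow-160's pools


class ToyPool:
    """Hypothetical, simplified model of a Yarrow-160-style generator.

    This is NOT the Yarrow algorithm and NOT Mac OS X's /dev/random. It keeps
    only the property under discussion: all state is a single 160-bit value,
    and every key is a deterministic function of that value plus a counter
    until the caller mixes in fresh entropy.
    """

    def __init__(self, seed: bytes):
        self.pool = hashlib.sha1(seed).digest()  # 20 bytes = 160 bits of state
        self.counter = 0

    @classmethod
    def from_pool(cls, pool: bytes) -> "ToyPool":
        """Rebuild a generator from a leaked pool value (the attacker's view)."""
        if len(pool) != POOL_BYTES:
            raise ValueError("pool must be exactly 160 bits")
        g = cls.__new__(cls)
        g.pool = pool
        g.counter = 0
        return g

    def reseed(self, fresh_entropy: bytes) -> None:
        """Fold new entropy into the pool. The state never grows past 160 bits,
        so more than 160 bits of input entropy buys no more than 160 bits of
        security; what it does buy is independence from any earlier state."""
        self.pool = hashlib.sha1(self.pool + fresh_entropy).digest()
        self.counter = 0

    def read_key(self, nbytes: int = 16) -> bytes:
        """Derive the next key from (pool, counter); no fresh entropy is used."""
        block = hashlib.sha1(self.pool + self.counter.to_bytes(8, "big")).digest()
        self.counter += 1
        return block[:nbytes]


def keys_without_reseed(seed: bytes, n: int) -> list:
    """Tim's scenario: a bunch of keys from one 160-bit seed, never reseeding."""
    g = ToyPool(seed)
    return [g.read_key() for _ in range(n)]


def attacker_can_replay(seed: bytes, n: int) -> bool:
    """If the 160-bit pool is ever disclosed, every key derived from it falls,
    because nothing but that one value went into them."""
    g = ToyPool(seed)
    honest = [g.read_key() for _ in range(n)]
    leaked = ToyPool.from_pool(g.pool)          # attacker learns the pool state
    return [leaked.read_key() for _ in range(n)] == honest


def reseed_blocks_prediction(seed: bytes, fresh: bytes) -> bool:
    """Peter's seed/read/seed/read pattern: once entropy the attacker never saw
    is mixed in, the attacker's copy of the old pool stops predicting output."""
    g = ToyPool(seed)
    g.read_key()
    leaked = ToyPool.from_pool(g.pool)          # state leaks at this point
    leaked.read_key()                           # attacker stays in sync so far
    g.reseed(fresh)                             # fresh entropy, unseen by attacker
    return g.read_key() != leaked.read_key()


if __name__ == "__main__":
    # Constructed inputs for the demonstration; not real entropy.
    seed = b"constructed example seed"
    fresh = b"constructed fresh entropy"
    print("distinct keys from one seed:", len(set(keys_without_reseed(seed, 8))))
    print("leaked pool replays all keys:", attacker_can_replay(seed, 8))
    print("reseed defeats the replay:", reseed_blocks_prediction(seed, fresh))
```

The model leaves out Yarrow's fast and slow pools, its generator gate and its block-cipher output stage on purpose; only the 160-bit-state property matters for this argument. It also does not try to brute-force the state, since 2^160 trials is exactly why Tim is unworried about that route. What the example does make concrete is that the realistic failure is a disclosed or partially leaked pool, and that reseeding with fresh entropy is what bounds the damage from such a leak, rather than anything about key count.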
