Kurt Roeckx k...@roeckx.be writes:
- md5_hex($name $alias obfuscate\n), \n;
+ hmac_sha256_hex($name, obfuscate), \n;
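Review bot: on the `+` line, `$alias` no longer feeds the digest at all, although the `-` line hashed it together with `$name`. As shown, the second argument to hmac_sha256_hex (the key position in Digest::SHA) is only the fixed word obfuscate, so the output is determined by `$name` alone. If the alias is meant to remain secret input, pass it as part of the key, joined with Perl's `.` concatenation operator rather than `+`, and add a comment stating which argument is the key and which is the data.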
part probably needs some further work. Should it be
+ hmac_sha256_hex($name, $alias + obfuscate), \n;
This is for the dummy sheet. It only
On Sun, Mar 31, 2013 at 01:03:52PM +0300, Timo Juhani Lindfors wrote:
Kurt Roeckx k...@roeckx.be writes:
- md5_hex($name $alias obfuscate\n), \n;
+ hmac_sha256_hex($name, obfuscate), \n;
part probably needs some further work. Should it be
+
On Tue, Apr 24, 2012 at 12:56:19PM +0300, Timo Juhani Lindfors wrote:
Hello,
I think I found a bug in devotee (debian vote engine) that breaks the
secrecy of elections.
I just pushed a change for this issue to my git repo at:
Kurt Roeckx k...@roeckx.be writes:
I just pushed a change for this issue to my git repo at:
http://anonscm.debian.org/gitweb/?p=users/kroeckx/devotee.git;a=summary
I would be grateful if people can review that.
commit e7f81870d1f8b18e5dcc855e9a001fab95112c0f (Fix generation of
secret key for
On Sat, Mar 30, 2013 at 05:13:23PM +0200, Timo Juhani Lindfors wrote:
Kurt Roeckx k...@roeckx.be writes:
I just pushed a change for this issue to my git repo at:
http://anonscm.debian.org/gitweb/?p=users/kroeckx/devotee.git;a=summary
I would be grateful if people can review that.
On Sat, Mar 30, 2013 at 05:13:23PM +0200, Timo Juhani Lindfors wrote:
+ hmac_sha256_hex($name, $alias + obfuscate), \n;
Are you sure HMAC is immune against extension attacks on the key? You
may want to append it to the name instead.
Bastian
--
It would be illogical to kill without
On Sat, Mar 30, 2013 at 03:41:09PM +0100, Kurt Roeckx wrote:
I just pushed a change for this issue to my git repo at:
http://anonscm.debian.org/gitweb/?p=users/kroeckx/devotee.git;a=summary
I would be grateful if people can review that.
I also still need to do something about the order of
On Thu, 26 Apr 2012, Timo Weingärtner wrote:
2012-04-26, 23:23:54 Timo Juhani wrote:
Raphael Geissert geiss...@debian.org writes:
print hmac_sha1_hex($v, $m);
Yeah that sounds promising. Now we just need to fix the code that tries
to randomize the order of entries in the tally.
Is
Timo Juhani Lindfors timo.lindf...@iki.fi writes:
votes in the final tally. If I knew the hashes of sufficiently many (maybe
20?) voters I probably could predict the initial state of the RNG and
reverse this randomization step completely.
It seems that if you know the md5 hashes of only four
Timo Juhani Lindfors wrote:
True. We need to both fix the RNG and use a longer moniker.
M = H(CRYPT_PRNG())
for example:
use Digest::SHA qw(sha1_hex);
open(UR, '<', '/dev/urandom') or die($!);
my $rbytes;
die if (sysread(UR, $rbytes, 16) != 16);
my $m = sha1_hex($rbytes);
And while at it,
Raphael Geissert geiss...@debian.org writes:
print hmac_sha1_hex($v, $m);
Yeah that sounds promising. Now we just need to fix the code that tries
to randomize the order of entries in the tally.
Hi,
2012-04-26, 23:23:54 Timo Juhani wrote:
Raphael Geissert geiss...@debian.org writes:
print hmac_sha1_hex($v, $m);
Yeah that sounds promising. Now we just need to fix the code that tries
to randomize the order of entries in the tally.
Is that randomization really needed? Why not just
On 26/04/2012 19:02, Raphael Geissert wrote:
Timo Juhani Lindfors wrote:
True. We need to both fix the RNG and use a longer moniker.
M = H(CRYPT_PRNG())
for example:
use Digest::SHA qw(sha1_hex);
open(UR, '<', '/dev/urandom') or die($!);
my $rbytes;
die if (sysread(UR, $rbytes,
Hello,
I think I found a bug in devotee (debian vote engine) that breaks the
secrecy of elections.
Devotee can be used in either public or secret mode. Leadership
elections are done in the secret mode (constitution 5.2.5). In this mode
devotee gives each voter V a secret moniker M and publishes
* Timo Juhani Lindfors timo.lindf...@iki.fi, 2012-04-24, 12:56:
my @chars = (0 .. 9, 'a' .. 'z', 'A' .. 'Z');
$alias .= join ('', map {$chars[rand $#chars]} 1..8);
On Debian systems the rand() function of perl uses drand48() from eglibc
which implements a 48-bit LCG RNG.
Note that 8
Jakub Wilk jw...@debian.org writes:
Note that 8 random alphanumeric characters can have at most ~47.6 bits
of entropy. So just improving RNG wouldn't help here.
True. We need to both fix the RNG and use a longer moniker.
Also, I just noticed that rand() is also used to randomize the order of