On Tue, Dec 21, 2010 at 07:45:09PM +0100, Kurt Knochner wrote:
> In libc the rc4 state is only initialized once at the first call of
> arc4_stir() and then there are consecutive calls to arc4_addrandom() which
> is the equivalent of rc4_crypt(). So, there is a difference in the
> implementation. Maybe this is just due to different authors.

There's also a different purpose. See below.

> First question: Which one is the 'correct' implementation, as proposed in
> Applied Cryptography (hint in libc -> arc4random.c)?
> Second question: Does it matter if the implementation is different than the
> one in Applied Cryptography?

Applied Cryptography only has a sketch. Details have to be filled in.

In summary, the kernel arc4 is reseeded completely with bytes from the
entropy pool periodically, while the libc arc4 is seeded once with bytes
from the kernel arc4 at first use after process startup and then stirred
with a sequence of random bytes obtained from the kernel after every x
bytes produced.

I can maybe guess why it is this way, but I'd like a knowledgeable person
to comment on this.

Note that the userland arc4 IS reseeded after an exec and stirred extra in
the child on fork, probably to avoid leaking key state to new processes.

	-Otto
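To make the stir/addrandom distinction and the fork remark concrete, here is an added model of the libc-style arc4random (example code, not OpenBSD's own): `addrandom` mixes new bytes into the existing RC4 state with the key schedule, `stir` does that with fresh entropy and drops early keystream, and `fork_outputs` shows that a copied (forked) generator emits the same bytes as its parent unless the child is stirred. `os.urandom` stands in for the kernel arc4, and the 1600000-byte quota is a constructed value.

```python
import copy
import os

class Arc4Random:
    """Model of the classic libc arc4random(): RC4 keyed once from the kernel, then stirred (constructed)."""
    def __init__(self, entropy):
        self.s, self.i, self.j, self.count = list(range(256)), 0, 0, 0
        self.entropy = entropy  # callable returning fresh kernel-derived bytes
    def addrandom(self, data):
        # arc4_addrandom(): RC4 key schedule over the existing state, so new bytes are mixed in
        self.i = (self.i - 1) & 0xff
        for k in range(256):
            self.i = (self.i + 1) & 0xff
            si = self.s[self.i]
            self.j = (self.j + si + data[k % len(data)]) & 0xff
            self.s[self.i], self.s[self.j] = self.s[self.j], si
        self.j = self.i
    def stir(self):
        # arc4_stir(): mix in fresh entropy, discard biased early keystream, reset the output quota
        self.addrandom(self.entropy())
        for _ in range(1024):
            self.getbyte()
        self.count = 1600000  # constructed quota of output bytes between stirs
    def getbyte(self):
        self.i = (self.i + 1) & 0xff
        si = self.s[self.i]
        self.j = (self.j + si) & 0xff
        sj = self.s[self.j]
        self.s[self.i], self.s[self.j] = sj, si
        return self.s[(si + sj) & 0xff]
    def getbytes(self, n):
        out = bytearray()
        for _ in range(n):
            if self.count <= 0:  # first use, or quota exhausted: stir before producing more
                self.stir()
            self.count -= 1
            out.append(self.getbyte())
        return bytes(out)

def fork_outputs(stir_child, n=16):
    """Copy a running generator as fork() copies a process image; return next n bytes from each."""
    parent = Arc4Random(lambda: os.urandom(128))  # os.urandom stands in for the kernel arc4
    parent.getbytes(64)
    child = copy.deepcopy(parent)  # fork(): the child inherits the identical RC4 state
    if stir_child:
        child.stir()  # the extra stir in the child that Otto mentions
    return parent.getbytes(n), child.getbytes(n)
```

Without the child stir both processes would hand out the same "random" bytes, which is exactly the key-state leak the extra stir on fork is meant to prevent.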