On Tue, Dec 21, 2010 at 07:45:09PM +0100, Kurt Knochner wrote:

> In libc the rc4 state is only initialized once at the first call of
> arc4_stir() and then there are consecutive calls to arc4_addrandom() which
> is the equivalent of rc4_crypt(). So, there is a difference in the
> implementation. Maybe this is just due to different authors.

There's also a different purpose. See below.

> 
> First question: Which one is the 'correct' implementation, as proposed in
> Applied Cryptography (hint in libc -> arc4random.c)?
> Second question: Does it matter if the implementation is different than the
> one in Applied Cryptography?
Applied Cryptography only has a sketch. Details have to be filled in.

In summary, the kernel arc4 is reseeded completely with bytes from the
entropy pool periodically, while the libc arc4 is seeded once with
bytes from the kernel arc4 at first use after process startup and then
stirred with a sequence of random bytes obtained from the kernel after
every x bytes produced.

I can maybe guess why it is this way, but I'd like a knowledgeable person to
comment on this.

Note that the userland arc4 IS reseeded after an exec and stirred
extra in the child on fork, probably to avoid leaking key state to new
processes.

        -Otto
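The following is an added illustration, not code from this thread and not OpenBSD's libc or kernel source. It models the two seeding strategies Otto contrasts: a kernel-style full reseed that throws the old permutation away, and a libc-style arc4_addrandom() stir that folds new bytes into the permutation that is already in use. The update loops are patterned on the structure of the pre-ChaCha arc4random.c as I remember it, the 1024-byte discard after a reseed and the sample "entropy" bytes are constructed assumptions, and the textbook RC4 routine is included so the Applied Cryptography question can be checked against the published "Key" test vector. The fork functions use a deep copy to stand in for the child inheriting the parent's key state.

```python
import copy


class Arc4State:
    """RC4 permutation plus the two update operations the thread contrasts."""

    DISCARD = 1024  # assumption: bytes dropped after a full reseed, as arc4_stir() does

    def __init__(self) -> None:
        self.s = list(range(256))
        self.i = 0
        self.j = 0

    def addrandom(self, dat: bytes) -> None:
        """libc-style stir: one key-schedule pass that mixes dat into the
        EXISTING permutation. Started from the identity permutation this
        is exactly the textbook RC4 key schedule; started from a used state
        the result depends on everything that happened before."""
        self.i = (self.i - 1) & 0xFF
        for n in range(256):
            self.i = (self.i + 1) & 0xFF
            si = self.s[self.i]
            self.j = (self.j + si + dat[n % len(dat)]) & 0xFF
            self.s[self.i] = self.s[self.j]
            self.s[self.j] = si
        self.j = self.i

    def reseed(self, key: bytes) -> None:
        """kernel-style reseed: forget the old state, re-key from scratch,
        and drop the first DISCARD output bytes."""
        self.__init__()
        self.addrandom(key)
        self.getbytes(self.DISCARD)

    def getbyte(self) -> int:
        self.i = (self.i + 1) & 0xFF
        si = self.s[self.i]
        self.j = (self.j + si) & 0xFF
        sj = self.s[self.j]
        self.s[self.i] = sj
        self.s[self.j] = si
        return self.s[(si + sj) & 0xFF]

    def getbytes(self, n: int) -> bytes:
        return bytes(self.getbyte() for _ in range(n))


def textbook_rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 as sketched in Applied Cryptography: KSA, then PRGA from i = j = 0."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed sample "entropy": fixed bytes so every run is reproducible.
KERNEL_SEED = bytes(range(1, 41))
STIR_BYTES = bytes.fromhex("a5" * 16)
CHILD_STIR = b"child-only-stir-bytes"


def fork_without_stir(n: int = 32):
    """Child inherits the parent's key state and is not stirred: both sides
    now produce the same bytes. Returns (parent_output, child_output)."""
    parent = Arc4State()
    parent.reseed(KERNEL_SEED)
    parent.getbytes(100)            # some use before the fork
    child = copy.deepcopy(parent)   # stand-in for fork()
    return parent.getbytes(n), child.getbytes(n)


def fork_with_child_stir(n: int = 32):
    """Same fork, but the child is stirred with fresh bytes first."""
    parent = Arc4State()
    parent.reseed(KERNEL_SEED)
    parent.getbytes(100)
    child = copy.deepcopy(parent)
    child.addrandom(CHILD_STIR)
    return parent.getbytes(n), child.getbytes(n)


def stir_keeps_history(n: int = 32):
    """Two states with the same seed but different usage, stirred with the
    same bytes: addrandom() does not erase the difference."""
    a, b = Arc4State(), Arc4State()
    a.reseed(KERNEL_SEED)
    b.reseed(KERNEL_SEED)
    b.getbytes(1)                   # b has produced one byte more than a
    a.addrandom(STIR_BYTES)
    b.addrandom(STIR_BYTES)
    return a.getbytes(n), b.getbytes(n)


def reseed_forgets_history(n: int = 32):
    """A full reseed makes the same key give the same stream regardless of use."""
    a, b = Arc4State(), Arc4State()
    a.reseed(KERNEL_SEED)
    b.reseed(KERNEL_SEED)
    b.getbytes(500)
    b.reseed(KERNEL_SEED)
    return a.getbytes(n), b.getbytes(n)
```

Running the two fork functions side by side is the cheapest way to see why the child is stirred: without the extra addrandom() the parent and child emit byte-for-byte identical streams until one of them happens to hit its next scheduled stir. Note also that this variant keys the generator through addrandom() and then starts output from the position the stir left behind, so even its very first bytes after a reseed do not line up with the textbook keystream; that is the kind of detail Otto means when he says the book only gives a sketch.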
