Re: FYI/RFC: early-rng-init-tools
On Thu, 2019-02-28 at 14:52 +0000, Ian Jackson wrote:
[...]
> >       to initialise a stretching RNG (arc4random)
> 
> Why are you feeding this through a separate hashing function rather
> than letting the kernel PRNG's hasher do it ?  I am seriously
> unconvinced that arc4random is a good idea here.

I agree.

[...]
> > • it means you trust a seed file and the arc4random algorithm (to make
> >   a uniform enough stream from the various seeds)
> 
> The question is nothing to do with its uniformity.  The kernel PRNG
> will hash its input.  I think you can feed it whatever.

Yes.

> If the RC4 were critical to the security properties of your scheme,
> then I would be making a much stronger complaint, because RC4 is (of
> course) broken (when used as a supposedly cryptographically secure
> pseudorandom bitstream generator).

The "arc4random" functions really use ChaCha20 today, anyway.

Ben.

> I hope you have found this review helpful.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.
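As an added example (not code from this thread or from early-rng-init-tools): feeding a saved seed file straight to the Linux kernel RNG so the kernel mixes it itself, instead of stretching it through arc4random first. Writing to /dev/urandom mixes the bytes without crediting entropy; the RNDADDENTROPY ioctl (assumed here as the standard Linux value 0x40085203, root required) mixes and credits. The seed bytes and the credit figure are constructed for the demonstration.

```python
import fcntl
import os
import struct

# Linux ioctl number for RNDADDENTROPY, i.e. _IOW('R', 0x03, int[2]) from <linux/random.h>.
# Assumed constant for x86/ARM Linux; check your kernel headers if in doubt.
RNDADDENTROPY = 0x40085203


def rand_pool_info(seed: bytes, credit_bits: int) -> bytes:
    """Build the struct rand_pool_info payload the kernel expects:
    int entropy_count (bits to credit), int buf_size (bytes), then the raw bytes.
    The kernel hashes whatever it is given, so the seed needs no pre-processing."""
    if credit_bits < 0 or credit_bits > 8 * len(seed):
        raise ValueError("cannot credit more entropy than bits supplied")
    return struct.pack("ii", credit_bits, len(seed)) + seed


def mix_seed_uncredited(seed: bytes, device: str = "/dev/urandom") -> int:
    """Write the seed to the device. The kernel mixes it into its pool but
    does not credit it as entropy. No privileges are needed for this."""
    fd = os.open(device, os.O_WRONLY)
    try:
        return os.write(fd, seed)
    finally:
        os.close(fd)


def mix_seed_credited(seed: bytes, credit_bits: int, device: str = "/dev/urandom") -> None:
    """Mix and credit the seed via RNDADDENTROPY (needs CAP_SYS_ADMIN).
    Only credit as many bits as you actually believe the seed file holds,
    e.g. state saved from a previous boot that an attacker could not have read."""
    payload = rand_pool_info(seed, credit_bits)
    fd = os.open(device, os.O_RDWR)
    try:
        fcntl.ioctl(fd, RNDADDENTROPY, payload)
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Constructed sample seed, not a real seed file.
    seed = bytes(range(32))
    n = mix_seed_uncredited(seed)
    print(f"mixed {n} seed bytes into the kernel pool without crediting entropy")
```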