Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers

Kurt Roeckx Sun, 31 Mar 2013 03:20:17 -0700

On Sun, Mar 31, 2013 at 01:03:52PM +0300, Timo Juhani Lindfors wrote:
> Kurt Roeckx <k...@roeckx.be> writes:
> >> -          md5_hex("$name $alias obfuscate\n"), "\n";
> >> +          hmac_sha256_hex($name, "obfuscate"), "\n";
> >> 
> >> part probably needs some further work. Should it be
> >> 
> >> +          hmac_sha256_hex($name, $alias + "obfuscate"), "\n";
> >
> > This is for the dummy sheet.  It only contains dummy data.  I see
> > no reason to use part of the real key to generate the a dummy hmac.
> 
> Then why use hmac at all in the dummy sheet? Why not just print $name
> there?


I'll probably change it to use sha256_hex() instead so that it
looks like the output of the hmac.


Kurt


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130331101954.ga...@roeckx.be

Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers

Reply via email to