On Fri, May 16, 2008 at 6:47 AM, Thor Lancelot Simon <[EMAIL PROTECTED]> wrote:
> On Thu, May 15, 2008 at 11:45:14PM +0200, Bodo Moeller wrote:
>> On Thu, May 15, 2008 at 11:41 PM, Erik de Castro Lopo
>> <[EMAIL PROTECTED]> wrote:
>> > Goetz Babin-Ebell wrote:

>> >> But here the use of this uninitialized data is intentional
>> >> and the programmers are very well aware of what they did.

>> > The use of uninitialized data in this case is stupid because the
>> > entropy of this random data is close to zero.

>> It may be zero, but it may be more, depending on what happened earlier
>> in the program if the same memory locations have been in use before.
>> This may very well include data that would be unpredictable to
>> adversaries -- i.e., entropy; that's the point here.

> Unfortunately, it may also very well include data that would be
> highly predictable to adversaries.

Sure.  That's not a problem, though.  What happens to the PRNG then is
not too different from what happens when you use it to output bits
(except that with RAND_add(), there is no output that might be seen by
the adversary, so seeding with known data should actually be safer
than generating output if you're worrying about this kind of thing at
all).  The adversary may know something about what is going on, but
the internal state still remains secret; and the internal state's
entropy won't be adversely affected more than marginally if at all.
(Because of the way the internal state is structured, this "stirring"
achieved even with a fixed input might even be considered a feature to
improve the distribution of whatever entropy you already have.)

Bodo
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
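Added example (not code from the thread or from OpenSSL): a toy hash-based entropy pool that makes the argument above concrete. The pool is modelled as `state = SHA-256(state || input)`, an assumption chosen for illustration rather than OpenSSL's actual `RAND_add()` internals. It counts how many distinct pool states an adversary must consider in three constructed scenarios: seeding only with memory whose contents the adversary can predict (Erik's objection), seeding with a genuinely secret value, and seeding with that secret value followed by data the adversary knows exactly (Bodo's point that stirring in known data does not reduce the state's entropy).

```python
"""Toy entropy-pool model (added example, not OpenSSL code).

Assumption: the pool update is a one-way compression of the old state
concatenated with the new input.  Real PRNG internals differ, but the
entropy argument made in the thread depends only on this shape.
"""

import hashlib
import math

STATE_LEN = 32  # bytes of pool state


def pool_add(state: bytes, data: bytes) -> bytes:
    """Stir `data` into the pool state (one-way, no output released)."""
    return hashlib.sha256(state + data).digest()


def reachable_states(secret_candidates, known_inputs) -> int:
    """Number of distinct pool states from the adversary's point of view.

    `secret_candidates` enumerates every value the secret seed could take
    as far as the adversary knows; `known_inputs` are values the adversary
    knows exactly (predictable memory contents, fixed strings) that are
    stirred in afterwards.  Each distinct end state is one guess the
    adversary would have to make, so the count measures remaining entropy.
    """
    initial = b"\x00" * STATE_LEN
    states = set()
    for secret in secret_candidates:
        s = pool_add(initial, secret)
        for k in known_inputs:
            s = pool_add(s, k)
        states.add(s)
    return len(states)


def entropy_bits(n_states: int) -> float:
    """Guessing entropy in bits for `n_states` equally likely candidates."""
    return math.log2(n_states)


def scenario_predictable_only() -> int:
    # Case 1: the only seed is "uninitialized" memory whose contents the
    # adversary can predict exactly (constructed here as 16 zero bytes).
    predictable = [b"\x00" * 16]
    return reachable_states(predictable, [])


def scenario_secret_only(secret_bits: int = 12) -> int:
    # Case 2: a secret seed with `secret_bits` bits of entropy, constructed
    # as every bit pattern of that width.
    secrets = [i.to_bytes(2, "big") for i in range(2 ** secret_bits)]
    return reachable_states(secrets, [])


def scenario_secret_plus_known(secret_bits: int = 12) -> int:
    # Case 3: the same secret seed, followed by data the adversary knows
    # (the predictable memory from case 1 and a fixed string).  The state
    # count stays the same: known input stirs the state but does not
    # collapse it, because the secret is still folded into the result.
    secrets = [i.to_bytes(2, "big") for i in range(2 ** secret_bits)]
    known = [b"\x00" * 16, b"adversary knows this"]
    return reachable_states(secrets, known)


if __name__ == "__main__":
    for name, n in [("predictable only", scenario_predictable_only()),
                    ("secret only", scenario_secret_only()),
                    ("secret + known", scenario_secret_plus_known())]:
        print(f"{name:18s}: {n:5d} candidate states = {entropy_bits(n):.1f} bits")
```

Run as a script it prints one line per scenario. The first scenario leaves the adversary with a single candidate state (zero bits), which is the Debian-style failure the thread is about; the second and third both leave 4096 candidates (12 bits), showing that appending known data does not cost entropy. Whether the uninitialized memory is in the first or the third category is exactly the question the thread cannot settle in general, which is why treating it as the only seed is unsafe while mixing it in alongside real entropy is harmless.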