Thor Lancelot Simon wrote:

> So you're comfortable with the adversary knowing, let's say, 511 of
> the first 512 bits fed through SHA1?
I'm comfortable with him knowing any number of bits fed into or through the SHA1 provided there are also sufficient bits he does not know. The issue of how many bits he does know is a complete and utter red herring. It doesn't matter. All that matters is whether you feed in enough bits he *doesn't* know.

> Maybe I haven't been clear enough
> here: I specifically object to introducing easy to know information into
> the PRNG at startup time, though if one is going to feed it in at other
> times because "it can't hurt" and extra iterations of the mixing
> function are thought to be helpful, I can't really see why not feed in
> 0xFFFF every 100ms from a timer -- it'd do about as much good.

It doesn't hurt at startup time. It doesn't hurt at any time. Mixing in data an adversary knows *never* hurts you. What hurts you is *not* mixing in enough information the attacker does not know. You are confusing the issue by focusing on things that are not the problem.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
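As an added illustration of the point argued above (example code written for this page, not code from the thread or from OpenSSL's own pool mixing), a toy SHA1-seeded pool in which the work an adversary needs to reconstruct the state is set by the bits they do *not* know, however many known bytes (zero, 64, or 512, all constructed here) are mixed in alongside:

```python
import hashlib


def seed_pool(known: bytes, secret: bytes) -> bytes:
    """Toy model of a hash-based PRNG pool: every byte fed in, whether the
    adversary knows it or not, is absorbed into a single SHA1 state.
    This is illustrative only, not OpenSSL's real mixing function."""
    return hashlib.sha1(known + secret).digest()


def recovery_trials(known: bytes, unknown_bits: int, secret: bytes) -> int:
    """Hash evaluations an adversary needs to reconstruct the pool state
    when they know `known`, know the secret carries `unknown_bits` bits of
    entropy, and can observe the resulting state (worst case for us)."""
    target = seed_pool(known, secret)
    width = (unknown_bits + 7) // 8
    for trial, guess in enumerate(range(1 << unknown_bits), start=1):
        if seed_pool(known, guess.to_bytes(width, "big")) == target:
            return trial
    raise ValueError("secret is wider than the assumed unknown_bits")


def trials_by_known_size(unknown_bits: int, secret: bytes,
                         known_sizes=(0, 64, 512)) -> dict:
    """Same secret, growing amounts of adversary-known input (here a
    constructed run of 0xFF bytes): the trial count does not move, because
    known input neither helps nor hurts; only the unknown bits set the cost."""
    return {n: recovery_trials(b"\xff" * n, unknown_bits, secret)
            for n in known_sizes}


if __name__ == "__main__":
    # Constructed weak secret: 8 bits of entropy, value 200.
    print(trials_by_known_size(8, bytes([200])))
    # 16 unknown bits: 2**8 times more work, again independent of known input.
    print(trials_by_known_size(16, bytes([200, 200])))
```

Raising `unknown_bits` toward a real seed size makes `recovery_trials` infeasible to run, which is exactly the property the pool relies on; the known-byte count never enters that calculation.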