On Sun, May 18, 2008 at 10:07:03PM -0400, Theodore Tso wrote:
> On Sun, May 18, 2008 at 05:24:51PM -0400, Thor Lancelot Simon wrote:
> > So you're comfortable with the adversary knowing, let's say, 511 of
> > the first 512 bits fed through SHA1?
>
> *Sigh*.
>
> Thor, you clearly have no idea how SHA-1 works.  In fact, I'd be
> comfortable with an adversary knowing the first megabyte of data fed
> through SHA1, as long as it was followed up by at least 256 bits which
> the adversary *didn't* know.
Thanks for the gratuitous insult.  I'd be perfectly happy with the case
you'd be happy with, too, but you took my one bit and turned it into 256.

What I _wouldn't_ be happy with is a PRNG which has been fed only known
data, but enough of it at startup that it agrees to provide output to the
user.  There are a terrible lot of these around, and pretending that stack
contents are random is a great way to accidentally build them.

Not feeding in data which you have a pretty darned good idea will be
predictable -- potentially as the first bits in at RNG startup -- is to my
mind one thing one should do to avoid the problem.

Thor
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
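The failure mode Thor describes (a pool that is fed only predictable data, credits it as entropy, and therefore starts handing out output) can be shown with a toy hash-based pool. The code below is an added illustration, not code from this thread or from OpenSSL; `ToyPool`, `naive_seed`, `conservative_seed` and the fixed byte string standing in for "stack contents" are all constructed for the example. It contrasts the two seeding policies: crediting predictable bytes makes the output reproducible by anyone who knows the same inputs, while mixing the same bytes but crediting them zero makes the pool refuse output until an unknown secret arrives, which is the point both sides of the thread agree on.

```python
import hashlib
import os
from typing import Optional

# Constructed stand-in for "stack contents" a naive seeder might feed in.
# It is a fixed byte string here, so anyone who knows the binary and its
# environment can reproduce it exactly; that is the whole problem.
PREDICTABLE_STACK_BYTES = bytes(range(64))   # 64 bytes, all known
KNOWN_PREFIX = b"A" * 1024                    # other known start-up data


class ToyPool:
    """Hypothetical SHA-1 based entropy pool with explicit entropy crediting."""

    READY_THRESHOLD = 256  # credited bits required before output is allowed

    def __init__(self) -> None:
        self.state = b""
        self.credited_bits = 0

    def add(self, data: bytes, credited_bits: int) -> None:
        """Mix data into the pool; the caller supplies the entropy estimate."""
        self.state = hashlib.sha1(self.state + data).digest()
        self.credited_bits += credited_bits

    def ready(self) -> bool:
        return self.credited_bits >= self.READY_THRESHOLD

    def output(self, n: int) -> bytes:
        """Derive n bytes from the state, then rekey; refuses if not seeded."""
        if not self.ready():
            raise RuntimeError("pool refuses output: insufficient credited entropy")
        out = b""
        block = 0
        while len(out) < n:
            out += hashlib.sha1(self.state + block.to_bytes(4, "big")).digest()
            block += 1
        self.state = hashlib.sha1(self.state + b"rekey").digest()
        return out[:n]


def naive_seed(pool: ToyPool) -> None:
    """The bug: credits every byte of predictable stack data as 8 full bits."""
    pool.add(KNOWN_PREFIX, 0)
    pool.add(PREDICTABLE_STACK_BYTES, 8 * len(PREDICTABLE_STACK_BYTES))


def conservative_seed(pool: ToyPool, secret: Optional[bytes]) -> None:
    """Mixes the known data (harmless) but credits it nothing; only the
    unknown secret, if present, counts toward readiness."""
    pool.add(KNOWN_PREFIX, 0)
    pool.add(PREDICTABLE_STACK_BYTES, 0)
    if secret is not None:
        pool.add(secret, 8 * len(secret))


def known_only_pool_is_predictable() -> bool:
    """An observer who knows the same inputs reproduces the victim's output."""
    victim = ToyPool()
    naive_seed(victim)
    observer = ToyPool()
    naive_seed(observer)
    return victim.ready() and victim.output(32) == observer.output(32)


def conservative_pool_refuses_without_secret() -> bool:
    """With zero-credited known data only, the pool never agrees to output."""
    pool = ToyPool()
    conservative_seed(pool, None)
    try:
        pool.output(32)
    except RuntimeError:
        return True
    return False


def unknown_bits_defeat_reconstruction() -> bool:
    """256 unknown bits after a megabyte-class known prefix: an observer's
    best guess at the secret no longer reproduces the output."""
    victim = ToyPool()
    conservative_seed(victim, os.urandom(32))
    observer = ToyPool()
    conservative_seed(observer, os.urandom(32))   # a wrong guess at the secret
    return victim.ready() and victim.output(32) != observer.output(32)


if __name__ == "__main__":
    print("naive pool reproducible by observer:", known_only_pool_is_predictable())
    print("conservative pool refuses without secret:", conservative_pool_refuses_without_secret())
    print("unknown 256 bits defeat reconstruction:", unknown_bits_defeat_reconstruction())
```

The design point is that mixing predictable data into the hash is never what makes a pool weak; crediting it is. A pool that tracks credited bits separately from mixed bytes can accept stack contents, timestamps and similar inputs for free and still refuse to serve output until a source it has reason to believe is unknown to an observer has contributed.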