On Mon, May 19, 2008 at 12:30:42PM -0400, Thor Lancelot Simon wrote:
> Thanks for the gratuitous insult.  I'd be perfectly happy with the case
> you'd be happy with, too, but you took my one bit and turned it into 256.

But your example is NOT what openssl does.

I recently had a similar issue with Linux's /dev/random, where folks
were similarly confused.  You see, the issue is that SHA-1 takes its
input in 512-bit chunks of data.  If you are only mixing in 256 bits
of randomness, the question is what to do with the other 256 bits.
You could waste CPU time zeroing out those bits, or you can just
shrug your shoulders and say, "I don't care".  The problem is people
who don't understand say "OMG!!! Ur using uninitialized data!", not
getting the fact that the whole point was to mix in the 256 bits of
entropy.  The other uninitialized bits might add more information
unknown to the adversary (in which case it helps), or it might not (in
which case it doesn't matter, because what you're really depending on
is the 256 bits of entropy from a good entropy source).

Of course, you could use the argument that it's a bad idea because a
clueless Debian developer might comment out the call entirely due to
some misguided notion that using uninitialized data was somehow a
security problem.  Until last week, I would have thought that was a
silly argument, but apparently there are people that clueless/stupid/
careless out there....

                                                        - Ted

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
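The argument in the message above, worked through as an added example (this is a toy model written for this page, not OpenSSL's or Linux's RNG code). A SHA-1 compression block is 64 bytes; 32 of them come from the entropy source and the other 32 are filler that may be zeroed, may be stale stack contents the attacker can predict, or may hold bits the attacker does not know. The entropy source is shrunk to a 10-bit toy secret (an assumption made so the brute force finishes instantly; real entropy would be 2^256 candidates), and the "call commented out" case models the failure mode the message warns about. The pool state, the secret value 777 and the filler values are constructed inputs.

```python
"""Toy model: a SHA-1 pool absorbing a 512-bit block that is half entropy,
half filler.  The attacker's work is set by the bits they do not know, and
zeroing the filler buys nothing over leaving it as-is.  Added example; not
OpenSSL or Linux code.  Entropy is deliberately tiny here (demo only)."""
import hashlib

BLOCK_LEN = 64                        # SHA-1 compresses 512-bit (64-byte) blocks
ENTROPY_LEN = 32                      # 256 bits actually drawn from the entropy source
FILLER_LEN = BLOCK_LEN - ENTROPY_LEN  # the "other 256 bits" of the block


def mix(pool: bytes, entropy: bytes, filler: bytes) -> bytes:
    """Absorb one block: previous pool state, 256 bits of entropy, 256 bits of filler."""
    assert len(entropy) == ENTROPY_LEN and len(filler) == FILLER_LEN
    return hashlib.sha1(pool + entropy + filler).digest()


def mix_call_removed(pool: bytes, entropy: bytes, filler: bytes) -> bytes:
    """The failure mode the message warns about: the mixing call is commented
    out, so neither the entropy nor the filler ever reaches the pool."""
    del entropy, filler                 # never used; that is the bug being modelled
    return hashlib.sha1(pool).digest()


def toy_entropy(secret: int) -> bytes:
    """Entropy block whose unknown content is a small integer (demo assumption)."""
    return secret.to_bytes(ENTROPY_LEN, "big")


def toy_filler(known_part: int, unknown_part: int, unknown_bits: int) -> bytes:
    """Filler block: a part the attacker knows (zeroed, or stale stack data they
    can predict) concatenated with `unknown_bits` they cannot."""
    return ((known_part << unknown_bits) | unknown_part).to_bytes(FILLER_LEN, "big")


def attacker_recover(pool, target, entropy_bits, known_filler, unknown_bits, mixer=mix):
    """Brute-force every bit the attacker does not know.  Returns (secret, tries)
    when the pool output is reproduced, or (None, tries) when it never is."""
    tries = 0
    for secret in range(1 << entropy_bits):
        for unknown in range(1 << unknown_bits):
            tries += 1
            candidate = mixer(pool, toy_entropy(secret),
                              toy_filler(known_filler, unknown, unknown_bits))
            if candidate == target:
                return secret, tries
    return None, tries


def demo():
    """Run the four situations from the message and report the attacker's cost."""
    pool = b"previous pool state, assumed known to the attacker"  # constructed
    secret = 777                        # constructed 10-bit toy secret (2^10 candidates)
    garbage = 0xDEADBEEF                # constructed "stale stack" filler contents
    results = {}

    # 1. Filler zeroed at CPU cost; attacker knows it is zero.
    target = mix(pool, toy_entropy(secret), toy_filler(0, 0, 0))
    results["zeroed_filler"] = attacker_recover(pool, target, 10, 0, 0)

    # 2. Filler left as stale data the attacker can predict: identical cost,
    #    so the zeroing bought nothing.
    target = mix(pool, toy_entropy(secret), toy_filler(garbage, 0, 0))
    results["known_garbage_filler"] = attacker_recover(pool, target, 10, garbage, 0)

    # 2b. Same output, but the attacker wrongly assumes the filler was zeroed:
    #     the search space is exhausted without a hit.
    results["wrong_filler_guess"] = attacker_recover(pool, target, 10, 0, 0)

    # 3. Filler carries 4 bits the attacker does not know: the "it helps" case,
    #    search grows by a factor of 2^4.
    target = mix(pool, toy_entropy(secret), toy_filler(garbage, 9, 4))
    results["garbage_4_unknown_bits"] = attacker_recover(pool, target, 10, garbage, 4)

    # 4. Mixing call commented out: output depends on the pool state alone,
    #    so the attacker reproduces it on the first try with no secret at all.
    target = mix_call_removed(pool, toy_entropy(secret), toy_filler(garbage, 9, 4))
    results["mixing_removed"] = attacker_recover(pool, target, 0, 0, 0,
                                                 mixer=mix_call_removed)
    return results


if __name__ == "__main__":
    for name, (found, tries) in demo().items():
        print(f"{name:24s} secret={found!s:5s} tries={tries}")
```

The only quantity that changes the attacker's cost is the number of bits they do not know: known filler, whether zeroed or garbage, costs the same 2^10 search; unknown filler bits multiply it; removing the mixing call collapses it to one guess.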
