Hi, thanks a lot for your detailed explanation.
* Lutz Jaenicke wrote on Fri, Sep 19, 2008 at 16:46 +0200: > OpenSSL's internal PRNG uses a 1024 byte pool mixing entropy with > SHA-1 so the more bytes a mixed in, the better. At least it cannot hurt > to add any input to it as the entropy in the pool can never decrease > by mixing in more bytes. ok, I just think that at least the last sentence is not neccesarily correct, namely when the entropy sources depend on each other. I guess if SHA-1 is assumed perfect here (and because of the kind of mix which is using it) it might be impossible to construct the data dependency in a way to abuse that because no reversion of SHA-1 should be know, so practically no impact. But in another (general) case it could harm, for instance in worst case the mix function could be an XOR and the dependency of input sources could be a symbolic link, leading to infinite zeros as entropy. Of course this is very artificial, but maybe other dependencies could lead to a weakness of entropy when mixing it with dependent/derived entropy? oki, Steffen About Ingenico Throughout the world businesses rely on Ingenico for secure and expedient electronic transaction acceptance. Ingenico products leverage proven technology, established standards and unparalleled ergonomics to provide optimal reliability, versatility and usability. This comprehensive range of products is complemented by a global array of services and partnerships, enabling businesses in a number of vertical sectors to accept transactions anywhere their business takes them. www.ingenico.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
