On Tue, Dec 21, 2010 at 01:24:55PM -0700, Kjell Wooding wrote:
> >"MD5(time), MD5(time + 1ns), MD5(time + 2ns) etc into the buffer. This
> does not increase entropy, but having more-or-less uncorrelated data
> in the entire buffer should make attacks more difficult."
>
> No. Unless you know something I don't, This is voodoo. To do it once might
> add something, but to do it multiple times, with strongly correlated inputs
> seems potentially dangerous. Especially since you are XORing them. Does
> anyone elsewhere in the cryptographic world do something like this?
>
> Can you prove there are no statistical weaknesses in MD5 for such inputs?
Note, as has been pointed out to me, that the kernel only relies on the
entropy of nanotime() until we can get some actual data in, i.e. for a
*very* short time. Thus, this whole discussion is probably moot.
Of course I can't prove that MD5 works, but there *is* some actual
reasoning behind the code I sent:
- random XOR anything_uncorrelated is random, so this shouldn't hurt;
- the output of MD5(time) and MD5(time + 1ns) should look very
different for (practical) hash functions. To the best of my knowledge,
no vulnerabilities *of this kind* are known in MD5;
- spreading the entropy over the entire key should be preferable to
concentrating it in a few bits.
That said, the last "should" is not a very strong argument.
I'm not aware what others do; certainly, no cryptographer will be happy
with a PRNG seeded by a timestamp, so this is not exactly best practice
(probably the best we can do at that time, though.)
Joachim
