On Tue, Dec 21, 2010 at 01:33:46PM -0700, Theo de Raadt wrote:
> > - Instead of XOR'ing the results of nanotime into the buffer, XOR
> >   MD5(time), MD5(time + 1ns), MD5(time + 2ns) etc into the buffer. This
> >   does not increase entropy, but having more-or-less uncorrelated data
> >   in the entire buffer should make attacks more difficult.
> 
> I do not understand what hashing principle you are basing this on.
> 
> In essence, md5 doesn't care what is in the buffer, or where it is.
> Placing it at the front, vs massaging it in by hand... Fundamentally
> there is no difference... or is there?

This was based on the following intuition, which has very little to do
with hashing at all:

If our RC4 state is <nanotime_noise><known>, an attacker may be able to
predict *most* of the RC4 state through the first couple of rounds
(until <nanotime_noise> sufficiently interferes with the known state).

It *seems harder* (but I'm not an expert on this kind of thing!) to
predict the first couple of rounds if <nanotime_noise> is hashed (which
means that you have to re-do the complete calculation for each possible
<nanotime_noise>, which may not necessarily be the case above), and if
this hashing is used to distribute the noise over the entire initial
state of the cipher (so that no known portion exists).

Again, though, this is just intuition, and it's not wise to trust our
intuition in this kind of thing. I actually *am* a cryptographer, but
I'm quite new at it and a mathematician specializing in a very different
area, so don't take this as gospel. (I'd be willing to spend some more
time looking into this if we consider it important.)

                Joachim

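The two seed layouts discussed above can be compared directly. The following Python is an added illustration, not code from this thread or from OpenBSD's arc4random; it assumes a 256-byte seed buffer, an 8-byte little-endian nanotime, a fixed byte sequence standing in for the attacker-known filler, and MD5 from `hashlib` as the hash (all constructed choices). It measures how many seed bytes, and how many RC4 KSA permutation slots, change when the nanotime moves by one nanosecond under the `<nanotime_noise><known>` layout versus the hashed-and-spread layout. It measures diffusion only: the set of nanotime candidates an attacker has to search is the same in both cases, as the quoted proposal itself points out.

```python
import hashlib
import struct

BUF_LEN = 256                    # seed buffer length (constructed assumption)
KNOWN = bytes(range(BUF_LEN))    # stand-in for the attacker-known part (constructed)


def layout_concat(nanotime: int) -> bytes:
    """Layout from the quoted message: <nanotime_noise><known>."""
    noise = struct.pack("<Q", nanotime)      # 8 little-endian bytes of time
    return noise + KNOWN[len(noise):]


def layout_hashed(nanotime: int) -> bytes:
    """Proposed layout: XOR MD5(time), MD5(time+1ns), ... over the whole buffer.

    Note that adjacent nanotimes reuse the same digests at shifted offsets
    (block b of t+1 is block b+1 of t), so the spreading is not free of
    structure; at a fixed offset the two digests still differ, which is
    what the byte-level comparison below measures.
    """
    buf = bytearray(KNOWN)
    digest_len = hashlib.md5().digest_size   # 16 bytes
    for block in range(BUF_LEN // digest_len):
        d = hashlib.md5(struct.pack("<Q", nanotime + block)).digest()
        for k, b in enumerate(d):
            buf[block * digest_len + k] ^= b
    return bytes(buf)


def rc4_ksa(key: bytes) -> list:
    """Standard RC4 key-scheduling algorithm; returns the 256-entry permutation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def count_differing(a, b) -> int:
    """Number of positions at which two equal-length sequences differ."""
    return sum(x != y for x, y in zip(a, b))


def diffusion_report(t: int) -> dict:
    """For nanotime t vs t+1: (seed bytes changed, KSA permutation slots changed)."""
    results = {}
    for name, layout in (("concat", layout_concat), ("hashed", layout_hashed)):
        s0, s1 = layout(t), layout(t + 1)
        results[name] = (count_differing(s0, s1),
                         count_differing(rc4_ksa(s0), rc4_ksa(s1)))
    return results


if __name__ == "__main__":
    for name, (seed_diff, perm_diff) in diffusion_report(1000).items():
        print(f"{name:7s} seed bytes changed: {seed_diff:3d}/256  "
              f"KSA slots changed: {perm_diff:3d}/256")
```

Under the concatenated layout a one-nanosecond step changes a single seed byte (two when a carry crosses a byte boundary), so the rest of the buffer is exactly the known filler; under the hashed layout almost every byte changes. The KSA column is printed rather than asserted because how far a small key difference propagates through the RC4 permutation varies with the key, which is precisely the kind of question the message above says intuition should not settle.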