On Tue, Dec 21, 2010 at 07:45:09PM +0100, Kurt Knochner wrote:
> A last thing:
>
> From: src/lib/libc/crypt/arc4random.c
>
> arc4_stir(void)
> {
> <snip>
>
> 	/*
> 	 * Discard early keystream, as per recommendations in:
> 	 * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
> 	 */
> 	for (i = 0; i < 256; i++)
> 		(void)arc4_getbyte();
> 	arc4_count = 1600000;
> }
>
>
> The first 256 bytes will be skipped due to the mentioned paper. Similar code
> exists in rnd.c.
>
> 	/*
> 	 * Throw away the first N words of output, as suggested in the
> 	 * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
> 	 * by Fluher, Mantin, and Shamir. (N = 256 in our case.)
> 	 */
> 	rc4_skip(&arc4random_state, 256 * 4);
> 	mtx_leave(&rndlock);
>
> However, here 1024 bytes (256 * 4) will be skipped. Maybe that's just a
> misinterpretation of what a "word" is (byte or integer).

Could be. As I read it in the paper by Fluhrer, Mantin and Shamir, it
means discard 256 bytes, since n = 8 and N = 256. Though some
references (found via Wikipedia) suggest increasing the number of
bytes discarded.

-Otto

>
> Maybe I'm paranoid and see problems where there are none. But then, this is
> part of the crypto code and there should be no open questions about the
> implementation details.
>
> Regards
> Kurt Knochner
>
> http://knochner.com/
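The discard-N-bytes step the thread is arguing about (256 vs. 256 * 4) is just a loop that pulls keystream bytes from the generator and throws them away. The following is an added example, not code from this thread or from OpenBSD's arc4random.c/rnd.c: a small RC4 implementation (KSA plus PRGA), a `rc4_skip()` with the same shape as the quoted loops, a self-check against the published "Key"/"Plaintext" test vector, and a reproducible measurement of why early output is discarded at all. It uses the second-byte bias published by Mantin and Shamir (the second keystream byte is zero roughly twice as often as it should be), which disappears once the first few hundred bytes are dropped. The key generator `xs32()` and the trial counts are constructed for the experiment and are assumptions of this example, not values from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal RC4 state: the permutation S plus the two indices i and j. */
struct rc4_ctx {
    uint8_t s[256];
    uint8_t i, j;
};

/* Key-scheduling algorithm (KSA): build the permutation from the key. */
static void rc4_init(struct rc4_ctx *c, const uint8_t *key, size_t keylen)
{
    int n;
    uint8_t j = 0, t;
    for (n = 0; n < 256; n++)
        c->s[n] = (uint8_t)n;
    for (n = 0; n < 256; n++) {
        j = (uint8_t)(j + c->s[n] + key[n % keylen]);
        t = c->s[n]; c->s[n] = c->s[j]; c->s[j] = t;
    }
    c->i = c->j = 0;
}

/* One step of the PRGA: returns the next keystream byte. */
static uint8_t rc4_getbyte(struct rc4_ctx *c)
{
    uint8_t t;
    c->i = (uint8_t)(c->i + 1);
    c->j = (uint8_t)(c->j + c->s[c->i]);
    t = c->s[c->i]; c->s[c->i] = c->s[c->j]; c->s[c->j] = t;
    return c->s[(uint8_t)(c->s[c->i] + c->s[c->j])];
}

/* Discard n keystream bytes: the same idea as the arc4_getbyte() loop and
 * the rc4_skip() call quoted in the thread. The argument is a byte count,
 * so 256 and 256 * 4 simply run this loop 256 or 1024 times. */
static void rc4_skip(struct rc4_ctx *c, size_t n)
{
    while (n-- > 0)
        (void)rc4_getbyte(c);
}

/* Sanity check against the published RC4 test vector: key "Key" applied to
 * "Plaintext" must give BB F3 16 E8 D9 40 AF 0A D3. Returns 1 on match. */
int rc4_selfcheck(void)
{
    static const uint8_t expect[9] =
        {0xBB, 0xF3, 0x16, 0xE8, 0xD9, 0x40, 0xAF, 0x0A, 0xD3};
    const char *pt = "Plaintext";
    struct rc4_ctx c;
    size_t k;
    rc4_init(&c, (const uint8_t *)"Key", 3);
    for (k = 0; k < 9; k++)
        if ((uint8_t)(pt[k] ^ rc4_getbyte(&c)) != expect[k])
            return 0;
    return 1;
}

/* Deterministic xorshift generator used only to produce sample keys, so the
 * experiment is reproducible (constructed for this example; not a CSPRNG). */
static uint32_t xs_state = 0x9E3779B9u;
static uint32_t xs32(void)
{
    uint32_t x = xs_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return xs_state = x;
}

/* Count how often the keystream byte emitted after discarding 'skip' bytes is
 * zero, over 'trials' fresh 16-byte keys. For a uniform keystream the
 * expectation is trials / 256; skip = 1 looks at RC4's biased second byte. */
long count_zero_at(size_t skip, long trials)
{
    long hits = 0, t;
    uint8_t key[16];
    size_t k;
    struct rc4_ctx c;
    xs_state = 0x9E3779B9u;   /* reset so every call sees the same keys */
    for (t = 0; t < trials; t++) {
        for (k = 0; k < sizeof key; k++)
            key[k] = (uint8_t)(xs32() >> 24);
        rc4_init(&c, key, sizeof key);
        rc4_skip(&c, skip);
        if (rc4_getbyte(&c) == 0)
            hits++;
    }
    return hits;
}

int main(void)
{
    long trials = 20000;
    printf("self-check: %s\n", rc4_selfcheck() ? "ok" : "FAIL");
    printf("uniform expectation per position: %ld\n", trials / 256);
    printf("zero at byte 2   (skip 1):   %ld\n", count_zero_at(1, trials));
    printf("zero at byte 257 (skip 256): %ld\n", count_zero_at(256, trials));
    return 0;
}
```

With 20000 keys the second byte comes up zero about 156 times against a uniform expectation of about 78, while the byte after a 256-byte skip sits at the uniform rate. That is the defensive reason for the discard step; whether the count should be 256 bytes, as the paper's N = 256 with n = 8 reads, or larger is exactly the question left open in the thread, and the code above makes clear that the count passed to the skip loop is a number of bytes either way.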