
Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers



On Thu, 26 Apr 2012, Timo Weingärtner wrote:
> 2012-04-26, 23:23:54 Timo Juhani wrote:
> > Raphael Geissert <geissert@debian.org> writes:
> > > print hmac_sha1_hex($v, $m);
> > 
> > Yeah that sounds promising. Now we just need to fix the code that tries
> > to randomize the order of entries in the tally.
> 
> Is that randomization really needed? Why not just sort based on the hashes?

Please just sort the HMAC output, you won't leak any more data that way,
and it actually makes the output more usable...

Also, unless there is a strong reason not to, please consider using
hmac_sha256_hex().

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
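The scheme discussed in this thread (monikers derived as an HMAC of a per-vote secret, and the tally ordered by sorting those monikers instead of shuffling them with an RNG), as an added example that is not devotee's own code and not written by any participant here. It is in Python rather than devotee's Perl, and the secret, voter ids and rankings are constructed placeholders.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Constructed example data: a per-vote secret and a few voter identifiers.
# None of these values are real; they stand in for what the vote engine
# would hold when it builds the tally.
VOTE_SECRET = b"example-per-vote-secret-not-real"
BALLOTS: Dict[str, str] = {
    "alice@example.org": "1234",
    "bob@example.org": "2143",
    "carol@example.org": "4321",
}


def moniker(secret: bytes, voter: str, algo: str = "sha256") -> str:
    """Derive a voter's public moniker as HMAC(secret, voter id), hex-encoded.

    The moniker is deterministic for a given secret, so the voter can be told
    it and later find their own row, but without the secret it cannot be
    linked back to the voter id. 'sha256' matches hmac_sha256_hex(); pass
    'sha1' for the hmac_sha1_hex() variant quoted earlier in the thread.
    """
    digestmod = getattr(hashlib, algo)
    return hmac.new(secret, voter.encode("utf-8"), digestmod).hexdigest()


def tally(secret: bytes, ballots: Dict[str, str]) -> List[Tuple[str, str]]:
    """Build the public tally as (moniker, ranking) rows sorted by moniker.

    Ordering by the HMAC output makes the row order a pure function of data
    that is published anyway, so no RNG state is involved and the order
    cannot leak anything the monikers themselves do not.
    """
    rows = [(moniker(secret, voter), ranking) for voter, ranking in ballots.items()]
    rows.sort(key=lambda row: row[0])
    return rows


def find_own_row(secret: bytes, voter: str,
                 published: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Locate a voter's own row in a published tally by recomputing the moniker.

    Assumed helper: in practice the voter would be sent the moniker rather
    than recompute it, but the lookup is the same.
    """
    mine = moniker(secret, voter)
    for row in published:
        if row[0] == mine:
            return row
    raise KeyError("moniker not present in tally")


if __name__ == "__main__":
    for m, ranking in tally(VOTE_SECRET, BALLOTS):
        print(m, ranking)
```

Because the sort key is the moniker, two runs over the same ballots produce byte-identical tallies, which is also what makes the published output easy to diff or verify independently.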

