Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
On Thu, 26 Apr 2012, Timo Weingärtner wrote:
> 2012-04-26, 23:23:54 Timo Juhani wrote:
> > Raphael Geissert <email@example.com> writes:
> > > print hmac_sha1_hex($v, $m);
> > Yeah that sounds promising. Now we just need to fix the code that tries
> > to randomize the order of entries in the tally.
> Is that randomization really needed? Why not just sort based on the hashes?
Please just short he HMAC output, you won't leak any more data that way,
and it actually makes the output more usable...
Also, unless there is a strong reason not to, please consider using
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot