Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers

To: Kurt Roeckx <kurt@roeckx.be>
Cc: debian-devel@lists.debian.org
Subject: Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
From: Timo Juhani Lindfors <timo.lindfors@iki.fi>
Date: Sat, 30 Mar 2013 17:13:23 +0200
Message-id: <[🔎] 84y5d4vs30.fsf@sauna.l.org>
In-reply-to: <[🔎] 20130330144109.GA2204@roeckx.be> (Kurt Roeckx's message of "Sat, 30 Mar 2013 15:41:09 +0100")
References: <84ehrdh2rg.fsf@sauna.l.org> <[🔎] 20130330144109.GA2204@roeckx.be>

Kurt Roeckx <kurt@roeckx.be> writes:
> I just pushed a change for this issue to my git repo at:
> http://anonscm.debian.org/gitweb/?p=users/kroeckx/devotee.git;a=summary
>
> I would be grateful if people can review that.

commit e7f81870d1f8b18e5dcc855e9a001fab95112c0f (Fix generation of
secret key for secret votes) looks otherwise ok but the

-          md5_hex("$name $alias obfuscate\n"), "\n";
+          hmac_sha256_hex($name, "obfuscate"), "\n";

part probably needs some further work. Should it be

+          hmac_sha256_hex($name, $alias + "obfuscate"), "\n";

?

Reply to:

Follow-Ups:
- Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
  - From: Bastian Blank <waldi@debian.org>

References:
- Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
  - From: Kurt Roeckx <kurt@roeckx.be>

Prev by Date: Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
Next by Date: Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
Previous by thread: Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
Next by thread: Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
Index(es):
- Date
- Thread