[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers

On Sat, Mar 30, 2013 at 05:13:23PM +0200, Timo Juhani Lindfors wrote:
> Kurt Roeckx <kurt@roeckx.be> writes:
> > I just pushed a change for this issue to my git repo at:
> > http://anonscm.debian.org/gitweb/?p=users/kroeckx/devotee.git;a=summary
> >
> > I would be grateful if people can review that.
> 
> commit e7f81870d1f8b18e5dcc855e9a001fab95112c0f (Fix generation of
> secret key for secret votes) looks otherwise ok but the
> 
> -          md5_hex("$name $alias obfuscate\n"), "\n";
> +          hmac_sha256_hex($name, "obfuscate"), "\n";
> 
> part probably needs some further work. Should it be
> 
> +          hmac_sha256_hex($name, $alias + "obfuscate"), "\n";

This is for the dummy sheet.  It only contains dummy data.  I see
no reason to use part of the real key to generate the a dummy hmac.


Kurt
Reply to: