[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers

On Sat, Mar 30, 2013 at 05:13:23PM +0200, Timo Juhani Lindfors wrote:
> +          hmac_sha256_hex($name, $alias + "obfuscate"), "\n";

Are you sure HMAC is immune against extension attacks on the "key"? You
may want to append it to the name instead.


It would be illogical to kill without reason.
		-- Spock, "Journey to Babel", stardate 3842.4

Reply to: