Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers

To: debian-devel@lists.debian.org
Subject: Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
From: Bastian Blank <waldi@debian.org>
Date: Sat, 30 Mar 2013 16:32:13 +0100
Message-id: <[🔎] 20130330153213.GA12216@waldi.eu.org>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 84y5d4vs30.fsf@sauna.l.org>
References: <84ehrdh2rg.fsf@sauna.l.org> <[🔎] 20130330144109.GA2204@roeckx.be> <[🔎] 84y5d4vs30.fsf@sauna.l.org>

On Sat, Mar 30, 2013 at 05:13:23PM +0200, Timo Juhani Lindfors wrote:
> +          hmac_sha256_hex($name, $alias + "obfuscate"), "\n";

Are you sure HMAC is immune against extension attacks on the "key"? You
may want to append it to the name instead.

Bastian

-- 
It would be illogical to kill without reason.
		-- Spock, "Journey to Babel", stardate 3842.4

Reply to:

References:
- Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
  - From: Timo Juhani Lindfors <timo.lindfors@iki.fi>

Prev by Date: Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
Next by Date: Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
Previous by thread: Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
Next by thread: Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
Index(es):
- Date
- Thread