Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
On Sun, Mar 31, 2013 at 01:03:52PM +0300, Timo Juhani Lindfors wrote:
> Kurt Roeckx <kurt@roeckx.be> writes:
> >> - md5_hex("$name $alias obfuscate\n"), "\n";
> >> + hmac_sha256_hex($name, "obfuscate"), "\n";
> >>
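Review bot: the added `+` line drops `$alias` from the hashed input and passes the fixed literal "obfuscate" as the second argument, so nothing secret enters the computation. If that is intended because this code only produces the dummy sheet, a comment beside the call saying so would keep a later reader from mistaking it for the derivation used on real data.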
> >> part probably needs some further work. Should it be
> >>
> >> + hmac_sha256_hex($name, $alias + "obfuscate"), "\n";
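Review bot: in this suggested line, `$alias + "obfuscate"` uses Perl's numeric addition operator, so both operands are coerced to numbers and the second argument is not the concatenated string. String concatenation in Perl is `.`, so the expression would need to be `$alias . "obfuscate"`.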
> >
> > This is for the dummy sheet. It only contains dummy data. I see
> > no reason to use part of the real key to generate a dummy hmac.
>
> Then why use hmac at all in the dummy sheet? Why not just print $name
> there?
I'll probably change it to use sha256_hex() instead so that it
looks like the output of the hmac.
Kurt