[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers

On Sun, Mar 31, 2013 at 01:03:52PM +0300, Timo Juhani Lindfors wrote:
> Kurt Roeckx <kurt@roeckx.be> writes:
> >> -          md5_hex("$name $alias obfuscate\n"), "\n";
> >> +          hmac_sha256_hex($name, "obfuscate"), "\n";
> >> 
> >> part probably needs some further work. Should it be
> >> 
> >> +          hmac_sha256_hex($name, $alias + "obfuscate"), "\n";
> >
> > This is for the dummy sheet.  It only contains dummy data.  I see
> > no reason to use part of the real key to generate the a dummy hmac.
> 
> Then why use hmac at all in the dummy sheet? Why not just print $name
> there?

I'll probably change it to use sha256_hex() instead so that it
looks like the output of the hmac.


Kurt
Reply to: