On Thu, 2019-02-28 at 14:52 +0000, Ian Jackson wrote: [...] > > to initialise a stretching RNG (arc4random) > > Why are you feeding this through a separate hashing function rather > than letting the kernel PRNG's hasher do it ? I am seriously > unconvinced that arc4random is a good idea here. I agree. [...] > > • it means you trust a seed file and the arc4random algorithm (to make > > a uniform enough stream from the various seeds) > > The question is nothing to do with its uniformity. The kernel PRNG > will hash its input. I think you can feed it whatever. Yes. > If the RC4 were critical to the security properties of your scheme, > then I would be making a much stronger complaint, because RC4 is (of > course) broken (when used as a supposedly cryptographically secure > pseudorandom bitstream generator). The "arc4random" functions really use ChaCha20 today, anyway. Ben. > I hope you have found this review helpful. -- Ben Hutchings This sentence contradicts itself - no actually it doesn't.
Attachment:
signature.asc
Description: This is a digitally signed message part