lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 19 Aug 2012 12:28:47 +0200
From: Marcus Meissner <meissner@...e.de>
To: coderman <coderman@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: how i stopped worrying and loved the backdoor

On Sat, Aug 18, 2012 at 04:00:20PM -0700, coderman wrote:
> Dan just released "DakaRand"
>   http://dankaminsky.com/2012/08/15/dakarand/
> 
> src http://s3.amazonaws.com/dmk/dakarand-1.0.tgz
> 
> while admitting that "Matt Blaze has essentially disowned this
> approach, and seems to be honestly horrified that I’m revisiting it"
> and "Let me be the first to say, I don’t know that this works." this
> mode would greatly reduce, maybe eliminate the incidence of key
> duplication in large sample sets (e.g. visibly poor entropy for key
> generation)
> 
> the weak keys[0] authors clearly posit that they have detected merely
> the most obvious and readily accessible poor keys, and that further
> attacks against generator state could yield even more vulnerable
> pairs... you have been warned :P
> 
> the solution is adding hw entropy[1][2] to the mix. anything less is
> doing it wrong!
> 
> if you don't have hw entropy, adding dakarand is better than not.

Lots of people are using "haveged" already, it operates on a similar principle.

http://www.issihosts.com/haveged/

Ciao, Marcus

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists