Subject: Re: arc4random() bug? (leaks key bits after reseeding?)
To: None <tls@rek.tjls.com>
From: None <itojun@iijlab.net>
List: tech-kern
Date: 05/29/2002 17:26:52
>So, I'm looking more closely at the arc4random() implementation than
>before, and I have a question. arc4_init does the usual thing with the
>first several bytes of the stream (to avoid leaking key bits into the
>output):
>
> /*
> * Throw away the first N words of output, as suggested in the
> * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
> * by Fluher, Mantin, and Shamir. (N = 256 in our case.)
> */
> for (n = 0; n < 256 * 4; n++)
> arc4_randbyte();
>
>But when we "reseed" the cipher, we don't do this. Looking at the
>"reseeding" process, it seems to be equivalent to setting a new key
>(though the new key depends on the old key as well as new random data).
>Is it not the case that after doing this, we again need to discard the
>beginning of the output stream to avoid leaking key bits?
i'm not sure about the answer, but from what i've seen from openbsd
sys/dev/rnd.c, openbsd does not seem to have the above "for" loop.
itojun