Subject: Re: arc4random() bug? (leaks key bits after reseeding?)
To: None <tls@rek.tjls.com>
From: None <itojun@iijlab.net>
List: tech-security
Date: 05/29/2002 17:26:52
>So, I'm looking more closely at the arc4random() implementation than
>before, and I have a question.  arc4_init does the usual thing with the
>first several bytes of the stream (to avoid leaking key bits into the
>output):
>
>        /*
>         * Throw away the first N words of output, as suggested in the
>         * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
>         * by Fluhrer, Mantin, and Shamir.  (N = 256 in our case.)
>         */
>        for (n = 0; n < 256 * 4; n++)
>                arc4_randbyte();
>
>But when we "reseed" the cipher, we don't do this.  Looking at the
>"reseeding" process, it seems to be equivalent to setting a new key
>(though the new key depends on the old key as well as new random data).
>Is it not the case that after doing this, we again need to discard the
>beginning of the output stream to avoid leaking key bits?

	i'm not sure about the answer, but from what i've seen from openbsd
	sys/dev/rnd.c, openbsd does not seem to have the above "for" loop.

itojun
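An added example, written for this archive page and not code from the thread, from NetBSD's arc4random or from OpenBSD's rnd.c, that makes the point under discussion measurable: the first keystream bytes RC4 emits after any run of the key schedule are detectably non-uniform, and the discard loop quoted above is what removes that. The reseed step is a simplified model (an assumption, not the real arc4_addrandom): one more key-schedule pass over the live permutation that mixes in new data and restarts the output indices at zero. The statistic counted is the Mantin-Shamir second-byte bias (the second output byte is 0 about 2/256 of the time instead of 1/256), chosen because it is cheap to measure; the test keys are constructed from a fixed xorshift seed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RC4 state: the permutation plus the two output (PRGA) indices. */
struct rc4 {
    uint8_t s[256];
    uint8_t i, j;
};

static void rc4_reset(struct rc4 *c)
{
    for (int n = 0; n < 256; n++) c->s[n] = (uint8_t)n;
    c->i = c->j = 0;
}

/*
 * One key-schedule pass over whatever permutation is in c->s, cycling
 * through dat.  On the identity permutation this is the ordinary RC4 KSA.
 * Calling it again on a live state is our MODEL of an arc4random-style
 * reseed (assumption: not the NetBSD/OpenBSD arc4_addrandom code itself);
 * either way the output indices restart at i = j = 0.
 */
static void rc4_stir(struct rc4 *c, const uint8_t *dat, size_t len)
{
    uint8_t j = 0;
    for (int n = 0; n < 256; n++) {
        j = (uint8_t)(j + c->s[n] + dat[n % len]);
        uint8_t t = c->s[n]; c->s[n] = c->s[j]; c->s[j] = t;
    }
    c->i = c->j = 0;
}

/* Standard PRGA step: one keystream byte. */
static uint8_t rc4_byte(struct rc4 *c)
{
    c->i = (uint8_t)(c->i + 1);
    c->j = (uint8_t)(c->j + c->s[c->i]);
    uint8_t t = c->s[c->i]; c->s[c->i] = c->s[c->j]; c->s[c->j] = t;
    return c->s[(uint8_t)(c->s[c->i] + c->s[c->j])];
}

/* The discard loop the quoted arc4_init performs after keying. */
static void rc4_discard(struct rc4 *c, size_t n)
{
    while (n--) (void)rc4_byte(c);
}

/* xorshift64: reproducible constructed test keys, not a CSPRNG. */
static uint8_t xs_byte(uint64_t *st)
{
    uint64_t x = *st;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    *st = x;
    return (uint8_t)(x >> 56);
}

/*
 * Over `trials` constructed 16-byte keys, count how often the SECOND
 * keystream byte read after the keying step under test is 0.  Mantin and
 * Shamir showed this is about 2/256 straight after the key schedule; a
 * uniform stream gives 1/256.
 *   reseed        : 0 = measure a fresh key; 1 = key, discard 1024 bytes,
 *                   consume 100 bytes, then stir in new data and measure.
 *   discard_after : bytes thrown away after the step being measured.
 */
static unsigned count_second_byte_zero(unsigned trials, int reseed,
                                       size_t discard_after, uint64_t seed)
{
    unsigned zeros = 0;
    for (unsigned t = 0; t < trials; t++) {
        struct rc4 c;
        uint8_t key[16];
        for (int k = 0; k < 16; k++) key[k] = xs_byte(&seed);
        rc4_reset(&c);
        rc4_stir(&c, key, sizeof key);
        if (reseed) {
            rc4_discard(&c, 1024);          /* init-time discard, as in arc4_init */
            rc4_discard(&c, 100);           /* ordinary consumers took some bytes */
            for (int k = 0; k < 16; k++) key[k] = xs_byte(&seed);
            rc4_stir(&c, key, sizeof key);  /* modelled reseed with new data */
        }
        rc4_discard(&c, discard_after);
        (void)rc4_byte(&c);
        if (rc4_byte(&c) == 0) zeros++;
    }
    return zeros;
}

#define TRIALS 40000u
#define SEED   0x9e3779b97f4a7c15ULL   /* fixed seed for the constructed keys */

/* 1 if the zero rate is nearer the biased 2/256 than the uniform 1/256. */
static int shows_bias(int reseed, size_t discard_after)
{
    unsigned zeros = count_second_byte_zero(TRIALS, reseed, discard_after, SEED);
    return zeros * 256u > TRIALS * 3u / 2u;   /* threshold: 1.5/256 */
}

int main(void)
{
    printf("fresh key, no discard   : biased=%d\n", shows_bias(0, 0));
    printf("fresh key, discard 1024 : biased=%d\n", shows_bias(0, 1024));
    printf("reseed,    no discard   : biased=%d\n", shows_bias(1, 0));
    printf("reseed,    discard 1024 : biased=%d\n", shows_bias(1, 1024));
    return 0;
}
```

Under this model the bias shows up both after a fresh key and after the reseed whenever the discard is skipped, and disappears once 1024 bytes are thrown away, which is the behaviour the question above predicts; whether a particular real arc4random reseed restarts the indices the way the model does is exactly what one would check in that code.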