On Sat, Aug 2, 2014 at 11:46 AM, Jacob Appelbaum <jacob@???> wrote:
>
> I'm not really convinced. An attacker who attacks the RNG is going to
> find all of the plausible public seeds. This is what brl did with
> exegesis to attack the Debian RNG bug:
yes, the difference is that different seeds require a different search
space - similar to salting a hash.
the salt does not prevent dictionary attacks, but it does prevent
relatively cheaper dictionary attacks.
> In talking with Tanja Lange, she points me to this OpenSSL-fixed table:
>
> http://www.projectbullrun.org/dual-ec/performance.html
>
> The clock is not a very good entropy source, as expected.
this is why the only "true fix" is a robust hardware entropy source
with access to raw samples (not obscured DRBG output like
RDRAND/RDSEED)
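As an added illustration of that last point (this code is not from the thread or from any project mentioned in it): an entropy estimate only means something when it is run on raw source samples. The constructed "coarse clock" source below yields about 0.15 bits per sample, while the same data pushed through a toy hash-based conditioner (an assumption standing in for a DRBG, not any real one) looks nearly uniform, so the estimator can no longer see the weakness.

```python
import hashlib
import math
from collections import Counter
from typing import List, Sequence


def mcv_min_entropy(samples: Sequence[int]) -> float:
    """Most-common-value min-entropy estimate in bits per sample.
    Point estimate only; the upper-confidence adjustment from
    SP 800-90B section 6.3.1 is deliberately omitted for brevity."""
    if not samples:
        raise ValueError("no samples")
    p_max = max(Counter(samples).values()) / len(samples)
    return -math.log2(p_max)


def constructed_clock_deltas(n: int = 1000) -> List[int]:
    """Constructed raw source: differences between back-to-back reads of a
    coarse clock that ticks once per ten reads, so 90% of deltas are 0."""
    return [1 if i % 10 == 0 else 0 for i in range(n)]


def conditioned_output(raw: Sequence[int], block: int = 10) -> List[int]:
    """Toy conditioner (assumption, not a real DRBG): hash each block of raw
    samples together with a counter and emit the first digest byte. The
    counter alone makes every output differ, whatever the input entropy."""
    out = []
    for k in range(0, len(raw) - block + 1, block):
        msg = k.to_bytes(4, "big") + bytes(raw[k:k + block])
        out.append(hashlib.sha256(msg).digest()[0])
    return out


def compare() -> dict:
    """Estimate min-entropy on the raw samples and on the conditioned output."""
    raw = constructed_clock_deltas()
    return {
        "raw_bits": mcv_min_entropy(raw),
        "conditioned_bits": mcv_min_entropy(conditioned_output(raw)),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name}: {bits:.3f} bits/sample")
```

The conditioned estimate is an artefact of the hash, not evidence of entropy; only the raw figure tells you how much the source actually contributes.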