LINUX.IE, website of the Irish Linux Users' Group

[ILUG] serious Debian/Ubuntu security hole found


paul at clubi.ie
Sat May 17 12:13:07 IST 2008


On Sat, 17 May 2008, Timothy Murphy wrote:

> Are you an expert on Zener diodes, or are you taking the word
> of someone who is?

And are you? Also, mathematics is a wide field - are you an expert on 
random numbers and PRNGs? ;)

At the end of the day, engineers have to use their reasoning and 
experience to figure out how to best apply the results from the 
physical, mathematical and computational sciences - and not always 
with full understanding of the theory that led to those results. My 
understanding is that best practice at the moment is to try mix* 
empirical entropy together with a cryptographic PRNG**, to try get 
the best of both worlds - so knowledge of both inputs is required to 
know the output***.

Experience tells us that even once popular and widely-used PRNG 
algorithms can later be found to have flaws. Also, we're all 
well-aware that the real world is both malleable and not 
well-understood.

I'm curious why people here should favour your arguments and ignore 
best-practice in computer engineering. If your arguments should be so 
convincing then surely we should be reading of them in a paper in 
a peer-reviewed journal? :)

--paulj

* This can be done in ways that ensure output always contains
   supposed entropy from both, or done so that empirical entropy is
   mixed in with the PRNG as it's available.

** The OpenSSL one uses SHA-1

*** Course, this is easy to get wrong too, OpenSSL had a big flaw
     ages ago:

     http://www.mail-archive.com/openssl-announce@openssl.org/msg00024.html

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
Fortune:
"Imitation is the sincerest form of television."
-- The New Mighty Mouse
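
The mixing idea described in the message above, as an added example that is not part of the original post and not OpenSSL's code: a toy generator that hashes a deterministic PRNG state together with empirical entropy samples, using SHA-256 in place of the SHA-1 the post mentions. The class, function, seed and sample values are all constructed for illustration.

```python
import hashlib
import hmac


class MixedGenerator:
    """Toy generator: a deterministic hash ratchet (the PRNG part) that
    also absorbs empirical entropy samples. Illustration only."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"init" + seed).digest()
        self.counter = 0

    def mix_in(self, sample: bytes) -> None:
        # Fold an entropy sample into the state whenever one is available.
        self.state = hashlib.sha256(b"mix" + self.state + sample).digest()

    def output(self, fresh: bytes = b"") -> bytes:
        # Passing `fresh` makes this block depend on new entropy as well as
        # the state, so every output contains input from both sources.
        self.counter += 1
        ctr = self.counter.to_bytes(8, "big")
        block = hmac.new(self.state, b"out" + ctr + fresh, hashlib.sha256).digest()
        # Ratchet forward so a later state leak does not reveal this block.
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return block


def run(seed: bytes, samples: list[bytes]) -> list[bytes]:
    """Mix in one sample before each output block and return the blocks."""
    gen = MixedGenerator(seed)
    blocks = []
    for sample in samples:
        gen.mix_in(sample)
        blocks.append(gen.output())
    return blocks


# Constructed sample inputs, not real measurements.
SEED = b"constructed-prng-seed"
SAMPLES = [b"\x13\x9a", b"\x07\x42", b"\xee\x01"]

if __name__ == "__main__":
    real = run(SEED, SAMPLES)
    print("knows both   :", run(SEED, SAMPLES) == real)
    print("seed only    :", run(SEED, [b"", b"", b""]) == real)
    print("entropy only :", run(b"wrong-seed", SAMPLES) == real)
```

Only the run that has both the seed and the entropy samples reproduces the output; the protection is only as good as the unpredictability of whichever input the observer lacks.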


