--
> > > Oh dear! This suggestion worries me.
> > > Is it reasonable to expect this arrangement to be secure
> > > against e.g. chosen-entropy attacks?
On Mon, 26 Jul 1999, James A. Donald wrote:
> > Yes. If the attacker knows exactly when the packets arrive (which he
> > cannot) this cannot give him any additional knowledge about the state.
At 10:18 AM 7/26/99 -0700, bram wrote:
> The threat model for yarrow and other SRNGs is that the attacker can not
> only tell when entropy is coming in, but control its contents as well.
The assumption was that entropy was the time of arrival. Even if the
attacker has control over the entropy added to the RC4 state, this cannot
give him any additional information about the state of the RC4 generator.
Thus the worst case is the same as if you did nothing, and of course from
time to time a packet will arrive that did not come from the attacker,
adding entropy of which the attacker is unaware and cannot control.
> The idea is to build something which only fails if the attacker both knows
> the state of the pool at some point and manages to control all attempted
> reseedings.
An RC4 state fulfills this requirement, plus if we reseed from the time of
arrival of packets, the attacker cannot control all incoming packets, thus
even if at some point he knows the state of the pool, that knowledge will
soon be lost.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
Kdyo4Br88Xlrpmdxedxsb+iRl+WbUY9Q2lin8JGP
4hxPM9bxlC8ZeyNeBRnazTzz0j0G45vOXSp/3e6kl
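As an added illustration of both sides of this exchange (not code from the thread, from Yarrow, or from any real RNG): a toy RC4-state pool in Python with a KSA-style mixing pass that is a bijection on the pool state for any fixed input, an exhaustive check on a small pool that attacker-chosen input therefore cannot merge distinct states, a count of how many candidate states a single unknown arrival byte creates for an attacker who knew the state, and the failure case bram describes, where the attacker both knows the state and controls every reseed. The class and function names are mine, and the small pool sizes exist only to keep the exhaustive check fast; n=256 is the real RC4 size.

```python
"""Toy model of the scheme argued over in the thread: an RC4 permutation used
as the entropy pool, with packet-arrival data mixed in by a KSA-style pass.
Added illustration, not the thread's or any real RNG's code."""
import itertools
import math


class RC4Pool:
    """Pool state is (S, i, j): a permutation of range(n) plus the two indices."""

    def __init__(self, n=256, S=None, i=0, j=0):
        self.n = n
        self.S = list(S) if S is not None else list(range(n))
        self.i = i
        self.j = j

    def mix(self, data):
        """Stir the pool with arrival data (RC4 key-scheduling pass).

        For a fixed `data` this is a bijection on (S, j): after each swap the
        old S[k] sits at S[j], so the previous j (and the previous S) can be
        recovered step by step. Adversarial data therefore cannot merge two
        distinct pool states into one, which is the "no worse than doing
        nothing" claim made above.
        """
        if not data:
            return
        j = self.j
        for k in range(self.n):
            j = (j + self.S[k] + data[k % len(data)]) % self.n
            self.S[k], self.S[j] = self.S[j], self.S[k]
        self.j = j

    def output(self, nbytes):
        """Draw output bytes with the usual RC4 PRGA."""
        out = bytearray()
        for _ in range(nbytes):
            self.i = (self.i + 1) % self.n
            self.j = (self.j + self.S[self.i]) % self.n
            self.S[self.i], self.S[self.j] = self.S[self.j], self.S[self.i]
            out.append(self.S[(self.S[self.i] + self.S[self.j]) % self.n])
        return bytes(out)

    def state(self):
        return (tuple(self.S), self.i, self.j)


def mix_is_injective(n, data):
    """Exhaustive check for a small n: mixing `data` into every one of the
    n! permutations must yield n! distinct (S, i, j) states."""
    seen = set()
    for perm in itertools.permutations(range(n)):
        pool = RC4Pool(n, perm)
        pool.mix(data)
        seen.add(pool.state())
    return len(seen) == math.factorial(n)


def candidate_states_after_unknown_byte(n):
    """Attacker knows the pool exactly but not the next arrival byte:
    how many distinct pool states must they now keep as candidates?"""
    seen = set()
    for b in range(n):
        pool = RC4Pool(n)
        pool.mix(bytes([b]))
        seen.add(pool.state())
    return len(seen)


def controlled_reseed_is_predictable(chosen):
    """The failure mode bram describes: the attacker knows the state AND
    supplies every reseed. A replica then tracks the victim pool exactly."""
    victim = RC4Pool()
    replica = RC4Pool(256, victim.S, victim.i, victim.j)
    for d in chosen:  # constructed attacker-chosen reseed inputs
        victim.mix(d)
        replica.mix(d)
    return victim.output(16) == replica.output(16)


if __name__ == "__main__":
    print("mix injective on 6-element pool:", mix_is_injective(6, b"\x00\xff\x00"))
    print("candidate states after one unknown byte:", candidate_states_after_unknown_byte(7))
    print("replica predicts victim:", controlled_reseed_is_predictable([b"attacker", b"data"]))
```

The injectivity check is the formal content of the "worst case is the same as if you did nothing" argument: chosen input can never shrink the set of states the attacker must consider. The last function is the other half of the argument, and the reason the reseed source matters: the bijection gives no protection once the state is known and every input is attacker-supplied, so the security of the scheme rests on the claim that some arrivals are outside the attacker's control.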