[Cryptography] Underhanded Crypto

John Denker jsd at av8n.com
Wed Dec 3 13:32:31 EST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed Dec 03 2014 at 7:22:18 AM Ray Dillinger <bear at sonic.net> wrote:

>> [....] relying on uninitialized memory alone,
>> or even mostly, to produce a good PRNG state is crayzee.


On 12/03/2014 05:20 AM, Ben Laurie retorted:
> So crayzee it's not what was going on. In fact, what was going on is what
> you just described. Which you would've known if you actually bothered to
> understand the issue.
> 
> But do carry on bloviating. It is _so_ enlightening.


How firmly has it been established that there is no craziness
going on?  It seems to me that OpenSSL is a library.  The 
code in question
  https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L206
  https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L302
is not called from within OpenSSL AFAICT, so presumably it gets 
called from some higher layer.  Has somebody checked all possible 
applications to verify that whenever purify complains about an 
uninitialized seed, the app is doing things correctly?  If so, 
please cite a reference so we can all read about it.

Not as a strict proof, but as a plausible inference, experience
suggests that folks who use an uninitialized seed are doing so
because they don't trust their other seed-sources.  So at least
sometimes, it is a blind man clutching at a straw that isn't there.
Conversely, if there is a proof that uninitialized seeds are used
only when they are not needed, please explain.

Two wrongs do not make a right ... and fixing one wrong does not
fix the other.  Reverting an iatrogenic error does not mean that
the patient is cured;  the presenting complaint is still there.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBVH9XP/O9SFghczXtAQI9pg//WKhp0R7zP4lojjLaeg0SWYUNWtVv60DO
KR1R6mWmbp8LcKsWNFCS9WBrbIPFP5k0lelTQZTqvoUtlM452KIHDmFCxm+/Tdpj
aDZzu1CixLBCCnsL+xU5KSDGTicogO1q1cSwvyyIV6yPK2gC+xt0/heTITJHC2nh
+Wy+MAEwrhHZcM25aORbWnuJgjHWuLA0Y/Boy3AcYCXqkgO+3a49VdqS/+QuCgzu
+GLF6DX2jyyBrLPt/z1Xvjy+BK+qx4iddqEr5i5db+OfxNn3zcshBDvl1cKEd4vu
KILQqghzZGl0DzM6Y7Vwdk/QdtyOxvBGoGioYDnQVMQ06t4Nn9Y0wcKz4C6IeuAj
THuB7UDbeM3rtL5c/pCGVvonKH09/peycM2q+U/SI/gZ0Ow+u6U2/Whq22OTzbeq
NyKyJl48UsrVHAyk3PSZUNFfz8EpDP+qRVtZ5lkvLb4CPArqVXrq6XAYpifwpoJZ
Ra4uhYptMjHMunWW/wZzCCQMUGjUNx1nIyi06ITfOtKoX2mT4zOf0/yWmUocu+4X
fRPMwalh+9cT9TCwIqTZAuugDgBWqCjPGO12z6AuhL7hugHIeAwKB4gxS77v8MiB
eZHc3ChvOE3WN0FEotZkrBWGLZlbyEHInydyVovVT/9Wof9cMCZDkYbVoSKOVAb2
bk3WvNvq6+4=
=gevo
-----END PGP SIGNATURE-----

