Hi Ish,
At 11:47 10-04-2017, Ish Sookun wrote:
>I saw your comment [1] on twitter about this catchy title by a press in
>Mauritius about defying the [removed]. You asked
>whether it is about RC4 and the answer was affirmative. Your next tweet
>includes a link [2] to the version control repository of FreeBSD. Did I
>understand well that the patch for 'arc4random.c' is suggested as a
>bandaid [3]?
I sometimes read the local tech-related news articles. I asked the
journalist whether it was about RC4 as the news article did not
contain the technical details which I was interested in. The patch
is described as a bandaid as RC4 is no longer recommended and because
OpenBSD has already switched from RC4 to ChaCha20. I was interested
in where the patch came from; it was from FreeBSD.
>I had a glance at the paper [4] by Ilya Mironov in which he proposed
>dumping at least the first 512 bytes of the RC4 stream cipher output.
>
>I imagine your tweet intended a *pun* but I am not sure which it was,
>the bandaid part (which means the patch is just temporary, until a
>stronger pseudorandom number generator is used) or is it completely
>missing due credit to Ilya Mironov?
My tweet was a simple question. As I received a reply, I provided a
link in case anyone was interested in RC4. There is an academic
paper [1] from 2001 about the RC4 security issue. I wondered about
whether it was worthwhile to provide a temporary patch instead of
porting code which is already available from OpenBSD. There was also
a short discussion on a FreeBSD mailing list in March about the
issue. I didn't mention all that as nobody was interested in a
technical discussion [2] about the topic.
Regards,
S. Moonesamy
1. http://dl.acm.org/citation.cfm?id=694759
2. I also read about https://lists.freebsd.org/pipermail/svn-src-head/2015-February/068405.html
Received on Mon Apr 10 2017 - 21:30:34 PST
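As an added illustration of the bias that Mironov's 512-byte discard is meant to hide (this is example code, not code from the thread, from FreeBSD's arc4random.c or from OpenBSD): a plain RC4 keystream generator with an optional discard of the leading output, plus a measurement of how often the second keystream byte is zero with and without dropping the first 512 bytes. The 16-byte key length and the trial counts are assumptions chosen for the demonstration.

```python
# Added example, not code from the thread or from FreeBSD/OpenBSD: a plain
# RC4 keystream generator with an optional discard of the leading output,
# and a measurement of the second-byte bias that the discard is meant to hide.
import os

def rc4_keystream(key: bytes, nbytes: int, discard: int = 0) -> bytes:
    """Return `nbytes` of RC4 keystream for `key`, produced after the first
    `discard` bytes have been generated and thrown away (Mironov: >= 512)."""
    # Key-scheduling algorithm (KSA): build the initial permutation S
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): emit keystream bytes
    out = bytearray()
    i = j = 0
    for n in range(discard + nbytes):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if n >= discard:                      # skip the biased prefix
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def zero_fraction_at(position: int, trials: int, discard: int = 0,
                     keylen: int = 16) -> float:
    """Fraction of random keys (length `keylen`, an assumed value) whose
    keystream byte at 0-based `position`, counted after the discard, is 0.
    An unbiased byte is 0 about 1/256 of the time; RC4's second output
    byte (position 1) is 0 about 1/128 of the time unless it is discarded."""
    zeros = 0
    for _ in range(trials):
        ks = rc4_keystream(os.urandom(keylen), position + 1, discard)
        zeros += ks[position] == 0
    return zeros / trials

if __name__ == "__main__":
    print("second byte == 0, no discard:    %.4f" % zero_fraction_at(1, 20000))
    print("second byte == 0, 512 discarded: %.4f" % zero_fraction_at(1, 8000, 512))
    print("reference: 1/128 = %.4f, 1/256 = %.4f" % (1 / 128, 1 / 256))
```

The first measured fraction sits near 1/128 and the second near 1/256, which is the whole point of throwing away the start of the stream; it does not remove the other known RC4 biases, which is why the thread calls the patch a bandaid.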