[rock-devel] [SM-2006042709405218849] Applied by teha
Benjamin Schieder
blindcoder at scavenger.homeip.net
Wed May 3 19:41:22 CEST 2006
Stefan Paletta wrote:
> Benjamin Schieder wrote/schrieb/scripsit:
>
>>>That whole code is bullshit crypto. First you're reading 1024 bits
>>>(almost, no \n) of super paranoid randomness, then reduce to 128 bits
>>>by applying MD5 to it.
>>
>>I can increase that to 256 Bits if it makes you feel better :-)
>
>
> That was not my point. In your code you are taking great pains to
> acquire about 1024 bits of randomness, but then feed it into a digest
> algorithm that produces only 128 bits of output. It doesn't matter if
> you feed 129 bits, 1024 bits or 10240 bits into it -- the resulting key
> is never going to be better than these 128 bits. There isn't necessarily

Yes. It's just that md5sum was the easiest way I could think of to convert
anything to a hex value (which is what dmsetup expects). Do you know a (simple?)
method of converting arbitrary strings to hex?
I use the same method to convert the passphrase for harddisk encryption to hex,
maybe a change is possible here, too?

> anything wrong with using a 128 bits key in the end, but your code
> projects a false sense of security and uselessly depletes the entropy
> pool. This isn't so serious from the purely technical point of view.
> Rather it also suggests that you didn't take all relevant aspects into
> consideration when you wrote this code. I take this as a grave flaw for
> code that claims to improve security.

Actually, I really didn't. I wrote this code as a sort of 'example' for
rockinitrd plugins.

Greetings,
Benjamin
--
Today, memory either forgets things when you don't want it to,
or remembers things long after they're better forgotten.
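
The question raised in this message (turning arbitrary bytes into the hex string dmsetup expects without passing them through md5sum) can be answered with od, as in this added example, which is not part of the original mail and not code from the ROCK Linux project. The function names, the `RANDOM_SOURCE` variable and the use of /dev/urandom are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names and
# RANDOM_SOURCE are hypothetical; /dev/urandom is an assumed default.

# to_hex: hex-encode stdin byte for byte (two hex digits per input byte),
# so the output carries exactly as many bits as the input did.
to_hex() {
    od -An -v -tx1 | tr -d ' \n'
}

# gen_hex_key NBYTES: read exactly NBYTES of randomness and hex-encode it.
# Only as many bytes as the key needs are read, nothing is thrown away.
gen_hex_key() {
    nbytes=$1
    case $nbytes in
        ''|*[!0-9]*)
            echo "gen_hex_key: byte count must be a positive integer" >&2
            return 2 ;;
    esac
    if [ "$nbytes" -le 0 ]; then
        echo "gen_hex_key: byte count must be a positive integer" >&2
        return 2
    fi
    key=$(head -c "$nbytes" "${RANDOM_SOURCE:-/dev/urandom}" | to_hex)
    # A short read would silently yield a shorter key; refuse it.
    if [ "${#key}" -ne $((nbytes * 2)) ]; then
        echo "gen_hex_key: short read from random source" >&2
        return 1
    fi
    printf '%s\n' "$key"
}

# md5_hex_len NBYTES: the approach criticised in the thread. Whatever
# amount of randomness goes in, md5sum emits 32 hex digits (128 bits).
md5_hex_len() {
    digest=$(head -c "$1" "${RANDOM_SOURCE:-/dev/urandom}" | md5sum | cut -d' ' -f1)
    printf '%s\n' "${#digest}"
}
```

Calling `gen_hex_key 32` returns 64 hex digits (256 bits), while `md5_hex_len 128` reports 32 digits even though 1024 bits were read.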