Date: Tue, 11 Mar 2003 17:01:36 -0700
From: Theo de Raadt <deraadt@cvs.openbsd.org>
To: Robin Carey <robin@wizardsworks.org>
Cc: bugs@openbsd.org, freebsd-bugs@freebsd.org
Subject: Re: ARC4 algorithm
Message-ID: <200303120001.h2C01aTL029674@cvs.openbsd.org>
In-Reply-To: Your message of "Tue, 11 Mar 2003 15:51:27 PST." <Pine.LNX.4.44.0303111545450.7264-100000@wizardsworks.org>
> Fact: The ARC4 algorithm is multiply and badly broken.
> So why is it still being used in OpenBSD and FreeBSD ?
>
> Here are two URLs which have free source code for CSPRNGs which are
> vastly superior to ARC4:
>
> http://www.burtleburtle.net/bob/rand/isaac.html
> http://wizardsworks.org/~robin/leopard.html
>
> Anybody who chooses to reply to this email better do so in a polite and
> friendly manner.

OK, how's this for polite:

It is used because it is not nearly as broken as you claim it to be.
Perhaps you are reading different books than I am reading. Perhaps you
are not aware that the code is using well documented workarounds.

Secondly, we are not using replacements that are new and as yet not
well researched.

Thirdly, we are using ARC4 in places where it has specific values, and
I would be utterly shocked to see you find us using it in a place where
the flaws matter.

Is using ARC4 in our random number generator a security flaw? Please
describe exactly how, but when you do, please don't include me in the
cc.

I must thank you for your detailed analysis showing how we are using
it wrong.

Forever in your debt,
Theo.
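Theo says the generator relies on "well documented workarounds" but does not name them, and this page does not describe them. The standard mitigation for ARC4's known keystream weaknesses is to discard the initial keystream bytes after keying, because that is where the published statistical biases sit. What follows is an added example, not code from this page, from OpenBSD or from FreeBSD: a textbook RC4 keystream generator, the drop step, and a small experiment that makes the early-keystream bias visible by measuring how often the second keystream byte is zero (for random keys it is zero with probability close to 2/256 rather than the uniform 1/256). The xorshift64* key source, the 16-byte key length, the 1024-byte drop count and the trial count are choices made for this example and are not taken from either project.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenBSD's or FreeBSD's code: textbook RC4 plus the
 * "drop the first N bytes" workaround and a bias measurement. */

typedef struct {
    uint8_t S[256];   /* the permutation */
    uint8_t i, j;     /* PRGA indices */
} rc4_ctx;

/* Key-scheduling algorithm: derive the initial permutation from the key. */
static void rc4_init(rc4_ctx *c, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int k = 0; k < 256; k++)
        c->S[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + c->S[k] + key[k % keylen]);
        uint8_t t = c->S[k]; c->S[k] = c->S[j]; c->S[j] = t;
    }
    c->i = 0;
    c->j = 0;
}

/* Pseudo-random generation algorithm: produce one keystream byte. */
static uint8_t rc4_byte(rc4_ctx *c)
{
    c->i = (uint8_t)(c->i + 1);
    c->j = (uint8_t)(c->j + c->S[c->i]);
    uint8_t t = c->S[c->i]; c->S[c->i] = c->S[c->j]; c->S[c->j] = t;
    return c->S[(uint8_t)(c->S[c->i] + c->S[c->j])];
}

/* The workaround: throw away the first `drop` bytes after every (re)keying,
 * since the early keystream is where the known biases are. */
static void rc4_drop(rc4_ctx *c, size_t drop)
{
    while (drop-- > 0)
        (void)rc4_byte(c);
}

/* Constructed, deterministic key source (xorshift64*) so the experiment is
 * reproducible; it stands in for the entropy a real generator is keyed with. */
static uint64_t xorshift64star(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x >> 12;
    x ^= x << 25;
    x ^= x >> 27;
    *s = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* Key `trials` fresh RC4 instances with 16-byte keys, discard `drop` bytes
 * from each, then count how often the next-but-one keystream byte is zero.
 * With drop == 0 this is the Mantin-Shamir second-byte test: Z2 == 0 shows
 * up about twice as often as the uniform 1/256 would predict. */
static unsigned count_second_byte_zero(unsigned trials, size_t drop, uint64_t seed)
{
    uint64_t st = seed ? seed : 1;   /* xorshift must not start from zero */
    unsigned zeros = 0;
    for (unsigned t = 0; t < trials; t++) {
        uint8_t key[16];
        for (size_t k = 0; k < sizeof key; k += 8) {
            uint64_t v = xorshift64star(&st);
            memcpy(key + k, &v, 8);
        }
        rc4_ctx c;
        rc4_init(&c, key, sizeof key);
        rc4_drop(&c, drop);
        (void)rc4_byte(&c);            /* first byte after the drop */
        if (rc4_byte(&c) == 0)         /* second byte after the drop */
            zeros++;
    }
    return zeros;
}

int main(void)
{
    const unsigned trials = 100000;
    const double uniform = trials / 256.0;
    unsigned raw = count_second_byte_zero(trials, 0, 1);
    unsigned dropped = count_second_byte_zero(trials, 1024, 1);
    printf("uniform expectation:       %.0f zeros\n", uniform);
    printf("no drop (raw Z2):          %u zeros (%.2fx)\n", raw, raw / uniform);
    printf("after dropping 1024 bytes: %u zeros (%.2fx)\n", dropped, dropped / uniform);
    return 0;
}
```

Run as is, the raw count lands near twice the uniform expectation and the count after the drop lands near the expectation itself, which is the effect the workaround is for. Two caveats a practitioner should keep in mind: discarding initial bytes only addresses the early-keystream biases, so a generator built this way also has to re-key from fresh entropy periodically rather than run one state forever, and none of this changes the key-scheduling weaknesses that apply when an attacker can influence or observe related keys.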