Subject: arc4random() bug? (leaks key bits after reseeding?)
To: None <itojun@iijlab.net>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 05/29/2002 03:34:42
So, I'm looking more closely at the arc4random() implementation than
before, and I have a question.  arc4_init does the usual thing with the
first several bytes of the stream (to avoid leaking key bits into the
output):

        /*
         * Throw away the first N words of output, as suggested in the
         * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
         * by Fluhrer, Mantin, and Shamir.  (N = 256 in our case.)
         */
        for (n = 0; n < 256 * 4; n++)
                arc4_randbyte();

But when we "reseed" the cipher, we don't do this.  Looking at the
"reseeding" process, it seems to be equivalent to setting a new key
(though the new key depends on the old key as well as new random data).
Is it not the case that after doing this, we again need to discard the
beginning of the output stream to avoid leaking key bits?

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud
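
Added illustration for the question above (example code written for this
page, not NetBSD's arc4random.c; the reseed routine is an assumption
modeled on the BSD arc4_addrandom pattern, since the mail does not quote
that code, and all struct/function names are illustrative).  It is a
minimal RC4 with the "throw away the first N words" step, and a counter
that measures the Mantin-Shamir second-byte bias: output byte 2 is zero
about twice as often as it should be unless early keystream is discarded.
Run it and the two "no drop" rows land near twice the unbiased rate,
including the row where the generator was only reseeded, while the two
"drop" rows land at the unbiased rate.  Test keys come from a splitmix64
counter (constructed, deterministic, not entropy).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Example, not NetBSD code.  Minimal RC4 state plus keying, a reseed
 * that mixes new bytes into the live permutation (assumption: modeled
 * on the BSD arc4_addrandom pattern), the drop step, and a bias meter. */

#define ARC4_DROP (256 * 4)   /* N = 256 words, as in the quoted loop */

struct arc4 {
    uint8_t s[256];
    uint8_t i, j;
};

/* One PRGA step: return the next keystream byte. */
static uint8_t arc4_randbyte(struct arc4 *a)
{
    uint8_t si, sj;
    a->i = (uint8_t)(a->i + 1);
    si = a->s[a->i];
    a->j = (uint8_t)(a->j + si);
    sj = a->s[a->j];
    a->s[a->i] = sj;
    a->s[a->j] = si;
    return a->s[(uint8_t)(si + sj)];
}

/* Discard the first ARC4_DROP bytes of output, as the quoted code does. */
static void arc4_drop(struct arc4 *a)
{
    int n;
    for (n = 0; n < ARC4_DROP; n++)
        (void)arc4_randbyte(a);
}

/* Run the RC4 key schedule over whatever permutation is in 'a', starting
 * from the current j, then reset the PRGA counters.  Over the identity
 * permutation this is the plain KSA; over a keyed state it is the reseed,
 * and the result depends on both the old state and the new data. */
static void arc4_addrandom(struct arc4 *a, const uint8_t *dat, size_t datlen)
{
    int n;
    uint8_t j = a->j, t;
    for (n = 0; n < 256; n++) {
        j = (uint8_t)(j + a->s[n] + dat[n % datlen]);
        t = a->s[n]; a->s[n] = a->s[j]; a->s[j] = t;
    }
    a->i = a->j = 0;
}

/* Fresh key: identity permutation, then the key schedule. */
static void arc4_keysetup(struct arc4 *a, const uint8_t *key, size_t keylen)
{
    int n;
    for (n = 0; n < 256; n++)
        a->s[n] = (uint8_t)n;
    a->i = a->j = 0;
    arc4_addrandom(a, key, keylen);
}

/* Check against the published RC4 vector for key "Key":
 * keystream EB 9F 77 81 B7 34 CA 72 A7.  Returns 1 on match. */
static int arc4_selftest(void)
{
    static const uint8_t expect[9] = {0xEB,0x9F,0x77,0x81,0xB7,0x34,0xCA,0x72,0xA7};
    struct arc4 a;
    int n;
    arc4_keysetup(&a, (const uint8_t *)"Key", 3);
    for (n = 0; n < 9; n++)
        if (arc4_randbyte(&a) != expect[n])
            return 0;
    return 1;
}

/* Deterministic test keys (constructed; splitmix64, not a CSPRNG). */
static uint64_t splitmix64(uint64_t *x)
{
    uint64_t z = (*x += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Count how often the SECOND keystream byte is zero over 'trials'
 * (re)keyings.  Unbiased: about trials/256.  Mantin-Shamir: byte 2 is 0
 * whenever S[2] == 0 and S[1] != 2 when the PRGA starts, so the count
 * roughly doubles unless early output is discarded.
 * reseed == 0: fresh arc4_keysetup per trial.
 * reseed != 0: one long-running generator, arc4_addrandom per trial.
 * drop   != 0: arc4_drop after the (re)keying, as the mail proposes. */
static int second_byte_zero_count(int trials, int drop, int reseed)
{
    struct arc4 a;
    uint8_t key[16];
    uint64_t seed = 12345, r = 0;
    int t, n, zeros = 0;

    arc4_keysetup(&a, (const uint8_t *)"Key", 3);
    arc4_drop(&a);
    for (t = 0; t < trials; t++) {
        for (n = 0; n < 16; n++) {
            if (n % 8 == 0)
                r = splitmix64(&seed);
            key[n] = (uint8_t)(r >> (8 * (n % 8)));
        }
        if (reseed)
            arc4_addrandom(&a, key, sizeof key);
        else
            arc4_keysetup(&a, key, sizeof key);
        if (drop)
            arc4_drop(&a);
        (void)arc4_randbyte(&a);
        if (arc4_randbyte(&a) == 0)
            zeros++;
    }
    return zeros;
}

int main(void)
{
    int trials = 60000;
    printf("selftest: %s\n", arc4_selftest() ? "ok" : "FAILED");
    printf("unbiased expectation: ~%d of %d\n", trials / 256, trials);
    printf("fresh key, no drop:   %d\n", second_byte_zero_count(trials, 0, 0));
    printf("fresh key, drop:      %d\n", second_byte_zero_count(trials, 1, 0));
    printf("reseed,    no drop:   %d\n", second_byte_zero_count(trials, 0, 1));
    printf("reseed,    drop:      %d\n", second_byte_zero_count(trials, 1, 1));
    return 0;
}
```

The "reseed, no drop" row is the case the mail asks about: once the
reseed is a key schedule over the live state, the first bytes after it
are just as structured as the first bytes after a fresh key, and the
same discard is what removes that structure.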