On Mon, 27 Dec 2010, Kjell Wooding wrote:

quoted text
> The OpenBSD random number subsystem uses an in-kernel entropy pool. This
> data isn't used directly. When entropy is requested, the contents of the
> pool are hashed with MD5, and the massaged output used to seed an RC4 PRNG.
> 
> In looking at the code, however, I notice we actually fold the MD5 output in
> half. From extract_entropy():
> 
>               MD5Final(buffer, &tmp);
> 
>                 /*
>                  * In case the hash function has some recognizable
>                  * output pattern, we fold it in half.
>                  */
>                 buffer[0] ^= buffer[15];
>                 buffer[1] ^= buffer[14];
>                 buffer[2] ^= buffer[13];
>                 buffer[3] ^= buffer[12];
>                 buffer[4] ^= buffer[11];
>                 buffer[5] ^= buffer[10];
>                 buffer[6] ^= buffer[ 9];
>                 buffer[7] ^= buffer[ 8];
> 
>                /* Copy data to destination buffer */
>                 bcopy(buffer, buf, i);
>                 nbytes -= i;
>                 buf += i;
> 
> My question: Why? What exactly are we protecting against, and is this really
> protection? (the comment indicates "some recognizable output pattern, but
> that means little to me as is) Can we really be sure it doesn't make things
> worse?

I think it is intended to make preimage attacks more difficult.

quoted text
> Is this done elsewhere, or is it our particular brand of voodoo?

I'm not aware of it being done elsewhere. Usually the recommendation is
to truncate, rather than fold hash output.

IMO we should reassess the output hash. Something like Whirlpool might be
significantly faster given its large block size.

-d