Add extra explanatory comment about the DSA k generation.

author simon <simon@cda61777-01e9-0310-a592-d414129be87e>

Sat, 22 Sep 2001 21:00:16 +0000 (21:00 +0000)

committer simon <simon@cda61777-01e9-0310-a592-d414129be87e>

Sat, 22 Sep 2001 21:00:16 +0000 (21:00 +0000)
author simon <simon@cda61777-01e9-0310-a592-d414129be87e>
Sat, 22 Sep 2001 21:00:16 +0000 (21:00 +0000)
committer simon <simon@cda61777-01e9-0310-a592-d414129be87e>
Sat, 22 Sep 2001 21:00:16 +0000 (21:00 +0000)
diff --git a/sshdss.c b/sshdss.c

index b2179a8..4856306 100644 (file)
--- a/sshdss.c
+++ b/sshdss.c
@@ -546,9 +546,16 @@ unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen)
       * signing the same hash twice with the same key yields the
       * same signature.
       * 
-     * (It doesn't, _per se_, protect against reuse of k. Reuse of
-     * k is left to chance; all it does is prevent _excessively
-     * high_ chances of reuse of k due to entropy problems.)
+     * Despite this determinism, it's still not predictable to an
+     * attacker, because in order to repeat the SHA-512
+     * construction that created it, the attacker would have to
+     * know the private key value x - and by assumption he doesn't,
+     * because if he knew that he wouldn't be attacking k!
+     *
+     * (This trick doesn't, _per se_, protect against reuse of k.
+     * Reuse of k is left to chance; all it does is prevent
+     * _excessively high_ chances of reuse of k due to entropy
+     * problems.)
       * 
       * Thanks to Colin Plumb for the general idea of using x to
       * ensure k is hard to guess, and to the Cambridge University
author	simon <simon@cda61777-01e9-0310-a592-d414129be87e>
	Sat, 22 Sep 2001 21:00:16 +0000 (21:00 +0000)
committer	simon <simon@cda61777-01e9-0310-a592-d414129be87e>
	Sat, 22 Sep 2001 21:00:16 +0000 (21:00 +0000)