Quote:
Originally Posted by H_TeXMeX_H
Just want to note that md5 is most definitely NOT a cryptographically secure hash. It is known to have collisions:
http://en.wikipedia.org/wiki/Md5#Security
I would have used a newer, better hash, probably a higher SHA hash or whirlpool. I have actually used whirlpool in my own RNG experiments.
Also, the quality of your TRNG varies greatly with the noise in the room. This is a potential vulnerability.
As long as you don't use the TRNG for anything critical, it should work for other purposes.
Yes of course, this is true. MD5 is not cryptographically secure; however, this library does not use MD5 sums to verify anything. Instead, it uses MD5 only as "whitening" for the data from the microphone. So yes, there are collisions; however, in this particular usage, collisions don't need to reduce security, and the numbers are still not predictable.
Also, luck_rng() only uses half of the MD5 hash anyway, and luck_event() reduces the result to an 8-bit number. MD5 is used only for "whitening". (However, the full MD5 function is available for application use.)
If people are really still worried about MD5, then maybe I can switch it to whirlpool.
Also, the library is meant mostly for games and amusement. I am not a cryptography guy, I did not design it for cryptography, therefore, you should NOT use it for something critical UNLESS you can look at my code and verify that it is secure enough.