It sure does. But it's just SHA1(0) || SHA1(1) || SHA1(2). It has only a tiny bit of entropy when you know how it is constructed.
Yes, that was one example I had in mind, but I'd be cautious about assuming more subtle ones don't exist.
-
-
The key part here is that a transistor-level RDRAND output that just mirrors the existing pool is fairly feasible.
-
Whereas the amount of logic required to attack a hash-based system would be much larger and much more obvious to anyone looking.
-
Not thinking purely silicon. Something heartbleed-like could allow more advanced attacks.
-
Heartbleed was a memory disclosure limited to the target process. It wouldn't be affected by entropy mixing choice.
-
Were you thinking of Rowhammer? That's probably more relevant.