The old way was biasted towards the earlier values. Thanks to asn for
pointing this out and suggesting an alternative.
As an additional tweak, do not reuse the drbg seed when calculating the
IAT distribution, but instead run the seed through SHA256 first, for
extra tinfoil goodness.
This paves the way for having servers use the same seed for all
incoming connections, across multiple startup/shutdown cycles. As
opposed to the current situation where each Obfs4Listener will
randomly generate it's seed at creation time.
Additionally, use 256 bit seeds (128 bit SipHash-2-4 key + 16 bytes of
initial material).
The same algorithm as ScrambleSuit is used, except:
* SipHash-2-4 in OFB mode is used to create the distribution.
* The system CSPRNG is used when sampling the distribution.
This fixes most of #3, all that remains is generating and sending a
persistent distribution on the server side to the client.