[Cryptography] real random numbers

Kent Borg kentborg at borg.org
Sun Sep 15 13:35:57 EDT 2013


On 09/15/2013 10:19 AM, John Kelsey wrote:
> But those are pretty critical things, especially (a). You need to know 
> whether it is yet safe to generate your high-value keypair. For that, 
> you don't need super precise entropy estimates, but you do need at 
> least a good first cut entropy estimate--does this input string have 
> 20 bits of entropy or 120 bits? 

Yes, the time I was part of designing a physical RNG product (for use in 
real gambling, for real money) we made sure to not only sweep up all the 
entropy sources we could, and not only mixed in fixed information such 
as MAC addresses to further make different machines different, our 
manufacturing procedures included pre-seeding the stored pool with data 
from a Linux computer that had a mouse and keyboard and lots of human input.

We did not try to do entropy accounting, but did worry about having enough.

We also were going way overboard on security thinking, far exceeding 
regulatory requirements for any jurisdiction we looked at.  I don't know 
if it ever shipped to a customer, but we got all the approvals 
necessary so it could have...

I do agree that, though a Linux box might make keys on its first boot, 
it should be used interactively first, and then generate keys.

Again, Ubuntu (at least a "desktop" install) doesn't include sshd by 
default, you have to decide to install it, and at that point, if there 
is a human setting up things with a keyboard and mouse, there should be 
a lot of entropy.  Ubuntu "server" installations might be different, and 
I would be very worried about automatic provisioning of server machines 
in bulk.

-kb
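
The "20 bits or 120 bits?" first-cut question from the quoted message, as an added example that is not part of the original post or of any product mentioned in it. It uses the most-common-value estimate described in NIST SP 800-90B, which assumes independent samples and looks only at the value histogram, so treat its result as a ceiling. The sample lists and the 128-bit threshold are constructed assumptions.

```python
import math
from collections import Counter

Z_99 = 2.576  # normal quantile for the 99% upper confidence bound


def min_entropy_per_sample(samples):
    """Most-common-value estimate of min-entropy, in bits per sample.

    Assumes samples are independent; order is ignored, so correlated or
    patterned input is over-credited. Use as a ceiling, not a guarantee.
    """
    n = len(samples)
    if n < 2:
        return 0.0  # too little data to credit anything
    p_hat = Counter(samples).most_common(1)[0][1] / n
    # Upper confidence bound on the probability of the likeliest value.
    p_upper = min(1.0, p_hat + Z_99 * math.sqrt(p_hat * (1.0 - p_hat) / (n - 1)))
    return max(0.0, -math.log2(p_upper))


def first_cut_bits(samples):
    """Total min-entropy credited to the whole input, in bits."""
    return len(samples) * min_entropy_per_sample(samples)


def safe_to_generate(samples, required_bits=128):
    """Gate for key generation; required_bits is an assumed policy value."""
    return first_cut_bits(samples) >= required_bits


# Constructed inputs standing in for raw event-timing samples.
STUCK = [7] * 64                        # source that never changes
TWO_VALUED = [100, 101] * 20            # 40 samples, only two distinct values
SPREAD = [i % 16 for i in range(64)]    # 64 samples over 16 distinct values

if __name__ == "__main__":
    for name, data in (("stuck", STUCK), ("two-valued", TWO_VALUED),
                       ("spread", SPREAD)):
        print(f"{name:10s} {first_cut_bits(data):7.1f} bits  "
              f"ok to generate: {safe_to_generate(data)}")
```
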
