[Cryptography] What's a Plausible Attack On Random Number Generation?

Glenn Willen gwillen at nerdnet.org
Fri Nov 1 19:06:46 EDT 2013


On Nov 1, 2013, at 1:45 PM, John Denker wrote:
> 
> Alas, that leaves important parts of the problem unsolved.  We
> cannot "forget it" until we solve the whole problem.
> 
> For example:  SSH has to cut host keys when it is first used 
> (if not before).  This requires a lot of high-quality randomly-
> distributed bits.  There are a gazillion scenarios where this 
> has to happen /before/ the first DHCP happens.  For example, 
> I might need to "ssh root@localhost" in order to configure DHCP.

Perhaps we're going about this the wrong way. If the machine isn't on the network yet, then it doesn't really need a secure host key. Maybe if we need keys for the configuration process, such as ssh host keys, we should then throw them away and regenerate them (as a one-time process) after configuration is complete? That way the long-term keep-it-for-decades key doesn't have to be the same key we generated at the absolute least-entropy time in the machine's lifecycle.

Honestly, how much would it hurt to do the same thing in the general case? Let ssh generate a host key on first boot, then once the entropy pool fills, throw the key away and generate a new permanent key? There will be a short window during which _maybe possibly_ the key is slightly weak, but we wouldn't be using an all-zeroes key or anything during that time. And the permanent key will be a lot safer for long-term use.

Glenn
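The two-phase scheme proposed above, as an added example in Python that is not part of the original post and not OpenSSH's own provisioning code. It runs once per boot: with no host key present it generates one immediately (the box is not reachable yet, so the pool state does not matter) and, unless the kernel RNG already reports itself seeded, leaves a marker file calling that key provisional; on a later boot, once the pool is seeded, it discards the provisional key and generates the permanent one. The seeding check uses getrandom(2) with GRND_NONBLOCK, which on Linux fails with EAGAIN until the kernel CSPRNG is initialised. The marker-file name, the function names, the single ed25519 key path, and the assumption that non-Linux platforms seed their kernel RNG at boot are all choices of this example; the ssh-keygen flags (-q, -t, -N, -f) are real OpenSSH options.

```python
"""Two-phase SSH host key provisioning (added example, not OpenSSH code).

A throwaway key serves the pre-network configuration phase; once the
kernel RNG is seeded the key is replaced by the permanent one.
"""
import os
import subprocess
import tempfile
from pathlib import Path

# Marker left beside a key generated before the pool was known to be
# seeded. Name is an assumption of this example.
PROVISIONAL_SUFFIX = ".provisional"


def pool_is_seeded() -> bool:
    """True once the kernel CSPRNG reports itself initialised.

    On Linux, getrandom(2) with GRND_NONBLOCK raises BlockingIOError
    (EAGAIN) until the pool is seeded. Platforms without getrandom are
    assumed here to seed at boot (assumption of this example).
    """
    getrandom = getattr(os, "getrandom", None)
    if getrandom is None:
        return True
    try:
        getrandom(1, os.GRND_NONBLOCK)
    except BlockingIOError:
        return False
    return True


def ssh_keygen(keyfile: Path) -> None:
    """Generate an unencrypted ed25519 host key pair with OpenSSH ssh-keygen."""
    for path in (keyfile, keyfile.with_name(keyfile.name + ".pub")):
        path.unlink(missing_ok=True)  # ssh-keygen refuses to overwrite silently
    subprocess.run(
        ["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-f", str(keyfile)],
        check=True,
    )


def provision_host_key(keyfile: Path, seeded=None, keygen=ssh_keygen) -> str:
    """Run on every boot; returns the action taken.

    permanent   - no key yet, pool already seeded: generated the final key
    provisional - no key yet, pool unseeded: generated a throwaway key
    waiting     - provisional key exists, pool still unseeded: keep it
    rotated     - provisional key exists, pool now seeded: replaced it
    unchanged   - permanent key already in place
    """
    if seeded is None:
        seeded = pool_is_seeded()
    marker = keyfile.with_name(keyfile.name + PROVISIONAL_SUFFIX)

    if not keyfile.exists():
        keygen(keyfile)
        if seeded:
            marker.unlink(missing_ok=True)  # clear a stale marker, if any
            return "permanent"
        marker.touch()
        return "provisional"

    if marker.exists():
        if not seeded:
            return "waiting"
        keygen(keyfile)  # throw the least-entropy-time key away
        marker.unlink()
        return "rotated"

    return "unchanged"


def simulate(seeded_per_boot, workdir=None):
    """Walk provision_host_key through successive boots.

    Uses a stub in place of ssh-keygen (constructed data, no OpenSSH
    needed) and returns the list of actions taken, one per boot.
    """
    workdir = Path(workdir or tempfile.mkdtemp(prefix="hostkey-"))
    keyfile = workdir / "ssh_host_ed25519_key"
    generated = []

    def stub_keygen(path: Path) -> None:
        generated.append(path)
        path.write_text(f"stub key #{len(generated)}\n")

    return [provision_host_key(keyfile, seeded=s, keygen=stub_keygen)
            for s in seeded_per_boot]


if __name__ == "__main__":
    print("kernel pool seeded now:", pool_is_seeded())
    print(simulate([False, False, True, True]))
```

Two caveats for anyone wiring this into a boot sequence: `pool_is_seeded` reports kernel CSPRNG initialisation, not the `entropy_avail` estimate, so it says nothing about how good the seed was on a device with no hardware RNG and no saved seed; and any client that recorded the provisional key in its `known_hosts` during the window will see a host-key-changed warning after the rotation, so the rotation belongs before the host is first advertised to other machines.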
