[Cryptography] What's a Plausible Attack On Random Number Generation?

Nico Williams nico at cryptonector.com
Fri Nov 1 19:08:29 EDT 2013


On Fri, Nov 01, 2013 at 01:45:06PM -0700, John Denker wrote:
> On 11/01/2013 04:04 AM, Yaron Sheffer wrote:
> > Looks very much like an "implement it, standardize it and forget it"
> > kind of thing to me.
> 
> Alas, that leaves important parts of the problem unsolved.  We
> cannot "forget it" until we solve the whole problem.
> 
> For example:  SSH has to cut host keys when it is first used 
> (if not before).  This requires a lot of high-quality randomly-

An ssh-scan is still a first use from the point of view of the service.
And from the point of view of the user doing the scan.

> distributed bits.  There are a gazillion scenarios where this 
> has to happen /before/ the first DHCP happens.  For example, 
> I might need to "ssh root at localhost" in order to configure DHCP.

Hmmmm, well, ssh to localhost should be special.  If you're connecting
to / accepting on 127.0.0.1:22 or ::1:22 then the client a) shouldn't
care what the host key is, b) if the server doesn't yet have a key then
it could generate one for just this use and not any others.

(And, for ssh w/ GSS, ssh to localhost should replace "localhost" with
the host's hostname.)

It's a bug that ssh to localhost:22 is not special.

Nico
-- 
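The loopback special case Nico proposes, modelled as an added example that is not part of this thread or of any ssh implementation. It assumes a hypothetical `HostKeyPolicy` record and decides on the peer address actually connected to rather than the name typed, since "localhost" can be pointed anywhere by /etc/hosts or DNS; it also covers the IPv4-mapped and bracketed IPv6 spellings of loopback and keeps the GSS target-name substitution from the post.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HostKeyPolicy:
    """Hypothetical decision record for one ssh connection (constructed for this example)."""
    verify_host_key: bool        # client must check the key against known_hosts
    ephemeral_server_key: bool   # server without a key may generate one for this use only
    gss_target: str              # host name to put in the GSS service principal


def is_loopback_literal(addr_text: str) -> bool:
    """True only for an address literal on the loopback interface.

    Names are never trusted here: only a parsed address qualifies, so a
    'localhost' that resolves to a remote host does not get the relaxed policy.
    """
    try:
        addr = ipaddress.ip_address(addr_text.strip("[]"))  # allow [::1]
    except ValueError:
        return False                                        # a name, not a literal
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                             # ::ffff:127.0.0.1 is v4 loopback
    return addr.is_loopback                                 # 127.0.0.0/8 or ::1


def loopback_ssh_policy(typed_host: str, peer_addr: str, port: int,
                        local_hostname: str) -> HostKeyPolicy:
    """Apply the proposed rule: 127.0.0.1:22 / [::1]:22 is a special case.

    peer_addr is the address the socket is really connected to (or accepted on),
    which is what makes the decision safe when typed_host is a name.
    """
    if port == 22 and is_loopback_literal(peer_addr):
        # Client need not care about the host key; server may answer with a
        # key made for this connection only; GSS uses the real host name.
        return HostKeyPolicy(verify_host_key=False,
                             ephemeral_server_key=True,
                             gss_target=local_hostname)
    # Everything else, including a 'localhost' that resolved elsewhere or a
    # non-standard port, keeps the ordinary known_hosts check.
    return HostKeyPolicy(verify_host_key=True,
                         ephemeral_server_key=False,
                         gss_target=typed_host.strip("[]"))
```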
