[Cryptography] What's a Plausible Attack On Random Number Generation?

Phillip Hallam-Baker hallam at gmail.com
Sun Nov 3 11:40:05 EST 2013


Please when we are having this discussion, distinguish the two cases:

1) Generating public keypairs
2) Generating session keys

The security concerns for the two cases are completely different yet we
have seen the issue of ssh keys being used.

There is no excuse for not generating public key pairs on a machine that is
completely trusted and trustworthy and has a strong random seed and
effective means of capturing additional random input.


For session keys, I suggest that any device that is not capable of
generating a good public key pair should not be relying on its own random
seed either. So for that I would suggest that whatever process provisions
the public key or shared session key to the device also provision a random
seed to it.

When generating random numbers the device should always use multiple
sources and complement the randomness from the random seed with other
sources. So the final random seed would be something like

R = R_1 XOR R_2 XOR R_3

Where

R_1 = randomness captured from environment
R_2 = randomness from seed embedded by manufacturer
R_3 = randomness from seed provided during provisioning.

Devices that can't generate good random keys are almost always going to be
devices that are slave to some other machine. So let's not get hung up about
how to generate good random seeds in my toaster or kettle or fridge. They
are only going to be on the net at all because I have provisioned them into
my network and granted them an access priv. I can easily provision in a
backup random seed at the same time.
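Added example, not part of the post: the R = R_1 XOR R_2 XOR R_3 combiner in Python with constructed sample seeds, plus a check that a fully predictable source (a failed manufacturer seed) does not weaken the result, and the caveat that two identical sources cancel to zero, so the sources must be independent.

```python
import os

SEED_LEN = 32  # bytes of seed the device needs


def combine_seeds(*sources: bytes) -> bytes:
    """Return R = R_1 XOR R_2 XOR ... XOR R_n.

    If at least one source is uniformly random and independent of the
    others, R is uniformly random even when every other source is known
    to an attacker. XOR gives no such guarantee for correlated sources.
    """
    if not sources:
        raise ValueError("at least one source is required")
    n = len(sources[0])
    if any(len(s) != n for s in sources):
        raise ValueError("all sources must have the same length")
    out = bytearray(n)
    for src in sources:
        for i, b in enumerate(src):
            out[i] ^= b
    return bytes(out)


def independent_sources_ok(*sources: bytes) -> bool:
    """Sanity check a defender can run: reject byte-identical sources.

    Identical inputs XOR to zero, which would silently discard their
    entropy. This catches only exact duplication, not weaker correlation.
    """
    return len(set(sources)) == len(sources)


def device_seed(env: bytes, manufacturer: bytes, provisioning: bytes) -> bytes:
    """R_1 = environment, R_2 = manufacturer seed, R_3 = provisioning seed."""
    if not independent_sources_ok(env, manufacturer, provisioning):
        raise ValueError("duplicate seed material detected")
    return combine_seeds(env, manufacturer, provisioning)


if __name__ == "__main__":
    # Constructed values: R_2 and R_3 are fixed here only so the example
    # is reproducible; real devices would receive them as secrets.
    r1 = os.urandom(SEED_LEN)              # captured from environment
    r2 = bytes([0x11]) * SEED_LEN          # embedded by manufacturer
    r3 = bytes(range(SEED_LEN))            # supplied during provisioning
    print(device_seed(r1, r2, r3).hex())
```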