[Cryptography] What's a Plausible Attack On Random Number Generation?

Bill Stewart bill.stewart at pobox.com
Sat Nov 2 02:33:05 EDT 2013


At 07:21 AM 11/1/2013, Jerry Leichter wrote:
>On Nov 1, 2013, at 7:04 AM, Yaron Sheffer <yaronf.ietf at gmail.com> wrote:
> > It sounds like a quick addition to DHCP - an extension that gets 
> > you 256 bits from the server, would solve 99% of the problem we 
> > have with embedded devices. It will not be sufficient for 
> > high-security environments, because an attacker might be listening 
> > on the local LAN....
>Ahem.  This is *exactly* the kind of reasoning I started this thread 
>to investigate.  (Though I certainly agree that a *single* DHCP 
>packet containing a random bit string is easily attacked.)

It's slightly backwards as far as timing goes - if you're trying to 
run a pure client, you normally have physical input from the user and 
access to a sound card before running anything that needs to generate 
encryption keys, so you don't really need it, and if you're running a 
server, you almost always want a fixed IP address rather than a 
random one from the DHCP pool, so you're probably not going to ask 
for DHCP.  Also, if you're starting a brand-new-out-of-the-box 
server, it doesn't matter if it takes a few minutes before there's 
enough entropy to generate keys, because it's new, while the case 
where you care most about startup time is restarting a previously 
running server that was shut down, so you would have saved a seed by 
then.  I guess that Cloud World may have occasion to care about how 
long it takes to provision a brand-new server from a canned image, 
and need to generate an ssh key so a user can log in to update the 
rest of their software, because they're paying by the millisecond, 
but are they likely to use DHCP as opposed to having Chef/Puppet give 
them an address?
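The "you would have saved a seed by then" case, as an added example that is not code from this post or from any project it mentions: a seed file that is mixed with whatever fresh input the box has at boot and then immediately replaced, so a crash before the next shutdown-time save cannot replay the same seed. The file path, the derive/write_seed/restore_seed/save_seed helpers and the "fresh entropy" byte strings (standing in for user input or a sound card) are all constructed for the example.

```python
import hashlib, hmac, os, tempfile

SEED_BYTES = 32  # 256 bits, the amount the DHCP suggestion above would hand out

def derive(label: bytes, *parts: bytes) -> bytes:
    """Length-prefix and hash the inputs, then HMAC a label over the digest;
    distinct labels give independent outputs from one pool."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return hmac.new(h.digest(), label, hashlib.sha256).digest()

def write_seed(path: str, seed: bytes) -> None:
    """Write-then-rename so a crash mid-write never leaves a truncated file."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(seed)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)

def restore_seed(path: str, fresh: bytes) -> bytes:
    """Boot time: mix the saved seed with whatever fresh entropy the box has.
    The file is overwritten before the DRBG seed is returned, so a crash
    before the next shutdown-time save cannot replay this boot's seed."""
    try:
        with open(path, "rb") as f:
            saved = f.read()
    except FileNotFoundError:
        saved = b""  # brand-new-out-of-the-box: nothing saved yet
    pool = derive(b"pool", saved, fresh)
    write_seed(path, derive(b"next-seed", pool))  # the old seed is never reused
    return derive(b"drbg-seed", pool)

def save_seed(path: str, drbg_output: bytes) -> None:
    """Shutdown time (or periodically): keep fresh DRBG output for next boot."""
    write_seed(path, drbg_output[:SEED_BYTES])

def demo() -> dict:
    """Two boots of one box. The 'fresh' inputs are constructed placeholders
    for sound-card or user input, so the run is reproducible."""
    path = os.path.join(tempfile.mkdtemp(), "seed")
    first = restore_seed(path, b"constructed fresh entropy, boot 1")
    with open(path, "rb") as f:
        after1 = f.read()
    second = restore_seed(path, b"constructed fresh entropy, boot 2")
    with open(path, "rb") as f:
        after2 = f.read()
    return {"first": first, "second": second, "after1": after1, "after2": after2}
```

A real device would feed `restore_seed`'s return value into its DRBG and call `save_seed` with fresh DRBG output at shutdown; the seed file itself is never handed to the DRBG directly.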