[Cryptography] where shall we put the random-seed?

Jerry Leichter leichter at lrw.com
Tue Dec 27 06:40:00 EST 2016


It occurs to me as I read this that any device that can boot from a LiveCD or a USB stick *inherently has a potential user-controllable input device* - namely, the CD or USB reader.  If you can get the user to pull out and replace the CD or USB drive a couple of times, the timing could give you a reasonable amount of unpredictable, uncontrollable variability to leverage in initializing your RNG.

This is obviously not applicable in all situations.  The assumptions are:

1.  The user is actually present during boot;
2.  The user is in a position to, and willing to, help;
3.  The medium is removable and re-insertable without causing issues for the hardware (e.g., forcing a hardware reset);
4.  Software can detect removal and re-insertion;
5.  There is some means for the system to communicate to the user when it wants him to pull and replace the medium, and when it's done booting.  This may be a very relaxed requirement, with the "communication" being virtual - through user-level elapsed time.  For example, something like:  "Boot the device; wait for a count of 20; remove the medium; count to 5; re-insert; count to 5; repeat the remove/re-insert sequence about 5 times" might be good enough in some cases.

Note that the availability of a high-precision clock is *not* required - the system isn't doing anything else useful while waiting for the removal and re-insertion so it can use timing loops with counters to measure elapsed time.  (The time between when it requests removal and when that actually happens is just as variable as the re-insertion time and should be included.)

A specialized set of requirements - many systems have much more capability to communicate with the user; some on the other hand have none.  But it's always useful to have mechanisms available for as broad an array of potential situations as possible.
                                                        -- Jerry
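An added example, not from Jerry's post: a Python simulation of the scheme he describes, assuming a polled "medium present" flag and a loop counter as the only clock. The tick counts and presence samples are constructed; the entropy estimate is a deliberately crude sanity check that rejects degenerate input (for instance, an automated re-insertion with constant timing) rather than a proof of how much entropy the user supplied.

```python
import hashlib
import math
from collections import Counter
from typing import Iterable, List, Optional

def measure_intervals(presence_samples: Iterable[bool]) -> List[int]:
    # Poll a 'medium present' flag once per loop iteration; return the tick
    # counts between transitions. The first count (request-to-removal) is
    # kept, since it is as variable as the re-insertion times.
    intervals, ticks, present = [], 0, True   # medium starts in the drive
    for sample in presence_samples:
        ticks += 1
        if sample != present:                 # removal or re-insertion seen
            intervals.append(ticks)
            ticks, present = 0, sample
    return intervals

def crude_min_entropy_bits(intervals: List[int]) -> float:
    # Most-common-value estimate, -log2(p_max) per sample: a sanity check
    # against degenerate input, not a certificate of entropy.
    if not intervals:
        return 0.0
    p_max = max(Counter(intervals).values()) / len(intervals)
    return -math.log2(p_max) * len(intervals)

def derive_seed(intervals: List[int], min_bits: float, min_events: int = 6) -> bytes:
    # Condition the raw counts into a 32-byte seed; refuse on too few events
    # or when the crude estimate is below the caller's threshold.
    if len(intervals) < min_events:
        raise ValueError(f"only {len(intervals)} transitions, need {min_events}")
    est = crude_min_entropy_bits(intervals)
    if est < min_bits:
        raise ValueError(f"estimated {est:.1f} bits < required {min_bits}")
    h = hashlib.sha256()
    for n in intervals:
        h.update(n.to_bytes(8, "big"))        # fixed width: no ambiguous joins
    return h.digest()

def try_seed(intervals: List[int], min_bits: float) -> Optional[bytes]:
    # derive_seed that reports rejection as None instead of raising.
    try:
        return derive_seed(intervals, min_bits)
    except ValueError:
        return None

# Constructed tick counts: 5 pull/re-insert cycles = 10 transitions.
SAMPLE_INTERVALS = [2083, 417, 512, 390, 601, 377, 455, 404, 588, 421]
```

With ten distinct counts the estimator credits about 33 bits, so a caller demanding 128 bits from five pulls is told to collect more events rather than being handed a seed.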