[Cryptography] Entropy Needed for SSH Keys?

Alexander Klimov alserkli at inbox.ru
Sun May 22 12:19:03 EDT 2016


On Sat, 21 May 2016, Kent Borg wrote:
> Embedded devices are frequently starved for entropy, and frequently want to
> generate SSH keys on first boot when the entropy might be in particularly
> short supply.
> 
> How much entropy does modern openssh key generation need?
> 
> In a case I am playing with I want my own 512-bits of entropy after the ssh
> keys are generated. If I can come up with a nice plump 4096-bits at boot
> (common pool size these days for Linux urandom), and then generate the ssh
> keys, how many bits will be left over?

The proper design is to use a TRNG to seed a DRBG (aka PRNG) and to use only 
the DRBG for crypto purposes. The idea that the entropy of the DRBG state can be 
lost due to its use is misleading. Once you have enough bits to seed 
the DRBG (say, 384 bits for 256-bit security) you can use the DRBG to 
generate all the keys you need.

The only reason one may want to reseed the DRBG (by getting more bits from 
the TRNG) is if he is afraid that someone learned the DRBG state (say, by 
reading kernel memory). I guess it is not your case.

-- 
Regards,
ASK
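
The seed-once design described in the reply above, as an added example that is not part of the original message: an HMAC_DRBG (NIST SP 800-90A, SHA-256) seeded a single time with 384 bits and then used for every key. The names `HmacDrbg` and `derive_keys` are hypothetical, and `os.urandom` stands in for the device's TRNG as an assumption.

```python
import hashlib
import hmac
import os

class HmacDrbg:
    """HMAC_DRBG with SHA-256 per NIST SP 800-90A (no additional input)."""
    def __init__(self, seed: bytes):
        if len(seed) < 48:                      # 384 bits, the figure from the reply
            raise ValueError("need at least 384 bits of seed material")
        self.K = b"\x00" * 32
        self.V = b"\x01" * 32
        self._update(seed)

    def _hmac(self, key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, data: bytes = b"") -> None:
        self.K = self._hmac(self.K, self.V + b"\x00" + data)
        self.V = self._hmac(self.K, self.V)
        if data:
            self.K = self._hmac(self.K, self.V + b"\x01" + data)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, entropy: bytes) -> None:
        # Only needed if the state (K, V) may have been disclosed.
        self._update(entropy)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update()                          # ratchet state for backtracking resistance
        return out[:n]

def derive_keys(seed: bytes, count: int, size: int) -> list:
    """Draw `count` independent keys of `size` bytes from one seeding."""
    drbg = HmacDrbg(seed)
    return [drbg.generate(size) for _ in range(count)]

if __name__ == "__main__":
    seed = os.urandom(48)                       # assumption: stand-in for the TRNG
    drbg = HmacDrbg(seed)
    host_key_material = drbg.generate(512)      # e.g. input to SSH key generation
    own_secret = drbg.generate(64)              # the 512 bits wanted afterwards
    print(len(host_key_material), len(own_secret), len(drbg.K) + len(drbg.V))
```

The state stays at 64 bytes no matter how much output is drawn, and the output is a deterministic function of the seed, so its secrecy rests entirely on the 384 seed bits staying secret.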

