[Cryptography] Entropy Needed for SSH Keys?

Kent Borg kentborg at borg.org
Sun May 22 21:18:10 EDT 2016


Dammit, I can neither remember nor find that quote about how using a 
deterministic process to make up random numbers is against nature, or 
grace, or the universe. Like I say, I can't find it.

On 05/22/2016 06:27 PM, Hanno Böck wrote:
> Here you have a fundamental misunderstanding (albeit a common one). 
> Entropy bits don't get used up (although Linux's /dev/random manpage 
> tries to tell you so). Once your rng is properly initialized with 
> enough entropy you can use it [...]

That agrees with another answer I got, but the worrywart in me frowns on 
putting so much faith in the perfection of SHA-1 (to pick a random 
version of Linux's drivers/char/random.c). Especially when it can be so 
easy to stir the pot and make a guessing observer's life a theoretical 
hell and not just a practical hell.

> [...] practically forever.

You hedge. Why? If the crypto is good, if it hides the pool state, 
what's the problem? At how many bits of draw does it become a problem? 
And why then? Why the hedge?


Another response I got also referred me to https://factorable.net/ but 
it looks completely experimental, watching keys degrade as the system is 
starved of entropy.


Let me try my own experiment:

   # strace ssh-keygen -t rsa

Lot of output, only one mention of the string "random":

   [...]
   open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
   fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
   poll([{fd=3, events=POLLIN}], 1, 10)    = 1 ([{fd=3, revents=POLLIN}])
   read(3, "\255J\373\231\323\256\251^\314\207MqkC\332\222^\352\275\307\373\351bM\267\273\260$G\232\301\r", 32) = 32
   close(3)                                = 0
   [...]

(Was I supposed to say "dsa"? Okay...tried that too, same result.)

Looks to me like it read 256 bits. I would have expected it to read 
more, just to waste some if nothing else.

Nowhere near using up 4096 bits (if "using up" even is real). Maybe do 
both DSA and RSA? It still would only "use" 1/8 of a 4096-bit pool.


-kb

