[Cryptography] Entropy Needed for SSH Keys?

Ray Dillinger bear at sonic.net
Mon May 23 14:09:46 EDT 2016



On 05/22/2016 09:19 AM, Alexander Klimov wrote:

> The proper design is to use TRNG to seed DRBG (aka PRNG) and use only 
> DRBG for crypto purposes. The idea that entropy of DRBG state can be 
> lost due to its use is misleading. Once you have enough bits to seed 
> DRBG (say, 384 bits for 256-bit security) you can use DRBG to 
> generate all the keys you need.
> 
> The only reason one may want to reseed DRBG (by getting more bits from 
> TRNG) is if he is afraid that someone learned the DRBG state (say, by 
> reading kernel memory). I guess it is not your case.

This is very close to true.  It is certainly true if one trusts the
algorithm and coding of one's DRBG and intends to produce less than
a few trillion keys.

But, honestly, I sincerely question the idea that you need random
numbers "early" in the boot process.  It's like thinking that you
have to be in the middle of a long-distance call before you can
hook up your phone.  We were building operating systems that could
finish booting up without network connections a long time ago.
Thinking that we've lost that technology is silly. A non-networked
operating system on a machine with sensors can run a program
capable of gathering entropy, gather entropy, and *then* start
using the network.

So, if you're looking at a situation where anything is asking for
key generation before bootup is even complete, you're looking at
a design failure.  It is bad design to do something the hard way
when there is an easy way that is more reliable.

				Bear
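The design Klimov describes above (a TRNG seeds a DRBG once, the DRBG then produces every key, and reseeding is only for recovering from a suspected state compromise) is easy to see in working code. The following is an added illustration, not code from either poster: a minimal HMAC_DRBG over SHA-256 in the shape of NIST SP 800-90A, instantiated with 384 bits of entropy as in the quoted message. `os.urandom` stands in for the hardware TRNG, the `HmacDrbg` class and the helper functions are assumptions of this example, and the sample seed in the `__main__` block is constructed for demonstration only.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """HMAC_DRBG (NIST SP 800-90A style) over SHA-256.

    Assumed example implementation; not the code of any particular library.
    The state (K, V) is derived from the seed and advances with every
    generate() call, so output does not 'use up' the entropy it was seeded with.
    """

    # SP 800-90A allows up to 2**48 generate requests between reseeds.
    RESEED_INTERVAL = 2 ** 48

    def __init__(self, entropy_input: bytes, nonce: bytes = b"", personalization: bytes = b""):
        # 256-bit security needs at least 256 bits of entropy; the quoted
        # message suggests 384 bits, which also covers the nonce requirement.
        if len(entropy_input) < 32:
            raise ValueError("need at least 256 bits of entropy for 256-bit security")
        self.K = b"\x00" * 32
        self.V = b"\x01" * 32
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update: mix provided data into K and V.
        self.K = hmac.new(self.K, self.V + b"\x00" + provided, hashlib.sha256).digest()
        self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()
        if provided:
            self.K = hmac.new(self.K, self.V + b"\x01" + provided, hashlib.sha256).digest()
            self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()

    def reseed(self, entropy_input: bytes, additional: bytes = b"") -> None:
        # Only needed if the state may have been exposed (e.g. kernel memory read).
        self._update(entropy_input + additional)
        self.reseed_counter = 1

    def generate(self, n_bytes: int, additional: bytes = b"") -> bytes:
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        if additional:
            self._update(additional)
        out = b""
        while len(out) < n_bytes:
            self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()
            out += self.V
        self._update(additional)  # backtrack resistance: old state is unrecoverable
        self.reseed_counter += 1
        return out[:n_bytes]


def seed_from_trng(n_bytes: int = 48) -> bytes:
    """Obtain seed material; os.urandom stands in for a hardware TRNG (assumption)."""
    return os.urandom(n_bytes)


def generate_keys(drbg: HmacDrbg, count: int, key_len: int = 32) -> list:
    """Derive `count` independent symmetric keys from one seeded DRBG."""
    return [drbg.generate(key_len) for _ in range(count)]


if __name__ == "__main__":
    # Seed once from the entropy source, then generate as many keys as needed.
    drbg = HmacDrbg(seed_from_trng(48), personalization=b"example-host-keygen")
    for k in generate_keys(drbg, 3):
        print(k.hex())
```

Two things this makes concrete: with the same 384-bit seed the generator is fully deterministic, so everything rests on the quality of that one seed, and `reseed()` is the only operation that pulls in fresh entropy, which matches the quoted point that reseeding is a compromise-recovery measure rather than a way of "refilling" the generator.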


