[Cryptography] Entropy Needed for SSH Keys?
Kent Borg
kentborg at borg.org
Mon May 23 12:51:18 EDT 2016
On 05/23/2016 12:13 AM, David Johnston wrote:
> While I'm gainfully employed as an RNG designer and general crypto
> security person, I hold the opinion that ignorance beats entropy.
Hear, hear!
I have long argued that an important consideration is the distance at
which your foe is forced to observe.
Consider the timing of a network interrupt.
A CPU's system clock doesn't even exist outside the CPU chip (clean
GHz-plus clock distribution is hard). So these digital chips go to the
extra effort of including an analog PLL to multiply up from a far lower
external oscillator that itself is fed only a very short distance to one
of the chip leads. So if it is a fast Intel-ish chip, an observer just a
few inches away will have a hard task to know what the Time Stamp
Counter's LSB will be at the instant the CPU reads it. And as the
observer's distance increases, low-order bits become unknowable--to that
observer. An observer at a couple meters is worse off than an observer
hovering over the CPU, and an observer just at the other end of my
last-mile DSL link (millisecond-order latency) is going to be in the
dark about a lot of low-order bits in the TSC. That observer likely can
estimate a little beyond the number of high-order zeros in the TSC (i.e.,
uptime).
When building an RNG, merely putting it in a big metal box--say, the
size of a computer--accomplishes a lot.
Unfortunately, Arm chips don't have counters running as fast as a TSC, so
you get far less ignorance per interrupt per
meter-to-which-you-can-push-off-your-foe. But this ignorance is still
significant, if not entropy.
-kb
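The post's point is that the low-order bits of a fast counter, read at an externally triggered moment, are what a distant observer cannot predict. The following is an added example, not code from the post or its author, that makes this measurable: it samples the low byte of the counter once per event and reports the min-entropy of the resulting distribution, which is the figure a guessing attacker actually faces. Assumptions: on x86 the counter is the TSC via `__rdtsc()`; on other architectures (most Arm boards) it falls back to `CLOCK_MONOTONIC` nanoseconds, which ticks far more slowly and so, as the post says, yields fewer unpredictable low bits per event; a short `nanosleep` stands in for a network interrupt as the sampling trigger.

```c
// Added example: how much of a counter's low byte is unpredictable per event?
// Not from the original post; the sleep-based trigger and the Arm fallback
// are assumptions of this example.
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#endif

/* Read a fast, free-running counter. On x86 this is the Time Stamp Counter
 * the post discusses; elsewhere we fall back to CLOCK_MONOTONIC nanoseconds,
 * a much slower tick that gives fewer unpredictable low-order bits. */
static uint64_t read_counter(void) {
#if defined(__x86_64__) || defined(__i386__)
    return __rdtsc();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* log2(x) for 0 < x <= 1 without libm: integer part by repeated doubling,
 * fractional part by squaring. Exact for powers of two, ~24 bits otherwise. */
static double log2_unit(double x) {
    double r = 0.0;
    while (x < 1.0) { x *= 2.0; r -= 1.0; }   /* now 1 <= x < 2 */
    double bit = 0.5;
    for (int i = 0; i < 24; i++) {
        x *= x;
        if (x >= 2.0) { x /= 2.0; r += bit; }
        bit *= 0.5;
    }
    return r;
}

/* Min-entropy in bits of a byte-valued sample: -log2(p_max). This is the
 * conservative figure (an attacker who always guesses the most frequent
 * value), not Shannon entropy. Empty input yields 0. */
double min_entropy_bits(const uint8_t *samples, size_t n) {
    if (n == 0) return 0.0;
    size_t hist[256] = {0};
    for (size_t i = 0; i < n; i++) hist[samples[i]]++;
    size_t max_count = 0;
    for (int v = 0; v < 256; v++) if (hist[v] > max_count) max_count = hist[v];
    return -log2_unit((double)max_count / (double)n);
}

/* Take the counter's low byte once per "event". A real design would sample
 * on an external event such as a network interrupt; here a nominal 50 us
 * nanosleep, whose true length jitters with the scheduler and hardware,
 * stands in for that trigger. Returns the number of samples written. */
size_t collect_low_bytes(uint8_t *out, size_t n) {
    struct timespec wait = {0, 50000};
    for (size_t i = 0; i < n; i++) {
        nanosleep(&wait, NULL);
        out[i] = (uint8_t)(read_counter() & 0xff);
    }
    return n;
}

int main(void) {
    enum { N = 2000 };
    uint8_t low[N];
    collect_low_bytes(low, N);
    printf("min-entropy of counter low byte over %d samples: %.2f bits (max 8)\n",
           N, min_entropy_bits(low, N));
    return 0;
}
```

On an x86 box the figure approaches 8 bits because the TSC advances billions of times a second between sleeps; with the nanosecond fallback, or on a system whose timer resolution is coarse, the histogram collapses onto a few values and the reported figure drops, which is exactly the Arm caveat in the post. A low figure from this estimator is a reason not to credit those bits, never a reason to credit more.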