[Cryptography] Entropy Needed for SSH Keys?

Kent Borg kentborg at borg.org
Mon May 23 12:51:18 EDT 2016


On 05/23/2016 12:13 AM, David Johnston wrote:
> While I'm gainfully employed as an RNG designer and general crypto 
> security person, I hold the opinion that ignorance beats entropy.

Hear, hear!

I have long argued that an important consideration is the distance at 
which your foe is forced to observe.

Consider the timing of a network interrupt.

A CPU's system clock doesn't even exist outside the CPU chip (clean 
GHz-plus clock distribution is hard). So these digital chips go to the 
extra effort of including an analog PLL to multiply up from a far lower 
external oscillator that itself is fed only a very short distance to one 
of the chip leads. So if it is a fast Intel-ish chip, an observer just a 
few inches away will have a hard task to know what the Time Stamp 
Counter's LSB will be at the instant the CPU reads it. And as the 
observer's distance increases, low-order bits become unknowable--to that 
observer. An observer at a couple meters is worse off than an observer 
hovering over the CPU, an observer just at the other end of my 
last-mile DSL link (millisecond-order latency) is going to be in the 
dark about a lot of low order bits in the TSC. That observer likely can 
estimate a little beyond the number of high-order zeros in the TSC (i.e., 
uptime).

When building an RNG, merely putting it in a big metal box--say, the 
size of a computer--accomplishes a lot.

Unfortunately, Arm chips don't have counters running as fast as a TSC, so 
you get far less ignorance per interrupt per 
meter-to-which-you-can-push-off-your-foe. But this ignorance is still 
significant, if not entropy.

-kb
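The point above, that low-order counter bits are not random but are unknowable to an observer whose timing error spans many ticks, can be made concrete with a small simulation. The code below is an added example, not part of the original post: it assumes a 3 GHz counter and models the observer's estimate of the interrupt time as the true time plus Gaussian error with standard deviation sigma (both constructed assumptions). It reports how many low-order bits a quick back-of-envelope says are beyond the observer, and then measures the min-entropy of the residual (true counter value minus the observer's guess) over a chosen number of low bits.

```python
import math
import random

# Assumed counter rate (constructed figure, roughly a fast x86 TSC).
TSC_HZ = 3_000_000_000


def unknowable_bits(timing_uncertainty_s, counter_hz=TSC_HZ):
    """Rough count of low-order counter bits hidden from an observer who can
    only place the read within +/- timing_uncertainty_s: log2 of the number
    of ticks that window covers (0 if the window is under one tick)."""
    ticks = timing_uncertainty_s * counter_hz
    if ticks < 1:
        return 0.0
    return math.log2(ticks)


def residual_min_entropy(sigma_s, low_bits, trials=20000, seed=1,
                         counter_hz=TSC_HZ):
    """Simulate an observer guessing the counter value read at an interrupt.

    The interrupt lands at a uniformly random instant in a 1 s window; the
    observer's time estimate carries Gaussian error sigma_s. The residual
    (true - guess) is reduced to its low_bits low-order bits and the
    min-entropy -log2(max probability) of that residual is returned.
    An observer standing right over the chip (tiny sigma) sees a residual
    that is almost always 0; a distant one sees the low bits as flat."""
    rng = random.Random(seed)
    mask = (1 << low_bits) - 1
    counts = {}
    for _ in range(trials):
        true_t = rng.uniform(0.0, 1.0)
        true_tsc = math.floor(true_t * counter_hz)
        guess_tsc = math.floor((true_t + rng.gauss(0.0, sigma_s)) * counter_hz)
        residual = (true_tsc - guess_tsc) & mask
        counts[residual] = counts.get(residual, 0) + 1
    p_max = max(counts.values()) / trials
    return -math.log2(p_max)


def observer_report(low_bits=8):
    """Compare three observers: over the chip, a few cm away, and at the far
    end of a millisecond-latency link. Returns {label: (bits, min_entropy)}."""
    observers = {
        "over the chip (0.1 ns)": 1e-10,
        "a few cm away (1 ns)": 1e-9,
        "DSL far end (1 ms)": 1e-3,
    }
    return {
        label: (unknowable_bits(sigma), residual_min_entropy(sigma, low_bits))
        for label, sigma in observers.items()
    }


if __name__ == "__main__":
    for label, (bits, h_min) in observer_report().items():
        print(f"{label:24s} ~{bits:5.1f} bits unknowable; "
              f"min-entropy of low 8 bits = {h_min:.2f}")
```

Min-entropy is the right yardstick here because it is what an attacker's best single guess achieves; the measured value for the far observer sits just under 8 only because of sampling noise over 256 buckets. Note too that this is ignorance, not entropy in the author's sense: the same counter read is fully predictable to the close observer.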


