[Cryptography] Entropy Needed for SSH Keys?

Theodore Ts'o tytso at mit.edu
Mon May 23 11:35:56 EDT 2016


On Sun, May 22, 2016 at 09:13:20PM -0700, David Johnston wrote:
> While I'm gainfully employed as an RNG designer and general crypto security
> person, I hold the opinion that ignorance beats entropy.
> 
> In one sense, ignorance of the state of a system can be equated to that
> system having entropy relative to the thing that is ignorant of the state of
> the system.
> 
> However we tend to think of entropy as being an intrinsic thing, arising
> from underlying quantum uncertainty, rather than a relative thing.
> 
> However we know we don't have a complete understanding of quantum physics or
> quantum uncertainty, whereas we know all about ignorance. You can rely on
> ignorance. If someone is ignorant of your key, the key works just fine in a
> crypto system that is intended to prevent that person undermining security
> in some way.

I agree with this, and there are ways in which this can be useful ---
for example, using the relative strength from multiple access points
to seed a random number generator may be useful because the NSA
analyst sitting in Fort Meade might not know whether the mobile phone
in your knapsack is sitting on top of the desk or below it, and this
would change the RSSI numbers that you might get.

However, I do worry about this a bit to the extent that sometimes we
don't know what we don't know, or more importantly, we don't know what
the adversary might be able to find out.  For example if you read the
claims made by the CPU Jitter "True Random Number Generator", it
essentially (albeit perhaps slightly unfairly) boils down to "The
L1/L2 cache algorithms of an Intel CPU are horribly complex, and no
one can figure them out, so we can treat the timing results as true
randomness."

Well, maybe you and I can't figure them out, but maybe someone with a
more detailed understanding of the implementation details of the Intel
CPU could do a better job.

So while I think it is a useful engineering tool, and it's something
I've relied upon myself, to use it as a fundamental design principle
could be dangerous.

Cheers,

						- Ted
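
Added example (not part of Ted's mail or of the thread): the point that
entropy is relative to the observer, made concrete in Python. A toy,
fully deterministic 16-bit LCG stands in for a "horribly complex" timing
source; it is a constructed stand-in, not a model of any real CPU, and the
generator constants, seed and sample count are arbitrary choices for the
demo. The naive observer applies a most-common-value min-entropy estimate
to the samples and sees close to 6 bits per sample. The informed observer
knows the generator's design but not its seed, recovers the hidden state
from a handful of outputs, and from then on predicts every later sample:
the same bytes carry zero entropy relative to that observer.

```python
"""Added example (not from the mailing-list thread): an entropy estimate
measures the observer's ignorance, not an intrinsic property of the source.

The 'source' below is a toy, fully deterministic 16-bit LCG standing in
for a 'horribly complex' timing signal. It is constructed for illustration
and is not a model of any real CPU. Two observers look at the same samples:

  * the naive observer applies a most-common-value min-entropy estimate
    and sees roughly log2(64) = 6 bits per sample;
  * the informed observer knows the generator's design (but not its seed),
    recovers the hidden state from a few outputs and then predicts every
    later sample, i.e. the conditional min-entropy is zero for them.
"""
import math
import time
from collections import Counter

# Toy generator: 16-bit LCG with full period (c odd, a-1 divisible by 4).
# Constants are arbitrary demo choices.
M = 2 ** 16
A = 25173
C = 13849


def lcg_step(state):
    return (A * state + C) % M


def output(state):
    """Output map: the top 6 bits of the state, values 0..63."""
    return state >> 10


def toy_jitter_source(n, seed):
    """Constructed stand-in for a timing source. Fully determined by seed."""
    state = seed % M
    out = []
    for _ in range(n):
        state = lcg_step(state)
        out.append(output(state))
    return out


def collect_timing_jitter(n):
    """Real timing deltas (low 6 bits) for readers who want to try the naive
    estimator on their own machine. Not used by the deterministic demo."""
    deltas = []
    prev = time.perf_counter_ns()
    for _ in range(n):
        now = time.perf_counter_ns()
        deltas.append((now - prev) & 0x3F)
        prev = now
    return deltas


def mcv_min_entropy(samples):
    """Naive observer: most-common-value estimate, -log2(p_max) bits/sample.
    Treats samples as i.i.d. and knows nothing about internal state (no
    confidence-interval adjustment, unlike SP 800-90B's MCV estimator)."""
    if not samples:
        raise ValueError("no samples")
    p_max = max(Counter(samples).values()) / len(samples)
    return -math.log2(p_max)


def informed_prediction_rate(samples, warmup=6):
    """Informed observer: knows A, C, M and the output map but not the seed.
    Tracks every internal state consistent with the samples seen so far and
    predicts a sample only when all surviving states agree on it.
    Returns (fraction of post-warmup samples predicted correctly,
             number of candidate states still alive at the end)."""
    # Every state that could have produced the first observed sample.
    candidates = {s for s in range(M) if output(s) == samples[0]}
    for observed in samples[1:warmup]:
        candidates = {lcg_step(s) for s in candidates
                      if output(lcg_step(s)) == observed}
    hits = 0
    for observed in samples[warmup:]:
        nexts = {lcg_step(s) for s in candidates}
        guesses = {output(s) for s in nexts}
        if len(guesses) == 1 and observed in guesses:
            hits += 1
        candidates = {s for s in nexts if output(s) == observed}
    return hits / len(samples[warmup:]), len(candidates)


def compare_observers(n=2048, seed=4242):
    """Same samples, two observers: (naive bits/sample, informed hit rate,
    surviving candidate states for the informed observer)."""
    samples = toy_jitter_source(n, seed)
    naive_bits = mcv_min_entropy(samples)
    rate, survivors = informed_prediction_rate(samples)
    return naive_bits, rate, survivors


if __name__ == "__main__":
    naive_bits, rate, survivors = compare_observers()
    print(f"naive MCV estimate: {naive_bits:.2f} bits/sample")
    print(f"informed observer predicts {rate:.1%} of samples "
          f"({survivors} candidate state(s) left)")
```

Running it prints an estimate near 6 bits per sample beside a 100%
prediction rate from the observer who knows the design. The same naive
estimator applied to real perf_counter deltas from collect_timing_jitter
says only that *this* estimator cannot predict them, which is exactly the
gap between "we can't figure it out" and "nobody can" that the mail is
worried about.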

