[Cryptography] Entropy Needed for SSH Keys?

Kent Borg kentborg at borg.org
Tue May 24 10:05:16 EDT 2016


On 05/23/2016 11:35 AM, Theodore Ts'o wrote:
> I agree with this, and there are ways in which this can be useful --- 
> for example, using the relative strength from multiple access points 
> to seed a random number generator may be useful because the NSA 
> analyst sitting in Fort Meade might not know whether the mobile phone 
> in your knapsack is sitting on top of the desk or below it, and this 
> would change the RSSI numbers that you might get.

I like that. Not a lot of bits, but some.

> For example if you read the claims made by the CPU Jitter "True Random 
> Number Generator", it essentially (albeit perhaps slightly unfairly) 
> boils down to "The algorithms L1/L2 cache of an Intel CPU are horribly 
> complex, and no one can figure them out, so we can treat the timing 
> results as true randomness."

Assume there is no jitter. Just consider that the TSC is running at over 
2GHz.

For an observer to know what value the CPU will read, that observer will 
have to know not only how the CPU might jitter (and let's assume zero), 
but also the observer needs to know the state of the clock. Not just how 
many ticks have gone by (hard already), but exactly *where* the edge of 
those ticks is or an LSB value will slip by. The observer needs precise 
phase information.

Isn't this essentially an exercise in clean distribution of a crappy 
clock? That clock only exists over the space of a few millimeters--but 
enough span that the "correct" phase information starts out ambiguous.

Tracking a good clock is hard (the right answer is a win), tracking a 
crappy clock is harder (gotta know the specific wrong answer). GPS is 
designed to be as accurate as possible, yet its time distribution 
accuracy at best is nanoseconds. Frequency accuracy (an easier problem) 
is still only 10-times better via GPS. But an observer of my TSC needs 
to do still better, tracking a crappy clock, without my cooperation, 
from how far away?

Thought experiment: Best-case design a system that can precisely track 
phase of a 2GHz CPU clock over a distance of meters. A clock that is 
referenced to a crystal that is not temperature compensated, multiplied 
up by a PLL that is designed only to be good enough, and then 
intentionally made worse with a spread-spectrum smear varying the 
frequency. Spend millions if you have to, be big and bulky, but track 
that clock edge.

How confident are you that it can be done at all? And if it can be done, 
to a distance of how many meters?


Now do it covertly and cheaply.


-kb
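The argument above rests on the low bits of a fast counter being unpredictable to an observer who lacks phase information. Whether that holds on a given machine is something to measure rather than assume, so here is an added example (not part of the original message or of the CPU Jitter RNG project) that samples deltas between consecutive reads of a high-resolution clock, keeps the low bits, and computes plug-in Shannon and min-entropy estimates. It assumes `time.perf_counter_ns()` as a portable stand-in for reading the TSC, and includes a constructed zero-jitter clock to show what the estimates look like when every tick is exactly predictable, which is the "assume there is no jitter" case from the post.

```python
"""Plug-in entropy estimates for the low bits of timing deltas.

Added example: `time.perf_counter_ns` stands in for a TSC read; the
estimators are the plain frequency-count (plug-in) versions, which
overestimate true entropy on small samples and are a sanity check,
not a certification of an entropy source.
"""
import math
import time
from collections import Counter
from typing import Callable, Dict, Iterable, List


def shannon_entropy(samples: Iterable[int]) -> float:
    """Shannon entropy (bits per sample) from empirical frequencies."""
    counts = Counter(samples)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def min_entropy(samples: Iterable[int]) -> float:
    """Min-entropy (bits per sample): -log2 of the most frequent value's share.

    This is the quantity that matters for an attacker guessing the
    single most likely value, so it is the conservative figure to use.
    """
    counts = Counter(samples)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    p_max = max(counts.values()) / total
    return -math.log2(p_max)


def low_bits(values: Iterable[int], bits: int) -> List[int]:
    """Keep only the `bits` least significant bits of each value."""
    mask = (1 << bits) - 1
    return [v & mask for v in values]


def timing_deltas(n: int, clock: Callable[[], int] = time.perf_counter_ns) -> List[int]:
    """Collect n deltas between consecutive reads of `clock`."""
    deltas = []
    prev = clock()
    for _ in range(n):
        now = clock()
        deltas.append(now - prev)
        prev = now
    return deltas


def assess(deltas: Iterable[int], bits: int) -> Dict[str, float]:
    """Entropy estimates for the low `bits` of the given deltas."""
    lsbs = low_bits(deltas, bits)
    return {
        "shannon": shannon_entropy(lsbs),
        "min": min_entropy(lsbs),
        "max_possible": float(bits),
    }


class FakeClock:
    """Constructed zero-jitter clock: advances by a fixed step per read.

    Models an observer who knows the tick rate and the phase exactly;
    every delta is identical, so the low bits carry no entropy.
    """

    def __init__(self, step: int) -> None:
        self.step = step
        self.now = 0

    def __call__(self) -> int:
        self.now += self.step
        return self.now


if __name__ == "__main__":
    real = assess(timing_deltas(4096), bits=4)
    fake = assess(timing_deltas(4096, FakeClock(7)), bits=4)
    print("real clock  :", real)
    print("zero-jitter :", fake)
    if real["min"] < 0.5 * real["max_possible"]:
        print("warning: low bits are far from uniform; do not credit full entropy")
```

Run it on a few machines and compare the `min` figure against `max_possible`; a value well below the bit width means the low bits are skewed (coarse clock resolution, or a counter that only advances in fixed steps), and a seeding scheme must credit far fewer bits per read than the bit width suggests.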

