[Cryptography] Entropy Needed for SSH Keys?
Kent Borg
kentborg at borg.org
Fri May 27 10:12:28 EDT 2016
On 05/25/2016 10:25 PM, Theodore Ts'o wrote:
> Right but what are you measuring that CPU clock against? In the
> absence of interrupts if you are running something in a tight loop,
> and then periodically sampling the TSC, then if there is no jitter,
> the only thing which is unknown is the starting offset of the TSC.

Sorry, I am talking about measuring against external interrupts.

I guess I am promoting that old trick of beating two clocks against each
other. But I am impressed that one clock (in the case of Intel chips) is
pretty special: it is running very fast, it is physically small (does
not even exist beyond a span of a few mm), it is designed to be only
mostly regular and not particularly stable. It drives a counter that can
be sampled in response to an interrupt. As a bonus, this interrupt
servicing is itself very complex--but I don't trust that either.

The other clock (interrupt) has to be much slower: The CPU is mostly for
doing other work and doesn't want to spend all its time servicing
interrupts, and it is physically incapable of servicing interrupts at
anything very close to its internal clock speed.

It also seems important here that the TSC is running fast. We aren't
talking lots of big fat nanoseconds here, we are interested in the
precise phase on a sub-nanosecond period. I don't think we have to pine
for sloppy mechanical stuff like keyboard and mouse activity, I think
any interrupt from any other subsystem will do--let's fudge it and say
"subsystem with its own crystal". Certainly anything so external as a
network interrupt is great.

Is there a term for how far a photon can travel in a clock period? Well,
whatever that might be called, if the physical distance of a second
clock is on-order that far away--inches in this case--it feels like the
problem changes. It seems there is real entropy in the analog aspects
inside the CPU and there are theoretical problems with how well that
could ever be communicated to a distance, and similar problems with how
well it could ever be correlated at a distance.

Or am I being overly impressed by how fast 2GHz is?

-kb, the Kent who remembers kilocycles.
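
An added illustration, not part of the original message or thread: a simulation of the setup under discussion, a 2 GHz counter latched on arrivals from a slower interrupt source, with a simplified most-common-value min-entropy estimate over the low four bits of successive deltas. The interrupt period, jitter levels, sample count and function names are constructed assumptions, and the numbers describe this model, not any real CPU.

```python
import math
import random
from collections import Counter

TSC_PERIOD_PS = 500            # one tick of the "2GHz" counter from the post
IRQ_PERIOD_PS = 1_000_000_007  # constructed: ~1 ms interrupt source, own crystal


def tsc_at_interrupts(n, jitter_ps, seed=2016):
    """Simulate TSC values latched at n interrupt arrivals.

    Time is kept in integer picoseconds so that rounding error cannot pose
    as jitter. jitter_ps is the standard deviation of the interrupt clock's
    period as seen from the TSC (a constructed model parameter).
    """
    rng = random.Random(seed)
    t = rng.randrange(10**12)  # the unknown starting offset
    readings = []
    for _ in range(n):
        t += IRQ_PERIOD_PS + round(rng.gauss(0.0, jitter_ps))
        readings.append(t // TSC_PERIOD_PS)
    return readings


def min_entropy_low_bits(readings, bits=4):
    """Simplified most-common-value min-entropy estimate, in bits per
    sample, of the low bits of successive TSC deltas."""
    mask = (1 << bits) - 1
    deltas = [(b - a) & mask for a, b in zip(readings, readings[1:])]
    p_max = max(Counter(deltas).values()) / len(deltas)
    return -math.log2(p_max)


def sweep(n=20000):
    """Entropy estimate for three constructed jitter levels (in ps)."""
    return {j: min_entropy_low_bits(tsc_at_interrupts(n, j))
            for j in (0, 1_000, 100_000)}


if __name__ == "__main__":
    for jitter_ps, h in sweep().items():
        print(f"jitter {jitter_ps:>7} ps -> {h:.2f} bits in low 4 bits")
```

With zero jitter the deltas are fixed by the period ratio and the starting offset, the case described in the quoted text; the estimate rises only as the jitter between the two clocks reaches and then exceeds the counter's period.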