[147145] in cryptography@c2.net mail archive
Re: [Cryptography] real random numbers
daemon@ATHENA.MIT.EDU (Kent Borg)
Sun Sep 15 17:47:58 2013
X-Original-To: cryptography@metzdowd.com
Date: Sun, 15 Sep 2013 13:35:57 -0400
From: Kent Borg <kentborg@borg.org>
To: John Kelsey <crypto.jmk@gmail.com>
In-Reply-To: <2BA9929D-5160-418A-9BE4-22F3CC316362@gmail.com>
Cc: "David I. Emery" <die@dieconsulting.com>,
Cryptography List <cryptography@metzdowd.com>, John Denker <jsd@av8n.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 09/15/2013 10:19 AM, John Kelsey wrote:
> But those are pretty critical things, especially (a). You need to know
> whether it is yet safe to generate your high-value keypair. For that,
> you don't need super precise entropy estimates, but you do need at
> least a good first cut entropy estimate--does this input string have
> 20 bits of entropy or 120 bits?
Yes, the time I was part of designing a physical RNG product (for use in
real gambling, for real money) we made sure to not only sweep up all the
entropy sources we could, and not only mixed in fixed information such
as MAC addresses to further make different machines different, our
manufacturing procedures included pre-seeding the stored pool with data
from a Linux computer that had a mouse and keyboard and lots of human input.
We did not try to do entropy accounting, but did worry about having enough.
We also were going way overboard on security thinking, far exceeding
regulatory requirements for any jurisdiction we looked at. I don't know
if it ever shipped to a customer, but we got all the approvals
necessary so it could have...
I do agree that, though a Linux box might make keys on its first boot,
it should be used interactively first, and then generate keys.
Again Ubuntu (at least a "desktop" install) doesn't include sshd by
default, you have to decide to install it, and at that point, if there
is a human setting up things with a keyboard and mouse, there should be
a lot of entropy. Ubuntu "server" installations might be different, and
I would be very worried about automatic provisioning of server machines
in bulk.
-kb
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
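The "first cut" entropy estimate Kelsey asks for, wired into the first-boot key-generation gate Kent describes, as an added example that is not part of this thread: a Python check in which the most-common-value estimator, the 256-bit threshold and the /proc path are assumptions for illustration.

```python
import math
import os
from collections import Counter


def mcv_min_entropy_bits(sample: bytes) -> float:
    """First-cut min-entropy estimate from the most common value (the
    NIST SP 800-90B 'MCV' estimator): H_min per byte = -log2(p_max),
    total = n * H_min. It answers "about 20 bits or about 120?", not an
    exact figure, and it cannot see structure such as a counter or a
    repeating pattern, so treat it as an upper bound, never a guarantee."""
    if not sample:
        return 0.0
    n = len(sample)
    p_max = max(Counter(sample).values()) / n
    return n * -math.log2(p_max)


def read_kernel_entropy_avail(path="/proc/sys/kernel/random/entropy_avail"):
    """The kernel's own running estimate, in bits (Linux only)."""
    with open(path) as fh:
        return int(fh.read().strip())


def safe_to_generate_keypair(pool_sample: bytes, kernel_bits: int,
                             required_bits: int = 256) -> bool:
    """Gate a high-value keypair on BOTH the first-cut estimate of the
    stored/pre-seeded pool and the kernel counter; refuse if either is
    short. The 256-bit threshold is an assumption for illustration."""
    return (mcv_min_entropy_bits(pool_sample) >= required_bits
            and kernel_bits >= required_bits)


if __name__ == "__main__":
    # Constructed samples (not real captures): a pool that on first boot
    # holds little beyond a MAC address, versus one pre-seeded from a
    # machine that saw plenty of mouse and keyboard input.
    first_boot_pool = b"\x00" * 186 + bytes.fromhex("a1b2c3d4e5f6")
    human_seeded_pool = os.urandom(192)
    try:
        kernel_bits = read_kernel_entropy_avail()
    except OSError:  # not Linux, or /proc unavailable
        kernel_bits = 0
    for name, pool in (("first boot", first_boot_pool),
                       ("pre-seeded", human_seeded_pool)):
        est = mcv_min_entropy_bits(pool)
        ok = safe_to_generate_keypair(pool, kernel_bits)
        print(f"{name}: ~{est:.0f} bits in pool, kernel reports {kernel_bits}"
              f": {'generate' if ok else 'wait for more input'}")
```

Writing a stored seed into /dev/urandom mixes it into the pool but does not raise the kernel's counter; crediting it needs the RNDADDENTROPY ioctl, which is why the gate reads the counter separately.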