[147951] in cryptography@c2.net mail archive
Re: [Cryptography] What's a Plausible Attack On Random Number
daemon@ATHENA.MIT.EDU (Glenn Willen)
Fri Nov 1 19:22:14 2013
X-Original-To: cryptography@metzdowd.com
From: Glenn Willen <gwillen@nerdnet.org>
In-Reply-To: <527412D2.7050707@av8n.com>
Date: Fri, 1 Nov 2013 16:06:46 -0700
To: John Denker <jsd@av8n.com>
Cc: Jerry Leichter <leichter@lrw.com>, Yaron Sheffer <yaronf.ietf@gmail.com>,
"cryptography@metzdowd.com List" <cryptography@metzdowd.com>,
John Gilmore <gnu@toad.com>, David Mercer <radix42@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Nov 1, 2013, at 1:45 PM, John Denker wrote:
>
> Alas, that leaves important parts of the problem unsolved. We
> cannot "forget it" until we solve the whole problem.
>
> For example: SSH has to cut host keys when it is first used
> (if not before). This requires a lot of high-quality randomly-
> distributed bits. There are a gazillion scenarios where this
> has to happen /before/ the first DHCP happens. For example,
> I might need to "ssh root@localhost" in order to configure DHCP.
Perhaps we're going about this the wrong way. If the machine isn't on the network yet, then it doesn't really need a secure host key. Maybe if we need keys for the configuration process, such as ssh host keys, we should then throw them away and regenerate them (as a one-time process) after configuration is complete? That way the long-term keep-it-for-decades key doesn't have to be the same key we generated at the absolute least-entropy time in the machine's lifecycle.
Honestly, how much would it hurt to do the same thing in the general case? Let ssh generate a host key on first boot, then once the entropy pool fills, throw the key away and generate a new permanent key? There will be a short window during which _maybe possibly_ the key is slightly weak, but we wouldn't be using an all-zeroes key or anything during that time. And the permanent key will be a lot safer for long-term use.
Glenn
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
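The provisional-then-permanent host key lifecycle that Glenn sketches, worked through as an added example (this is not code from the post, from OpenSSH, or from any distribution's first-boot scripts). It assumes a Linux-style kernel entropy estimate readable from /proc/sys/kernel/random/entropy_avail, a 32-byte seed standing in for a real host key (an Ed25519 private key is a 32-byte seed, but here it is only random bytes that get fingerprinted), and an assumed rotation threshold of 256 bits. The entropy reader and the RNG are injectable so the lifecycle can be exercised offline with a scripted sequence of readings; the names HostKeyManager, first_boot, maybe_rotate and scripted_reader are all this example's own. One caveat a practitioner would add: on Linux since 5.6 getrandom(2) blocks until the pool is initialized and then never again, so in production the "pool has filled" check is better expressed as "a blocking getrandom() call has returned once" than as a threshold on entropy_avail, which newer kernels report as a constant 256 once seeded.

```python
"""Provisional-then-permanent SSH host key lifecycle (added example).

Not code from the mailing-list post or from OpenSSH.  The 32-byte seed
stands in for a real host key; in practice generate_seed()/fingerprint()
would be replaced by an ssh-keygen invocation.  Names and the threshold
are assumptions for illustration.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
# Assumed threshold: rotate once the kernel reports at least this many bits.
ROTATE_THRESHOLD_BITS = 256


def read_entropy_avail(path: str = ENTROPY_AVAIL) -> Optional[int]:
    """Kernel entropy estimate, or None when the file is absent (non-Linux)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def generate_seed(rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """32 random bytes standing in for a host key's private seed."""
    return rng(32)


def fingerprint(seed: bytes) -> str:
    """SHA-256 fingerprint, truncated for display (stand-in for ssh-keygen -l)."""
    return "SHA256:" + hashlib.sha256(seed).hexdigest()[:32]


@dataclass
class HostKey:
    seed: bytes
    provisional: bool               # True until regenerated after the pool fills
    entropy_at_generation: Optional[int]


class HostKeyManager:
    """Cuts a key immediately on first boot, then replaces it exactly once."""

    def __init__(self, entropy_reader=read_entropy_avail, rng=os.urandom,
                 threshold: int = ROTATE_THRESHOLD_BITS):
        self._read = entropy_reader
        self._rng = rng
        self._threshold = threshold
        self.key: Optional[HostKey] = None
        self.rotations = 0
        self.retired_fingerprints: List[str] = []  # so operators can explain known_hosts changes

    def first_boot(self) -> HostKey:
        """Generate whatever key the system can right now so sshd can start."""
        self.key = HostKey(generate_seed(self._rng), True, self._read())
        return self.key

    def maybe_rotate(self) -> bool:
        """Call periodically after boot; returns True on the single rotation."""
        if self.key is None or not self.key.provisional:
            return False                      # already permanent: never rotate again
        avail = self._read()
        if avail is None or avail < self._threshold:
            return False                      # pool not (known to be) full yet
        self.retired_fingerprints.append(fingerprint(self.key.seed))
        self.key = HostKey(generate_seed(self._rng), False, avail)
        self.rotations += 1
        return True


def scripted_reader(readings: Iterable[Optional[int]]) -> Callable[[], Optional[int]]:
    """Constructed entropy source: yields each reading once, then repeats the last."""
    it = iter(readings)
    last: List[Optional[int]] = [None]

    def read() -> Optional[int]:
        try:
            last[0] = next(it)
        except StopIteration:
            pass
        return last[0]
    return read


def run_demo(readings=(0, 16, 128, 256, 256)) -> Dict[str, object]:
    """Boot with readings[0], then poll once per remaining reading."""
    mgr = HostKeyManager(entropy_reader=scripted_reader(readings))
    first = mgr.first_boot()
    rotated_at = None
    for i in range(1, len(readings)):
        if mgr.maybe_rotate() and rotated_at is None:
            rotated_at = i
    return {
        "rotated_at": rotated_at,
        "rotations": mgr.rotations,
        "provisional_fp": fingerprint(first.seed),
        "permanent_fp": fingerprint(mgr.key.seed),
        "final_provisional": mgr.key.provisional,
        "retired": list(mgr.retired_fingerprints),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The retired-fingerprint list is the part that matters operationally: any client that connected during the provisional window will see a host key change on its next connection, so the old fingerprint should be logged somewhere an operator can find it rather than silently discarded.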