On 09/15/2013 10:19 AM, John Kelsey wrote:
But those are pretty critical things, especially (a). You need to know
whether it is yet safe to generate your high-value keypair. For that,
you don't need super precise entropy estimates, but you do need at
least a good first cut entropy estimate--does this input string have
20 bits of entropy or 120 bits?
Yes, the time I was part of designing a physical RNG product (for use in
real gambling, for real money) we made sure to not only sweep up all the
entropy sources we could, and not only mixed in fixed information such
as MAC addresses to further make different machines different, our
manufacturing procedures included pre-seeding the stored pool with data
from Linux computer that had a mouse and keyboard and lots of human input.
We did not try to do entropy accounting, but did worry about having enough.
We also were going way overboard on security thinking, far exceeding
regulatory requirements for any jurisdiction we looked at. I don't know
if it every shipped to a customer, but we got all the approvals
necessary so it could have...
I do agree that, though a Linux box might make keys on its first boot,
it should be used interactively first, and then generate keys.
Again Ubuntu (at least a "desktop" install) doesn't include sshd by
default, you have to decide to install it, and at that point, if there
is a human setting up things with a keyboard and mouse, there should be
a lot of entropy. Ubuntu "server" installations might be different, and
I would be very worried about automatic provisioning of server machines
The cryptography mailing list