On 09/15/2013 10:19 AM, John Kelsey wrote:
> But those are pretty critical things, especially (a). You need to know whether it is yet safe to generate your high-value keypair. For that, you don't need super precise entropy estimates, but you do need at least a good first cut entropy estimate--does this input string have 20 bits of entropy or 120 bits?

Yes, the time I was part of designing a physical RNG product (for use in real gambling, for real money) we made sure to not only sweep up all the entropy sources we could, and not only mixed in fixed information such as MAC addresses to further make different machines different, our manufacturing procedures included pre-seeding the stored pool with data from a Linux computer that had a mouse and keyboard and lots of human input.

We did not try to do entropy accounting, but did worry about having enough.

We also were going way overboard on security thinking, far exceeding regulatory requirements for any jurisdiction we looked at. I don't know if it ever shipped to a customer, but we got all the approvals necessary so it could have...

I do agree that, though a Linux box might make keys on its first boot, it should be used interactively first, and then generate keys.

Again, Ubuntu (at least a "desktop" install) doesn't include sshd by default; you have to decide to install it, and at that point, if there is a human setting up things with a keyboard and mouse, there should be a lot of entropy. Ubuntu "server" installations might be different, and I would be very worried about automatic provisioning of server machines in bulk.
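
Added example, not part of the original thread: one way a first-boot provisioning script could refuse to generate keys until the kernel RNG reports that it has been seeded. It assumes Linux 3.17+ (getrandom(2)) and Python 3.6+; the function names, timeout and interval are hypothetical.

```python
import os
import time


def kernel_rng_seeded():
    """Return True once the Linux kernel CSPRNG has been initialised."""
    if not hasattr(os, "getrandom"):
        raise NotImplementedError("os.getrandom is only available on Linux")
    try:
        # GRND_NONBLOCK makes getrandom(2) fail with EAGAIN instead of
        # blocking when the pool has not been initialised yet.
        os.getrandom(1, os.GRND_NONBLOCK)
        return True
    except BlockingIOError:
        return False


def wait_for_seeded_rng(probe=kernel_rng_seeded, timeout=60.0, interval=0.5,
                        sleep=time.sleep, clock=time.monotonic):
    """Poll `probe` until it reports a seeded RNG; return the attempt count.

    Raises TimeoutError if the pool is still unseeded at the deadline, so a
    bulk-provisioned machine fails closed instead of making weak keys.
    """
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        if probe():
            return attempts
        if clock() >= deadline:
            raise TimeoutError(
                "kernel RNG not seeded after %d probes" % attempts)
        sleep(interval)


def generate_key_material(nbytes=32, **wait_kwargs):
    """Return `nbytes` of key material, but only after the seeding gate."""
    wait_for_seeded_rng(**wait_kwargs)
    # os.urandom on Linux would itself block until the pool is initialised;
    # the explicit gate turns that into a bounded failure that can be logged.
    return os.urandom(nbytes)


if __name__ == "__main__":
    print(generate_key_material().hex())
```

This checks only that the kernel considers its pool initialised; it does not estimate how much entropy a given input contributed.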


The cryptography mailing list