Entropy and DSA key
Lutz Jaenicke
Lutz.Jaenicke at aet.TU-Cottbus.DE
Wed Nov 7 04:39:35 EST 2001
On Tue, Nov 06, 2001 at 10:39:37AM -0600, Dave Dykstra wrote:
> On Tue, Nov 06, 2001 at 05:23:36PM +0100, Lutz Jaenicke wrote:
> > It does cause a delay until enough
> > entropy was gathered. Granted, it would allow for a cleaner implementation
> > than having the code built-in, but for understandable reasons collecting
> > entropy requires the effort to collect the entropy :-)
>
> > Using a seed-save file helps, but somebody could steal it, so that calling
> > external gatherers at the time the cryptographic routines are started up
> > is an important issue.
>
> I don't buy that argument. If somebody has the ability to steal your
> seed-save file, that means your system has already been compromised so I
> don't see the point of trying to secure it further, certainly not at such a
> high cost of time spent on every ssh client startup. I think the only
> thing to worry about is an external attacker.
With home directories on NFS protecting the seed file is difficult and
accessing the seed file does not necessarily require compromising the
system. The private keys are protected by a passphrase, so while I still
would not like people stealing the key files, there exists an additional
line of defense.
Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
More information about the openssh-unix-dev
mailing list