Entropy and DSA key

Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
Wed Nov 7 04:39:35 EST 2001


On Tue, Nov 06, 2001 at 10:39:37AM -0600, Dave Dykstra wrote:
> On Tue, Nov 06, 2001 at 05:23:36PM +0100, Lutz Jaenicke wrote:
> > It does cause a delay until enough
> > entropy was gathered. Granted, it would allow for a cleaner implementation
> > than having the code built-in, but for understandable reasons collecting
> > entropy requires the effort to collect the entropy :-)
> 
> > Using a seed-save file helps, but somebody could steal it, so that calling
> > external gatherers at the time the cryptographic routines are started up
> > is an important issue.
> 
> I don't buy that argument.  If somebody has the ability to steal your
> seed-save file, that means your system has already been compromised so I
> don't see the point of trying to secure it further, certainly not at such a
> high cost of time spent on every ssh client startup.  I think the only
> thing to worry about is an external attacker.

With home directories on NFS, protecting the seed file is difficult and
accessing the seed file does not necessarily require compromising the
system. The private keys are protected by a passphrase, so while I still
would not like people stealing the key files, there exists an additional
line of defense.

Best regards,
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153



More information about the openssh-unix-dev mailing list