8

I'm using PuttyGen to generate ssh keys for various windows computers. It requires a lot of manual user input, specifically in the form of swirling the mouse around in the window pane. I understand this to be necessary because Windows either doesn't have a random number generator like Linux's /dev/random or PuttyGen doesn't have access to it. But this got me to thinking: is swirling the mouse around in a little area sufficiently random to generate a good SSH-RSA key? Should I rather generate them on a Linux machine and port them over to the windows machines via flash drive or something (security issues with key movement notwithstanding)?

mas
  • Windows does have a good RNG, Puttygen just isn't using it. – Swashbuckler Feb 19 '19 at 22:01
  • @Swashbuckler: Windows has a closed-source RNG. For some that automatically disqualifies it from being a good RNG. – Lie Ryan Feb 20 '19 at 01:36
  • @LieRyan: although the catastrophically bad RNG in the Debian 'weak-key' version of OpenSSL was not only enabled but mainly caused by being open-source. malan: if you want you can use (a port/build of) OpenSSL on Windows to generate OpenSSH-compatible private keys with no manual input, which puttygen can convert to PPK with only a few keystrokes plus the passwords. – dave_thompson_085 Feb 20 '19 at 04:43
  • @dave_thompson_085: The Debian OpenSSL fiasco was despite it being open source, rather than because of it. If a similar thing happens in proprietary software, it'll likely just never be discovered at all. Open source is a necessary, but not a sufficient condition for a really secure system. – Lie Ryan Feb 20 '19 at 07:41
  • Your entropy will be so high if you use a hi-res display, do it. – user2497 Feb 21 '19 at 16:39
  • @user2497 So far as I can tell you can't increase the size of the window. That was the first thing I wanted to do. Lol. – mas Feb 21 '19 at 19:14
  • @LieRyan: if openssl had been delivered closed the Debian packager would never have seen the compiler diagnostic that led them to cause the bug, plus would not have been able to create the bug. I call that 'because'. (Of course Debian by policy wouldn't have used something closed in the first place.) There are lots of 'despite's, e.g. Heartbleed where the problem was created in the project but no one inside or outside detected it. Many vulns are found and fixed in closed source, some but not all before exploitation, so 'necessary' is demonstrably nonsense. 'helpful' probably. – dave_thompson_085 Feb 24 '19 at 23:55
  • ... although nowadays a _lot_ of vulns are found with automatic methods like ASAN and fuzzers, which don't depend on the source at all. – dave_thompson_085 Feb 25 '19 at 00:03

3 Answers

8

is swirling the mouse around in a little area sufficiently random to generate a good SSH-RSA key?

Yes, it is. Nobody can predict how you move the mouse, and even if you are asked to copy a pattern, you won't be able to.

You don't need to generate the random code elsewhere IF you can be sure that your Windows computer is not infected with malware capable of intercepting the key generation. A freshly installed, disconnected Windows machine is secure enough.

ThoriumBR
4

As of 2019, the answer appears to be simply "we don't know". It is probably fine, though.

This is how Puttygen generates keys:

[A] quick look at the Puttygen source code indicates that it seems to generate private keys solely based on mouse movements. It fills an array with the time of mouse movement events in the even cells and the mouse position in the odd cells, sprinkles some magic shuffling over it, and calls some RSA/DSA/EC* key generator with the array as argument.

In a search for evidence to support or refute the unpredictability of mouse movements, I found nothing. Nobody seems to have conducted any research on the topic.

For now, I would advise using methods which we are quite confident are secure. Modern operating systems provide these (/dev/urandom on Linux and CryptGenRandom in Microsoft Windows), since the entropy has to be gathered from system sources. An individual program has much less opportunity to generate proper randomness, so software should use the system's source of randomness. Software like ssh-keygen does this.

Luc
  • I just realized I can use WSL's ssh-keygen. I don't even have to port it. – mas Feb 20 '19 at 13:20
  • Though now I'm wondering what WSL's /dev/random really is. – mas Feb 20 '19 at 13:23
  • @malan If someone made a virtual `/dev/(u)random` available in Windows, it's probably just a front-end for `CryptGenRandom`. But of course, if it's important to you, be sure to check the documentation! – Luc Feb 20 '19 at 13:27
2

This comes down to how much entropy is in mouse motion and how it is digested to give the key.

I found this post that discusses experiments with mouse movements. It used a smooth mouse motion sampled at irregular intervals that are of course rounded to a whole pixel. It showed that this leads to a Gaussian distribution of acceleration with a few bits of entropy per event. It estimated that a few seconds of movement would generate 128 bits of entropy.

What is remarkable about the experiment in that post is that it is just based on smooth motion. PuttyGen has you waggle your mouse around. That will give some unpredictable values. If you had thousands of volunteers waggle a mouse and ran each trace through, say, SHA256, you wouldn't expect any predictability.

Another answer says that PuttyGen runs its mouse trace through a cryptographic key generator algorithm. We can expect that to make good use of the entropy in the trace. So it seems like a satisfactory approach.

Update: It occurs to me that we are used to applications using /dev/urandom, so it seems suspicious that PuttyGen uses mouse movements. Yet very few systems have hardware random number generators; the standard mechanism for pseudo random numbers is to sample noise from device drivers and then hash that. Given that sampling a smooth mouse movement generates noise, and a user waggling it gives unpredictability, PuttyGen is simply doing something equivalent to typical secure random number generators. Why? Either they don't trust Windows to do what Linux does, or they don't trust Windows to hide official random numbers from attackers, or they suspect an attacker might be able to replace the official source with a predictable one. There are probably a huge number of cases where a user wouldn't bother to help generate unobservable pseudo random numbers. So PuttyGen is a special case of a high paranoia scenario where the end user will invest time and effort to obtain a secure key.

simbo1905
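The two answers above describe the same pipeline from opposite ends: Luc's quotes a source reading in which PuTTYgen packs event times and mouse positions into an array and hands it to the key generator, and simbo1905's argues that a few bits of entropy per acceleration event, run through a hash such as SHA-256, is enough. The following Python script is an added illustration written for this page, not PuTTYgen's code and not the code from the linked post: it builds a constructed mouse trace from a seeded toy model (so it runs offline), computes per-event Shannon and min-entropy of the pixel accelerations, estimates how many events a 128-bit seed would need under that (optimistic) model, conditions the whole trace into a seed with SHA-256 in the even/odd time-and-position layout the quoted source description mentions, and shows the one-line alternative Luc recommends, the OS generator via os.urandom (which on Windows is backed by the system CSPRNG). The function and variable names are this example's own.

```python
import hashlib
import math
import os
import random
from collections import Counter


def make_trace(n=400, seed=1):
    """Constructed sample: (time_ms, x, y) mouse events from a seeded toy model.

    Not real PuTTYgen input. Irregular sampling intervals and random jerks in
    velocity stand in for a user "waggling" the mouse around the window.
    """
    rng = random.Random(seed)
    t, x, y, vx, vy = 0, 200, 150, 0.0, 0.0
    events = []
    for _ in range(n):
        t += rng.randint(8, 40)          # irregular interval between events
        vx += rng.gauss(0, 3)            # jerky change of velocity
        vy += rng.gauss(0, 3)
        x = int(round(x + vx))           # rounded to whole pixels
        y = int(round(y + vy))
        events.append((t, x, y))
    return events


def accelerations(events):
    """Second differences of pixel position: the per-event quantity the linked
    post treats as Gaussian noise."""
    acc = []
    for i in range(2, len(events)):
        (_, x0, y0), (_, x1, y1), (_, x2, y2) = events[i - 2:i + 1]
        acc.append((x2 - 2 * x1 + x0, y2 - 2 * y1 + y0))
    return acc


def shannon_entropy_per_event(samples):
    """Histogram estimate of H = -sum p log2 p over the observed values."""
    counts = Counter(samples)
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def min_entropy_per_event(samples):
    """-log2 of the most likely value; the figure that matters for a seed,
    since an attacker guesses the most probable outcomes first."""
    counts = Counter(samples)
    return -math.log2(max(counts.values()) / len(samples))


def events_needed(samples, target_bits=128):
    """How many events this model needs for target_bits of min-entropy.

    Caveat: the histogram treats events as independent and identically
    distributed, which real mouse traces are not, so this is a lower bound
    on what a careful collector should demand, not a guarantee."""
    return math.ceil(target_bits / min_entropy_per_event(samples))


def condition_trace(events, out_len=32):
    """Hash the raw trace into a seed (the hashing step simbo1905 describes).

    The buffer alternates an event time with its packed position, mirroring the
    even/odd array layout in the quoted source description; the exact layout is
    immaterial, as the hash absorbs all of it either way."""
    buf = bytearray()
    for t, x, y in events:
        buf += t.to_bytes(8, "little")                       # even cell: time
        buf += x.to_bytes(4, "little", signed=True)          # odd cell: position
        buf += y.to_bytes(4, "little", signed=True)
    return hashlib.sha256(bytes(buf)).digest()[:out_len]


def system_seed(out_len=32):
    """What ssh-keygen-style tools do instead: ask the OS CSPRNG."""
    return os.urandom(out_len)


if __name__ == "__main__":
    trace = make_trace()
    acc = accelerations(trace)
    print("events:", len(trace))
    print("Shannon entropy/event: %.2f bits" % shannon_entropy_per_event(acc))
    print("min-entropy/event:     %.2f bits" % min_entropy_per_event(acc))
    print("events for 128 bits (toy model):", events_needed(acc))
    print("mouse-derived seed:", condition_trace(trace).hex())
    print("OS-derived seed:    ", system_seed().hex())
```

The min-entropy figure is always at or below the Shannon figure, and it is the one to budget against: it is what limits an attacker who replays the most common accelerations first. The script also makes the trade-off in the thread concrete: the mouse path only has to beat an observer who cannot see the pointer, while os.urandom only has to trust the OS, and neither helps on a machine that is already compromised.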