Collecting additional entropy for static key generation

[DavisNT]

I think that allowing users to collect additional entropy (from keyboard) while generating static key files would lessen chances of any predictable PRNG output in static key files.

Is such feature welcome by OpenVPN developers?

I would like to create a Pull Request in GitHub that would introduce a new command line option for --genkey that would inside write_key_file() collect some amount of data from stdin and (using SHA) mix it with output of generate_key_random().

[maikcat]

collecting additional entropy f.e from mouse movement (like puttygen) i believe it does makes sense...

but,creating keys in linux, via ssh (cli), it doesnt seem to me that it will produce much additional entropy
by waiting for the user to press some keys....

just my opinion,

Michael

[DavisNT]

I think that level of entropy depends on what would the users type (e.g. "gghgjgjh" or string from their favorite password generator padded by an old password and some keystrokes). Also some key stretching could be added to make this input harder to guess.
Actually a better definition would be "additional processing of random data", instead of "additional entropy", because main goal of this would be providing additional layer of security in case there would be found any vulnerabilities in PRNG of SSL library.