Slashdot Mirror


Loophole in Windows Random Number Generator

Invisible Pink Unicorn writes "A security loophole in the pseudo-random number generator used by Windows was recently detailed in a paper presented by researchers at the University of Haifa. The team found a way to decipher how the number generator works, and thus compute previous and future encryption keys used by the computer, and eavesdrop on private communication. Their conclusion is that Microsoft needs to improve the way it encodes information. They recommend that Microsoft publish the code of their random number generators as well as of other elements of the Windows security system to enable computer security experts outside Microsoft to evaluate their effectiveness. Although they only checked Windows 2000, they assume that XP and Vista use similar random number generators and may also be vulnerable. The full text of the paper is available in PDF format."

305 comments

  1. 31784 by FooAtWFU · · Score: 4, Funny

    129775, 80123133, 5580012. 6740091, 6558, 42!

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
    1. Re:31784 by Spokehedz · · Score: 2, Funny

      All I get on mine is '8675309'

      Damn you Johnny Two-Tone!

    2. Re:31784 by jejones · · Score: 2, Funny

      RANDU! Save us, RANDU!

      Oh, wait, that was Landru.

    3. Re:31784 by Anonymous Coward · · Score: 0

      Loophole in Windows RNG.
      Is it because Windows doesn't complete a whole loop when generating the random number?

    4. Re:31784 by l1gunman · · Score: 3, Informative

      I'm surprised nobody posted this one yet:

      As John von Neumann joked, "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin."

    5. Re:31784 by LoyalOpposition · · Score: 1

      I believe it was Knuth who said that.

      --
      I aim to misbehave.
    6. Re:31784 by CrazedWalrus · · Score: 1

      129775, 80123133, 5580012. 6740091, 6558, 42?

      Sounds like the combination an idiot would have on his luggage!

    7. Re:31784 by l1gunman · · Score: 1

      Every reference to that quote I've ever read attributes it to Von Neumann. (But it's spot on, regardless.)

    8. Re:31784 by bulliver · · Score: 1

      Damn you Johnny Two-Tone!

      Johnny? Surely you mean Tommy

      --
      Support the mob or mysteriously disappear.
    9. Re:31784 by Anonymous Coward · · Score: 0

      Yep, my XP machines are perfectly capable of bluescreening randomly...

    10. Re:31784 by Tolkien · · Score: 1

      Nine Nine Nine Nine Nine Nine...

    11. Re:31784 by KnuthKonrad · · Score: 1

      No, not that I'm aware of ... ;-)

  2. Hardware RNG by CRCulver · · Score: 3, Interesting

    I assume this is only a problem for those whose motherboard doesn't have a hardware random-number generator?

    1. Re:Hardware RNG by $RANDOMLUSER · · Score: 5, Insightful

      Now why would you assume Microsoft would use the hardware RNG when they have their own, much better, proprietary RNG available?

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    2. Re:Hardware RNG by thePsychologist · · Score: 4, Insightful

      It might only be a problem for 2000 users:

      According to the researchers, who have already notified the Microsoft security response team about their discovery, although they only checked "Windows 2000" (which is currently the third most popular operating system in use) they assume that newer versions of "Windows", XP and Vista, use similar random number generators and may also be vulnerable.
      --
      "What lies behind us, and what lies before us are tiny matters compared to what lies within us." Ralph Waldo Emerson
    3. Re:Hardware RNG by defnoz · · Score: 5, Funny

      Now why would you assume Microsoft would use the hardware RNG when they have their own, much better, proprietary RNG available?
      After all, they spent so much time perfecting it in Excel 2007!
    4. Re:Hardware RNG by dlenmn · · Score: 1

      I recall that the Pentium III has a hardware random number generator built in (http://www.techweb.com/wire/story/TWB19990120S0017), but I wasn't aware that motherboards have them (in the chipset? Where would they be?). Do newer CPUs have them as well, or did they give up on them (along with the serial numbers in the PIIIs)?

    5. Re:Hardware RNG by thePsychologist · · Score: 4, Insightful

      This is classic behaviour on Slashdot. I point out this might not be as big of a problem as it seems (as they only tested Windows 2000, and not XP or Vista, both combined are far more used than 2000), and I'm modded as troll, only because (I presume) that I'm providing evidence that a problem with Microsoft isn't as serious as it seems (i.e. I'm getting in the way of MS bashing).

      --
      "What lies behind us, and what lies before us are tiny matters compared to what lies within us." Ralph Waldo Emerson
    6. Re:Hardware RNG by somersault · · Score: 5, Funny

      Yeah because every time Windows is updated, it's a really high priority to write a new random number generator? XP is based off of 2000 even if Vista was meant to be a rewrite.

      "Hey guys, I don't think the random number generator is random enough today - it came up with 2 prime numbers in a row! Anyone feel like taking a few days to rewrite it, test it, introduce a few bugs, document it, seal off the documentation to make sure nobody finds it, and go take it up to Steve? I hear he's out of chairs right now so it should be okay".

      --
      which is totally what she said
    7. Re:Hardware RNG by larry+bagina · · Score: 3, Funny

      intel's fpu is a random number generator (unintentionally).

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    8. Re:Hardware RNG by Tim+Browse · · Score: 3, Interesting

      Unfortunately, some people might believe that's really how it happens. Cryptographically secure RNGs are a widely known issue in the field (hell, even I know about it, and I'm not in the field), and you can be sure that the Crypto programmers at MS are at least aware of the issue. It wouldn't surprise me, at any rate, if implementing a new RNG had been considered a priority for XP or Vista if they had discovered the existing one to be vulnerable.

      If they had time in between cocking up all the WGA stuff, that is.

    9. Re:Hardware RNG by Goaway · · Score: 5, Funny

      What is this, "proof by sarcasm"?

    10. Re:Hardware RNG by operagost · · Score: 2, Funny

      I recently discovered that Windows is not Y2K compliant! Although I only checked Windows 3.1, I assume that newer versions of Windows, 2000, XP, and Vista, use similar 2-digit dates and may also be vulnerable.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    11. Re:Hardware RNG by operagost · · Score: 1

      What is this, 1997? They had an FPU bug in the Pentium 60-90 MHz processors. I guess you still make jokes about exploding Pintos and wheelbarrows full of Weimar Deutschmarks, too.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    12. Re:Hardware RNG by Belial6 · · Score: 4, Insightful

      You actually didn't provide any evidence that the problem doesn't affect XP or Vista, you just suggested that the two newer versions should be trusted immediately after finding out that 2000 has a bug in an unlikely to be updated part of the system. The non-troll way of highlighting this information would be:

      That is a problem. I am eagerly awaiting the tests of XP and Vista to see if this was fixed for them.

      You could probably even slip a little bias in there without being called a troll with:

      They are going to test with XP and Vista aren't they? After all, it should be trivial to test this on the newer systems if the cryptography hasn't been changed. I mean what kind of security researcher just assumes the functionality of a security system?

      Of course, it would be a little silly to assume that this does not affect at least XP, as 2000 was still under maintenance when XP was released, so if the bug was found during the development of XP, it should have been fixed in 2000. It would look far worse for Microsoft if they KNEW about a security hole in 2000 while it was still under maintenance, and did not bother to back port the fix from XP.
    13. Re:Hardware RNG by Schraegstrichpunkt · · Score: 1

      No. Read the paper, which states, inter alia (yes, I just learned that phrase this week):

      We analyze the way in which the operating system uses the WRNG and note that a different copy of the WRNG is run, in user-mode, for every process, and that typical invocations of the WRNG are seldom refreshed with additional entropy. Therefore, the backward and forward security attacks, which only work while there is no entropy based rekeying, are highly effective. Furthermore, we also found that part of the state of the generator is initialized with values that are rather predictable.
    14. Re:Hardware RNG by lgw · · Score: 4, Informative

      Windows RNG collects "entropy" (that is, non-pseudo-randomness) from many sources, including drive timing, network timing, keyboard and mouse timing, temperature information, etc. However, there are only so many "really random" bits per second available.

      Any good RNG combines sources of entropy with a cryptographically secure PRNG. The researchers are attacking the PRNG portion of the Windows RNG. If you only generate keys (or other random numbers) infrequently, this is a non-issue, as the hardware sources of entropy provide enough "really random" bits to generate a "really random" number.

      However, if you generate a fast series of keys (or other random numbers), you quickly use up all of the "really random" bits that the RNG has cached, and you only have the PRNG on your side, and therefore the key is merely "pseudo random". TFA is an attack on the "pseudo random" portion of the Windows RNG.

      Interestingly, the much-reviewed TrueCrypt engine seems to slow to a crawl if you create a bunch of files (and therefore keys) in a hurry - presumably it has an RNG that actually blocks waiting until it has enough new "really random" bits for each new key. This is a cool idea for a crypto library, but not usable for a general-purpose RNG, which suggests that the system libraries should probably provide *two* RNGs.

      --
      Socialism: a lie told by totalitarians and believed by fools.
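      The entropy-pool-plus-PRNG split lgw describes, and the paper's point quoted by Schraegstrichpunkt above (a generator that is seldom refreshed with entropy is open to backward and forward attacks once its state is known), as an added toy illustration in Python. This is constructed example code, not the Windows RNG's algorithm and not code from the paper; the class names, seeds and "entropy" bytes are all assumptions.

```python
"""Toy model of PRNG state handling: an invertible state update lets a
state snapshot reveal past outputs; a one-way ratchet prevents that, and
reseeding with fresh entropy limits how long future outputs stay predictable.
Constructed example; not the Windows RNG's algorithm (names are hypothetical)."""
import hashlib


def H(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256, used here as the one-way function."""
    return hashlib.sha256(tag + b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Public constant used by the weak design's state update (constructed value).
STEP_CONST = bytes(range(32))


class InvertibleStepGenerator:
    """Constructed weak design: outputs are hashed from the state, but the
    state update (XOR with a public constant) is trivially invertible, so a
    state snapshot lets an attacker walk backwards as well as forwards."""

    def __init__(self, seed: bytes) -> None:
        self.state = seed

    def next_output(self) -> bytes:
        out = H(b"out", self.state)
        self.state = xor(self.state, STEP_CONST)  # invertible: xor again
        return out


class RatchetGenerator:
    """Stronger design: the state advances through a one-way hash, so earlier
    states (and outputs) cannot be recomputed from a snapshot. Mixing fresh
    entropy in on reseed stops a snapshot from predicting outputs produced
    after the reseed."""

    def __init__(self, seed: bytes) -> None:
        self.state = seed

    def next_output(self) -> bytes:
        out = H(b"out", self.state)
        self.state = H(b"next", self.state)  # one-way ratchet
        return out

    def reseed(self, entropy: bytes) -> None:
        """Fold fresh entropy into the state. A real system draws this from
        hardware or OS timing sources; here the caller passes constructed bytes."""
        self.state = H(b"seed", self.state, entropy)


def invertible_design_leak(n_outputs: int = 5) -> dict:
    """A state snapshot taken after n outputs lets every earlier output be
    reconstructed (backward attack) and the next one predicted (forward)."""
    gen = InvertibleStepGenerator(seed=b"\x11" * 32)  # constructed seed
    produced = [gen.next_output() for _ in range(n_outputs)]
    snapshot = gen.state
    # Backward: undo the XOR step repeatedly and re-derive each past output.
    state, recovered = snapshot, []
    for _ in range(n_outputs):
        state = xor(state, STEP_CONST)
        recovered.append(H(b"out", state))
    recovered.reverse()
    # Forward: the next output follows directly from the snapshot.
    predicted_next = H(b"out", snapshot)
    return {
        "past_recovered": recovered == produced,
        "future_predicted": predicted_next == gen.next_output(),
    }


def ratchet_design_leak(n_outputs: int = 5, n_until_reseed: int = 3) -> dict:
    """A snapshot of the ratchet generator after n outputs: there is no
    inverse of the hash step to walk backwards with, and the forward
    prediction only holds until the generator is reseeded."""
    gen = RatchetGenerator(seed=b"\x22" * 32)  # constructed seed
    for _ in range(n_outputs):
        gen.next_output()
    clone = RatchetGenerator(seed=gen.state)  # snapshot run forward
    predicted = [clone.next_output() for _ in range(n_until_reseed)]
    actual = [gen.next_output() for _ in range(n_until_reseed)]
    gen.reseed(b"constructed fresh entropy")  # timing jitter etc. in a real pool
    return {
        "future_predicted_until_reseed": predicted == actual,
        "future_predicted_after_reseed": clone.next_output() == gen.next_output(),
    }


if __name__ == "__main__":
    print("invertible design:", invertible_design_leak())
    print("ratchet design:   ", ratchet_design_leak())
```

      The two dicts show the difference lgw's "two RNGs" remark hinges on: without a one-way step and periodic entropy mixing, one state snapshot is enough to recover everything the generator ever produced.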
    15. Re:Hardware RNG by MrAnnoyanceToYou · · Score: 2, Funny

      This is the Internet. Proof by sarcasm is the most defensible kind.

    16. Re:Hardware RNG by Bert64 · · Score: 2, Interesting

      A new RNG is not really a selling point, the only way it will help their bottom line is if enough people know about flaws in the old one that it's profitable to replace it.
      Look at it from a business perspective, microsoft will.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    17. Re:Hardware RNG by EsbenMoseHansen · · Score: 3, Funny

      Interestingly, the much-reviewed TrueCrypt engine seems to slow to a crawl if you create a bunch of files (and therefore keys) in a hurry - presumably it has an RNG that actually blocks waiting until it has enough new "really random" bits for each new key. This is a cool idea for a crypto library, but not usable for a general-purpose RNG, which suggests that the system libraries should probably provide *two* RNGs.

      Brilliant idea! Let's call one of them /dev/urandom and the other one /dev/random. ;)
      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    18. Re:Hardware RNG by somersault · · Score: 5, Funny

      I prefer to call it Sarca'm's Razor

      --
      which is totally what she said
    19. Re:Hardware RNG by Bert64 · · Score: 1

      It's fairly common for fixes not to be back ported...
      Microsoft don't want to admit a problem exists unless they have to... A lot of issues got fixed in vista which never went public as vulnerabilities.
      When a patch is released, blackhats will reverse engineer it to find out what was patched and write exploits, since many people won't install the patches. This is made worse if it's a silent patch where it was never disclosed what was being patched (often several patches will be bundled together but not all of them will be admitted to).
      It's much harder to do the same with vista, because so much other stuff has been changed and/or recompiled with a newer compiler etc. Very few of the binaries are the same.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    20. Re:Hardware RNG by Shados · · Score: 1

      Maybe not XP, but Windows Server 2003 (and Vista, since it's based on it), definitely.

      Windows Server 2003 compared to 2000, security wise, is like 2000 compared to ME...

    21. Re:Hardware RNG by Anonymous Coward · · Score: 0

      It is important to note that Windows 2000 was written prior to the export laws on cryptography being relaxed. This is why, by default, Windows 2000 could only use 40-bit SSL encryption. You had to install a separate cryptography pack available only to certain countries in order to expand the cryptography system.

      Windows XP was the first to fully integrate high bit CSP and there has been a bit of work between XP and 2003 on cryptography as well. So to claim that because 2000 is vulnerable that XP, 2003 and Vista must be vulnerable is very premature.

    22. Re:Hardware RNG by Bert64 · · Score: 2, Insightful

      Funny you should mention that, windows has a really kludgy way of handling dates beyond 2000... It basically still uses a 2 digit date, and defines an arbitrary split point, eg:
      Dates below 70 are considered in the year 2000, over 70 are considered in the 1900s.

      Excel also has some stupid bugs to do with dates, which microsoft are now trying to enshrine in the ooxml format.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    23. Re:Hardware RNG by mrsteveman1 · · Score: 1

      That's true, and if you have a newer version of that RNG available in a newer version of Windows, right around the time that vulnerability is disclosed, you are able to influence purchasing decisions to your advantage.

    24. Re:Hardware RNG by mashade · · Score: 2, Informative

      Brilliant idea! Let's call one of them /dev/urandom and the other one /dev/random.
      /dev/urandom is the PRNG while /dev/random is the true RNG. In other words, exactly the same as on Windows, save for device names.

      http://en.wikipedia.org/wiki/Urandom
      --
      Technology tips and tricks.
    25. Re:Hardware RNG by Brian+Gordon · · Score: 1

      Wait, why is virtualpc.exe running? Let's see- a Pentium running Windows 95 with Calculator open.. oh, it's just generating a random key for my SSL connection.

    26. Re:Hardware RNG by Anonymous Coward · · Score: 0

      I smell an excellent Slashdot car analogy coming soon to a post near you.

    27. Re:Hardware RNG by Smidge204 · · Score: 1

      You're right. All those ads about it being "More secure" would be for naught if they actually... oh wait.

      That said, I use 2K exclusively and suggest it highly to everyone who asks... so I'll be keeping an eye out for a hotfix (that will, sadly, take forever if it comes out at all)
      =Smidge=

    28. Re:Hardware RNG by yahooadam · · Score: 1

      "You actually didn't provide any evidence that the problem doesn't affect XP or Vista"
      On that note, the article didn't provide any evidence that it DID affect XP/Vista

      By this/your/some reasoning, I could argue that bugs in GCC3 affect GCC4

    29. Re:Hardware RNG by webview · · Score: 1

      Yeah because every time Windows is updated, it's a really high priority to write a new random number generator?

      In Microsoft's case, yes. They just want to be sure that numbers generated with their previous versions won't be generated again.

    30. Re:Hardware RNG by lgw · · Score: 1

      If there's a Windows equivalent of the modern (blocking) /dev/random, I don't know what the call is. I'd love to learn, however. I wonder whether the TrueCrypt folks rolled their own for the Windows implementation.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    31. Re:Hardware RNG by trifish · · Score: 0, Flamebait

      Who were the idiots who modded that as flamebait and troll? I'm going to take care of you when I have meta-mod points. Hopefully, you won't moderate again.

    32. Re:Hardware RNG by ppc_digger · · Score: 2, Interesting

      Actually, Windows NT uses UNIX timestamps internally. I haven't read any formal documentation regarding this, but if you look in the registry, at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate you'll see a dword containing a standard UNIX timestamp.

      --
      Of all major operating systems, UNIX is the only one originally meant for gaming.
    33. Re:Hardware RNG by lgw · · Score: 1

      Sorry, forgot the tag there. I don't think Windows has figured this out yet, (though I might just be unaware of some Windows library call).

      Of course, the Linux /dev/random also has weaknesses, but not ones so embarrassing as this.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    34. Re:Hardware RNG by Anonymous Coward · · Score: 0

      Uhm... duh?!

    35. Re:Hardware RNG by ewanm89 · · Score: 1

      00:00 01/01/1970 being the UNIX epoch???

    36. Re:Hardware RNG by Anonymous Coward · · Score: 0

      Then what if you want to install it in february 2038?

    37. Re:Hardware RNG by thebdj · · Score: 4, Insightful

      A new RNG is not really a selling point, the only way it will help their bottom line is if enough people know about flaws in the old one that it's profitable to replace it.

      Actually it can be, since it would be necessary to use a FIPS compliant PRNG to perform certain operations, they would need to have one. I suspect (see my other posts) that this is from a deprecated cryptographic service provider that MS no longer provides (DSS_BASE). If you check out the information on the CMVP website for the RNG Validation Lists, you will see they implement FIPS 186-2 PRNGs, which the paper itself admits (Appendix B) has some forward security and is not the PRNG they are attacking here.

      --
      "Some days you just can't get rid of a bomb."
    38. Re:Hardware RNG by yukk · · Score: 5, Funny

      What makes you think that MS has "Crypto programmers" ? I'm sure that part of development went something like this.
      Okay, module 14537r Random Number Generator. Teams, who wants to do this? No, it's not boring. Come on. Okay, draw straws. Jones, you win. Yes, sure you can get the intern to write it. You carry on with the Clippy enhancements.

      --
      The trouble with the rat race is that even if you win, you're still a rat." Lily Tomlin
    39. Re:Hardware RNG by SirCodeAlot · · Score: 1

      Actually, since a new RNG is one of the big features for VC++ due out at the end of the month, who's to say they didn't realize it in their OS as well?

    40. Re:Hardware RNG by Anonymous Coward · · Score: 1, Informative

      (P)RNGs are *crucial* to any cryptographic operation that draws its entropy from it. Since it is such a basic functionality and so important to security, it is critical to do this right. The DNS cache poisoning attack http://www.securiteam.com/securitynews/5VP0L0UM0A.html is all about bad implementation of PRNG.

      The big problem that I see is, that it seems that Microsoft did not give the correct implementation of PRNG the importance it should have.

    41. Re:Hardware RNG by larry+bagina · · Score: 1

      Sorry. In soviet russia, beowulf cluster of intel fpus imagine you running linux!

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    42. Re:Hardware RNG by Lord+Ender · · Score: 0, Troll

      1) Post a comment that is obviously not a troll.
      2) Log in with your other account and mod yourself "-1 Troll."
      3) Log back in and post a complaint about the oppressive moderation system.
      4) Watch as both of your comments get modded to +5.
      5) ???
      6) Karma += 8

      or another way to look at it...

      Axiom: Any sufficiently large number of people will contain some number of idiots.
      Proposition: The slashdot moderator pool contains a sufficiently large number of people.
      Conclusion: This is normal and expected--stop whining and man up, Nancy!

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    43. Re:Hardware RNG by EsbenMoseHansen · · Score: 1

      Brilliant idea! Let's call one of them /dev/urandom and the other one /dev/random.
      /dev/urandom is the PRNG while /dev/random is the true RNG. In other words, exactly the same as on Windows, save for device names.

      http://en.wikipedia.org/wiki/Urandom

      Well, I knew that, and most linux folks do, but thank you for telling anyway. However, if the guy I replied to is correct, the windows /dev/random does not block if insufficient entropy is available. The only windows I use are the ones used to keep the heat in, though, so I wouldn't know personally.
      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    44. Re:Hardware RNG by Anonymous Coward · · Score: 0

      Did you try the patch? My Win 3.1 is Y2K compliant.

    45. Re:Hardware RNG by Anonymous Coward · · Score: 0

      And why exactly is hardware to be trusted?

    46. Re:Hardware RNG by Anonymous Coward · · Score: 3, Informative

      Windows NT uses several formats: SYSTEMTIME (field separated structure), FILETIME (64-bit NTFS time timestamps), 64-bit posix-like timestamps, etc., all of which are fine *far* beyond the 2048 32-bit Posix boundary. Just because the value you found doesn't have leading zeros doesn't mean it is processed as smaller than 64-bits.

      Maybe you should read some formal documentation before posting.

      sigh

    47. Re:Hardware RNG by nschubach · · Score: 1

      Normally bugs don't get fixed unless they break. If you work in the software industry you know this. Once the code is out there (and XP is from most accounts, the same kernel as 2K) nobody ever goes back to "double check verify" that it's actually the right way to do it.

      It's a logical guess at this point, but there was no call to update the RNG because nobody complained about it until now.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    48. Re:Hardware RNG by GrievousMistake · · Score: 1

      Sure, why not? They do seem to find the time to update whatever RNG they use in the MS Word layout engine between versions.

      --
      In a fair world, refrigerators would make electricity.
    49. Re:Hardware RNG by Burz · · Score: 2, Informative

      Don't know about Windows' implementation, but the PRNGs I'm familiar with do not use up all of the cached entropy in one gulp. The entropy is used as seed values for the pseudo-random algorithm, giving you more "random" bits than you started with.

      Interestingly, the much-reviewed TrueCrypt engine seems to slow to a crawl if you create a bunch of files (and therefore keys) in a hurry - presumably it has an RNG that actually blocks waiting until it has enough new "really random" bits for each new key.

      This isn't how TC behaves on Linux at all, and I would doubt that description anyway. Generating new keys as files are written? I don't think so.

    50. Re:Hardware RNG by Anonymous Coward · · Score: 0

      There, feel better now, el squeako wheelo?

    51. Re:Hardware RNG by kc2keo · · Score: 1

      I originally read your comment as: "I assume this is only a problem for those whose mothership doesn't have a hardware random-number generator?"

    52. Re:Hardware RNG by Anonymous Coward · · Score: 0

      Lol, is Slashdot moderated by the Chinese now? Any inconvenient truth seems to be modded flamebait or troll.

    53. Re:Hardware RNG by plague3106 · · Score: 1

      You're assuming they didn't create another algorithm. It's entirely possible they did. We don't know; so making an assumption either way is pretty foolish. All that is certain is that 2000 is affected, and people concerned should act only on that fact.

    54. Re:Hardware RNG by plague3106 · · Score: 1

      Of course you realize this only applies to dates where only two digits are specified, such as a CSV file, older Excel sheets, etc.

    55. Re:Hardware RNG by nschubach · · Score: 1

      Look at it this way though. If you assume that XP is all fine and dandy, you're leaving yourself open for someone to try. When dealing with security, it's best to assume the worst scenario. If you think nobody will try to use it, you're asking to be infiltrated. If I were in the security field, I'd put a big red warning on it and at least investigate it.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    56. Re:Hardware RNG by Belial6 · · Score: 1

      I do work in the software industry. I'm not complaining that there is a bug. I understand that you don't do a lot of review of existing code that has already left quality control. I am just pointing out why it is very likely that if the bug is in 2000, it is also very likely in XP. The reason is that I, and every responsible developer I know (when management allows), when faced with a security bug in code that is used across multiple products, will go and make the fix in all affected products.

    57. Re:Hardware RNG by ArsonSmith · · Score: 1

      And they very well could.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    58. Re:Hardware RNG by plague3106 · · Score: 1

      Well, others here have claimed that the number gen was rewritten for Xp and Vista. I never said it shouldn't be checked out on those systems.

      So, what do you suggest to protect against this potential threat that already isn't in place? How much will it cost in time / money? Will that investment be worthwhile if the investigation proves XP and Vista AREN'T affected?

      Its not as simple as you make it out to be.

    59. Re:Hardware RNG by XavidX · · Score: 1

      Very true. I mean if something does its job perfectly well why change it. It's like recreating the wheel.

      Of course perhaps now it has some reason to change

    60. Re:Hardware RNG by d34thm0nk3y · · Score: 1

      Dictionary.com Unabridged (v 1.1) - Cite This Source - Share This
      might /mat/ Pronunciation Key - Show Spelled Pronunciation[mahyt] Pronunciation Key - Show IPA Pronunciation
      -auxiliary verb
      1. pt. of may1.
      2. (used to express possibility): They might be at the station.

    61. Re:Hardware RNG by Mister+Whirly · · Score: 1

      Didn't seem to work for you so well though, did it?

      --
      "But this one goes to 11!"
    62. Re:Hardware RNG by MrNiceguy_KS · · Score: 1

      This being Microsoft, they'll just put chrome rims with shiny spinning bits on the existing wheels...

      which are square.

      --
      Redundancy is good And also good.
    63. Re:Hardware RNG by Mister+Whirly · · Score: 1

      I rear-ended my Pinto with a wheelbarrow full of Weimar Deutschmarks and it exploded you insensitive clod!

      --
      "But this one goes to 11!"
    64. Re:Hardware RNG by Lord+Ender · · Score: 1

      Are you kidding? I've been at the karma cap since before it existed. I remember the dramatic exodus of sig11. I don't give a crap about karma, anymore. Mod me down.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    65. Re:Hardware RNG by Mister+Whirly · · Score: 1

      Heh, I don't give a crap about karma period. In real life or Slashdot, both are about equally useful as plausible.

      --
      "But this one goes to 11!"
    66. Re:Hardware RNG by Keith_Beef · · Score: 2, Funny

      Like a strong Brownian motion producer (say, a cup of hot tea)?

      Beef.

    67. Re:Hardware RNG by Anonymous Coward · · Score: 1, Funny

      It might only be a problem for 2000 users

      Only 2000 users, eh?

      I think there are more Amiga users online than that, so can't be much of a security issue. :P
    68. Re:Hardware RNG by Sam+Ritchie · · Score: 1

      you can be sure that the Crypto programmers at MS are at least aware of the issue

      Yes, for instance, you'd think they would instruct .NET developers to use System.Security.Cryptography.RNGCryptoServiceProvider instead of System.Random, in their .NET secure coding practices.

      It's a shame other coding teams at Microsoft evidently don't follow their advice.

      --
      This sig is false.
    69. Re:Hardware RNG by DamnStupidElf · · Score: 1

      Interestingly, the much-reviewed TrueCrypt engine seems to slow to a crawl if you create a bunch of files (and therefore keys) in a hurry - presumably it has an RNG that actually blocks waiting until it has enough new "really random" bits for each new key. This is a cool idea for a crypto library, but not usable for a general-purpose RNG, which suggests that the system libraries should probably provide *two* RNGs.

      Older versions of truecrypt used CBC with IVs generated directly from the sector number, without sector-specific keys or IVs. Newer versions use LRW which also does not use sector specific keys and derives the IV from the sector number in a secure fashion. The entire volume is encrypted with a single key (or two with LRW, and only if you're not cascading ciphers), so I would look elsewhere for your performance issue. It may just be Windows sucking at creating new files, since the file-system layer is independent of TrueCrypt and just uses it as a raw device.

    70. Re:Hardware RNG by drsmithy · · Score: 1

      [...] (and XP is from most accounts, the same kernel as 2K) [...]

      You shouldn't rely on Slashdot for technical information about Windows.

    71. Re:Hardware RNG by Kalriath · · Score: 1

      Correction there, Vista is not based on Server 2003. Vista is based on Server 2008. XP is based on Server 2003.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    72. Re:Hardware RNG by Kalriath · · Score: 1

      Well, Slashdot still makes jokes about Ballmer and chairs, so yes, those jokes are probably still used.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    73. Re:Hardware RNG by Shados · · Score: 1

      Originally, the version of Vista that was to come out a long time ago (2003-2004 or something like that) was based on Windows XP's codebase, but as development lagged, they almost completely scrapped it and started over using Server 2003 as a base. From that enhanced Windows Server 2003, they built 2008. So while not quite correct, it would be closer to say Windows Server 2008 is based on Vista, not the other way around (since as I said, Vista was built on top, based on, the Server 2003 code).

    74. Re: Hardware RNG by Dolda2000 · · Score: 1

      Did you actually read the Wikipedia article you linked to? It says the following about /dev/urandom:

      A counterpart to /dev/random is /dev/urandom ("unlimited" random source) which reuses the internal pool to produce more pseudo-random bits. This means that the call will not block, but the output may contain less entropy than the corresponding read from /dev/random.

      Indeed, it is a PRNG, but it uses ("reuses") the actual entropy pool to seed the algorithm. In other words, it is still random, only less so than /dev/random, if entropy is not generated fast enough. Indeed, the quote explicitly says that it "may contain less entropy" (emphasis mine).

      In other words, random and urandom are exactly what the GGP suggested: one actually secure, where every bit is guaranteed a certain amount of entropy, and one less secure, where entropy is compromised for speed.

    75. Re: Hardware RNG by mashade · · Score: 1

      Yes, I read it. It's still a PRNG though, and it's still the same way Linux and Windows do it. I'm not being contrary.

      --
      Technology tips and tricks.
    76. Re:Hardware RNG by ichigo+2.0 · · Score: 1

      After all, in 1985 plutonium should be available in every corner drugstore.
      The plutonium was not bought from a drugstore, it was stolen from Libyan terrorists. Your geek card is hereby revoked. Have a nice day.
    77. Re:Hardware RNG by Calinous · · Score: 1

      I don't really follow Microsoft's updates. However, from what I remember, many of them (if not most of them) affect Windows 2000, XP and 2003.
      While Vista might be free from this problem, I'd bet my money on XP having it.

    78. Re:Hardware RNG by woolio · · Score: 1

      Interestingly, the much-reviewed TrueCrypt engine seems to slow to a crawl if you create a bunch of files (and therefore keys) in a hurry - presumably it has an RNG that actually blocks waiting until it has enough new "really random" bits for each new key. This is a cool idea for a crypto library, but not usable for a general-purpose RNG, which suggests that the system libraries should probably provide *two* RNGs.

      Lol. Linux has /dev/urandom and /dev/random (the second is blocking). I've been bitten on some headless systems where there was not enough entropy to prevent the thing from blocking. (This is an issue that probably has been fixed by now either in the kernel, or perhaps some distros use /dev/urandom.)

    79. Re:Hardware RNG by Anonymous Coward · · Score: 0

      As opposed to the linux method, which isn't at all kludgy, but will break anyway in 2034 ... at least windows gave us another 36 years before it happens :-(

    80. Re:Hardware RNG by lgw · · Score: 1

      IVs don't really need to be random or secret, just different, so that makes sense. But I thought TrueCrypt generated per-file symmetric keys? Maybe I'm confusing this with Windows encryption.

      The performance difference between the same large-number-of-files action with and without TrueCrypt is striking, and both the drive and CPU are mostly idle when TrueCrypt is crawling, just the behavior you'd expect if it were blocking on "entropy". It's bad enough that I limit my use of TrueCrypt to financial and personal documents.

      Of course, it could always be some weird hardware issue on my box; I haven't played with TrueCrypt professionally.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    81. Re:Hardware RNG by SamMichaels · · Score: 1

      I was referencing the line when 1955 Doc says that plutonium should be available in every corner drugstore.

      Dr. Emmett Brown: I'm sure in 1985 plutonium is available at every corner drugstore, but in 1955 it's a little hard to come by.

      Read: http://imdb.com/title/tt0088763/quotes

      You fail. Have a nice day.

    82. Re:Hardware RNG by ichigo+2.0 · · Score: 1

      Oh snap.

  3. Yer killin' me by $RANDOMLUSER · · Score: 1, Insightful

    They recommend that Microsoft publish the code of their random number generators as well as of other elements of the Windows security system to enable computer security experts outside Microsoft to evaluate their effectiveness.
    AHAHAHAHAHA
    snort. please. stop.
    HA HA HA HA HA HA HA HA
    No. Really. It hurts.
    AHAHAHAHAHAHAHA goomph.
    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:Yer killin' me by ackthpt · · Score: 1

      Seriously. It's a one two comedy punch. If they can't do a secure random number generator, that calls into question the whole damn operating system.

      Perhaps it was the Randumb generator they included.

      --

      A feeling of having made the same mistake before: Deja Foobar
  4. Seed time by EaglemanBSA · · Score: 2, Interesting

    How accurate would they have to be with predicting the generator seed times for the keys to work? Would that be a hitch? I'm not an expert in the field, so I honestly don't know.

    --
    Quiz: True or False -- On a scale of 1 to 10, what is your middle name?
    1. Re:Seed time by EaglemanBSA · · Score: 4, Informative

      Looks like if you can use their method to find the current state fast enough, Windows doesn't do a great job of reseeding very quickly: I read through the PDF and found this comparison of the LRNG to WRNG (p. 18) - "Reseeding timeout. The LRNG is feeding the state with system based entropy in every iteration and whenever system events happen, while the WRNG is reseeding its state only after generating 128 KBytes of output. Synchronization. The collection of entropy in the LRNG is asynchronous: whenever there is an entropy event the data is accumulated in the state of the generator. In the WRNG the entropy is collected only for a short period of time before the state is reseeded. In the long period between reseedings there is no entropy collection. Security implication: The impact of the previous four properties is that forward and backward security attacks are more severe when applied to the WRNG. The attacks are more efficient by twelve orders of magnitude. They reveal the outputs of the generator between consecutive reseedings, and these reseedings are much more rare in the case of the WRNG. In some cases, reseeding the LRNG happens every few seconds, while the WRNG is reseeded every few days, if it is reseeded at all."

      --
      Quiz: True or False -- On a scale of 1 to 10, what is your middle name?
    2. Re:Seed time by Tacvek · · Score: 1

      What Linux RNG are they talking about? My understanding is that the output of /dev/random is fully random under the condition that the kernel has not overestimated the entropy of any of the inputs, and the mixing function works properly.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    3. Re:Seed time by KDR_11k · · Score: 1

      In short: You're doing it WRNG!

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    4. Re:Seed time by Schraegstrichpunkt · · Score: 1

      If somebody reads your RNG state today via /dev/kmem, you don't want them to know what its output was an hour ago, or what it will be in an hour.

  5. Huh? by mrseigen · · Score: 2, Insightful

    Maybe it's just me, but I didn't think anyone would be stupid enough to use rand for SSL like the article is implying.

    From what I can see, this is an old article anyway.

    1. Re:Huh? by Hatta · · Score: 3, Informative

      No, but they might use it for encrypting windows passwords.

      --
      Give me Classic Slashdot or give me death!
    2. Re:Huh? by mrseigen · · Score: 4, Informative

      Whoops -- it's not rand, it's CryptGenRandom.

    3. Re:Huh? by Mantaar · · Score: 5, Funny

      From TFA:

      Date: received 4 Nov 2007

      Old indeed. 8 days. That's a lot, Microsoft might have already fixed it, you see, they fix things fast!

      --
      I'm an infovore...
    4. Re:Huh? by morgan_greywolf · · Score: 2, Funny

      Y4h!! rand() i5 st00p1d!!! my pwn3d SSL add5 up a77 t3h numb3rz in t3h d4t3st4mp!!!

    5. Re:Huh? by plague3106 · · Score: 1

      Honestly they could have already; they ASSUME the same fault is in XP and higher. Not a great assumption.

    6. Re:Huh? by InvisblePinkUnicorn · · Score: 1

      Considering that Windows 2000 is still used by at about as many people as use Vista, I don't think it matters whether they've fixed it in XP or not. They've still got to answer to all the 2000 users.

    7. Re:Huh? by plague3106 · · Score: 1

      No they don't; they EOLed Windows 2000 a while ago, IIRC.

    8. Re:Huh? by Bert64 · · Score: 1

      It wouldn't matter, windows passwords are encrypted with 2 rather poor algorithms (yes, the weaker of the two is kept for legacy reasons but can be turned off, but its still stupid to have 2 at all). I don't think they use any random entropy, not even a salt...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    9. Re:Huh? by InvisblePinkUnicorn · · Score: 1

      It's a security flaw that they built into their software. I doubt that the EOL argument would hold any water in a high profile lawsuit.

    10. Re:Huh? by Anonymous Coward · · Score: 0

      It wouldn't matter, windows passwords are encrypted with 2 rather poor algorithms (yes, the weaker of the two is kept for legacy reasons but can be turned off, but its still stupid to have 2 at all). I don't think they use any random entropy, not even a salt...

      The reason MS has 2 is simple, the first one poorly thought out and they have no "standard" interface. The second one isn't much different. Look for a 3rd one in the next release.

    11. Re:Huh? by plague3106 · · Score: 1

      You act as if it's intentional. It's not.

      Your mention of a lawsuit is just absurd. Nice try at a strawman though.

    12. Re:Huh? by PitaBred · · Score: 1

      You get high enough levels of incompetence, and it doesn't matter if it's intentional or not. It's still their fault.

  6. Re:loophole in corepirate nazi hypenosys by kurt555gs · · Score: 1

    WTF? does this mean that in Vista you just pray for a random number?

    --
    * Carthago Delenda Est *
  7. Where's the white noise generator? by tjstork · · Score: 4, Interesting

    I am still at a loss to wonder why a PC does not have a white noise generator built into it yet. Even the best random number algorithms are pseudo random, so blasting Microsoft for their algorithm is a little like blasting the kid for not carrying enough of a bucket when the dam is the thing that broke.

    Put white noise hardware and real random number hardware on PCs, and this whole problem goes away.

    --
    This is my sig.
    1. Re:Where's the white noise generator? by CRCulver · · Score: 1

      If you want to pay a little more than what bargain-basement PCs cost, many common chipsets already have a nice hardware RNG and have for years now.

    2. Re:Where's the white noise generator? by palladiate · · Score: 3, Informative

      No, Intel no longer provides a hardware RNG on most chipsets. The last is the i810.

      Some AMD64 chipsets still do though. You generally don't find hardware RNG on any chipset below the "Major Enterprise Purchase" mark.

      Which could be bettered, easily.

    3. Re:Where's the white noise generator? by OrangeCowHide · · Score: 5, Funny

      A white noise generator? Bah... What systems need are pop-o-matic bubbles with m * 2^n sided dice to generate m * n bits. It could even put a window up saying, "The entropy pool is depleted. Please press the pop-o-matic bubble to generate more."

      That would be awesome

      --
      Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains. - Evilest Doe
    4. Re:Where's the white noise generator? by pesc · · Score: 2, Informative

      Like the VIA C3 processor?

      --

      )9TSS
    5. Re:Where's the white noise generator? by palladiate · · Score: 4, Informative

      The Commodore had one too, on the sound chip. The old P3 i810 and VIA C3 chipsets had RNGs built in. They relied on thermal noise. Some AMD chipsets still have it. But for the most part, no modern motherboard comes integrated with a hardware RNG.

    6. Re:Where's the white noise generator? by CarpetShark · · Score: 1

      Put white noise hardware and real random number hardware on PCs, and this whole problem goes away.


      How do these work? Electromagnetics? Background radiation? Quantum unknowns? Even without being a physicist, I can imagine flaws in systems based on most of these.
    7. Re:Where's the white noise generator? by cheese_wallet · · Score: 2, Informative
    8. Re:Where's the white noise generator? by Ephemeriis · · Score: 1

      I know that there are plenty of machines out there that come with hardware RNG at reasonable prices... But is that even necessary?

      I've seen software that tracks mouse movements for a while when generating random numbers, couldn't something similar be done through the OS itself? Couldn't you use mouse movement, keyboard input, sound and video output, etc. as your RNG? Wouldn't that be almost as good as a truly random number generator?

      Or is there some obvious flaw in such a scheme which keeps it from being used?

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    9. Re:Where's the white noise generator? by ConceptJunkie · · Score: 4, Funny

      Perhaps you could pour hot tea into it instead.

      --
      You are in a maze of twisty little passages, all alike.
    10. Re:Where's the white noise generator? by mkendall · · Score: 2, Informative

      How do these work? Electromagnetics? Background radiation? Quantum unknowns?

      Shot noise in diodes under reverse breakdown is a typical way to generate noise.
    11. Re:Where's the white noise generator? by Darkforge · · Score: 1

      Mouse movements and keystroke latency are OK for consumer grade encryption keys (though, note that they are normally just a seed for a pseudo-randomizer) you can't really use them on headless servers, which is where most of the important (i.e. high financial value) encryption takes place.

      --

      When I moderate, I only use "-1, Overrated". That way, I never get meta-moderated!

    12. Re:Where's the white noise generator? by xZgf6xHx2uhoAj9D · · Score: 1

      That's exactly the approach Linux uses with /dev/random (not to be confused with /dev/urandom): the kernel uses the timings between I/O interrupts (key strokes, hard drive seeks, etc.) to build up entropy. I'm no expert on the matter, but I believe people when they say it's good enough for crypto.

      So far as I can tell, the only benefit over a thermal noise source over that scheme is that thermal noise gives you a pretty good and constant supply. If you're hitting /dev/random often, it's not hard to get it to block while it waits for more entropy.

    13. Re:Where's the white noise generator? by mixmatch · · Score: 1

      White noise RNGs aren't perfect. In some environments, white noise can be predicted/replicated. Consider the average server room, which produces the rather constant sound of small fans going at high RPMs. For more detailed information on RNG predictability and other exploits on digital communication, I recommend "Silence on the Wire" by Michal Zalewski.

    14. Re:Where's the white noise generator? by Schraegstrichpunkt · · Score: 1

      Be careful. Lots of "white noise generators" are just pseudorandom generators with small state registers.

    15. Re:Where's the white noise generator? by roystgnr · · Score: 1

      Or is there some obvious flaw in such a scheme which keeps it from being used?

      The only catch is that many applications want lots of random numbers quickly, whereas others want them truly unpredictable for cryptographic security and can wait as long as that takes. You want to try to make both types of apps happy. In Linux, for example, /dev/random tries to predict event timings from mouse/keyboard/hard drives, and gets its random numbers from the deviations from predictability. However, it doesn't "save up" any random numbers, just generates them as requested, so this may be a reasonable thing to do for generating encryption keys (as long as the keygen prompts the user to wiggle the mouse a little) but it's not fast enough for random numbers in video games or numerical simulations. For that, there's pseudo-random number generators in the C library, as well as a /dev/urandom that starts with seeds from /dev/random but pads them out with a PRNG when the non-pseudo randomness runs low.

    16. Re:Where's the white noise generator? by Detritus · · Score: 2, Informative

      I've seen resistors (thermal noise) and zener diodes (junction breakdown noise) used as noise sources. The trick is to keep external non-random signals out of the circuit.

      --
      Mea navis aericumbens anguillis abundat
    17. Re:Where's the white noise generator? by Lee148 · · Score: 1

      As I understand it, it is non-trivial to implement a random number generator in hardware that is non-biased. That is, it is difficult to create a piece of hardware that creates a uniform distribution of numbers. To distill the problem down: how would you create a circuit that outputs a 1 or 0 with exactly (like really exactly) 50-50 probability? Figure that out, then figure out how to make it work in potentially wildly varying temperatures. Then once you've done that, figure out how to make your design mass-producible. It can be done, but perhaps not as easily as it seems.

    18. Re:Where's the white noise generator? by xZgf6xHx2uhoAj9D · · Score: 1

      Sorry, I know it's bad manners to reply to oneself, but after reading through the paper, I see that Linux' /dev/random is vulnerable in a similar way (though they describe the attack on Windows to be "more efficient").

    19. Re:Where's the white noise generator? by ConceptJunkie · · Score: 1

      Besides, if you save up too many random numbers the laws of thermodynamics might cause your tea to freeze.

      --
      You are in a maze of twisty little passages, all alike.
    20. Re:Where's the white noise generator? by Vellmont · · Score: 1


      I am still at a loss to wonder why a PC does not have a white noise generator built into it yet.

      Many do (as others have pointed out).

      Put white noise hardware and real random number hardware on PCs, and this whole problem goes away.

      Some problems go away. You're assuming that random numbers can be generated at the same or greater rate they're consumed. If not, then there's the potential for this same kind of thing happening. If you can't generate random numbers from a noise source fast enough, you'll have to rely on a pseudo random source.

      --
      AccountKiller
    21. Re:Where's the white noise generator? by Anonymous Coward · · Score: 0

      The RNG in the Commodore sound chip had little to do with randomness. It was just a small shift register with XOR feedback, a well-known technique for making a pseudo RNG.
      The register was so small that you could easily hear its pattern repeating.

    22. Re:Where's the white noise generator? by S.O.B. · · Score: 1

      What systems need are pop-o-matic bubbles with m * 2^n sided dice to generate m * n bits.


      But no one under the age of 35 will know how to operate it.
      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
    23. Re:Where's the white noise generator? by sharkey · · Score: 1

      What, no fairy cake?

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    24. Re:Where's the white noise generator? by mrbluze · · Score: 1

      How do these work? Electromagnetics? Background radiation? Quantum unknowns? Even without being a physicist, I can imagine flaws in systems based on most of these.

      You're absolutely right, because we have to believe what they tell us with respect to hardware - it's no different from closed source. Even if the thing is based on a sound physical principle, it can be backdoored and is untrustworthy for anything critical. The only way I can see it working is with an open source software solution based on an open hardware solution, for example a home made source of hardware randomness.

      I mean, it might seem reasonable that the NSA needs to have keys to everyone's safes, but anything they can do, the crims will be able to do shortly afterwards.

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    25. Re:Where's the white noise generator? by archen · · Score: 1

      I am still at a loss to wonder why a PC does not have a white noise generator built into it yet.

      Isn't that what computers have users for?

    26. Re:Where's the white noise generator? by Anonymous Coward · · Score: 0

      Perhaps Microsoft should do it the right way and harvest the entropy instead of trying to generate it from scratch.

    27. Re:Where's the white noise generator? by makomk · · Score: 1

      Yeah - the Linux kernel PRNG is overdue for replacement and has been for a while, I think.

    28. Re:Where's the white noise generator? by GMFTatsujin · · Score: 1

      That'd be the Mic In jack on my laptop. It's even implemented in hardware!

    29. Re:Where's the white noise generator? by CarpetShark · · Score: 1

      I mean, it might seem reasonable that the NSA needs to have keys to everyone's safes


      No, it doesn't! :)

      but anything they can do, the crims will be able to do shortly afterwards.


      But that part, and the first part, I agree with :)
    30. Re:Where's the white noise generator? by Skippy_kangaroo · · Score: 1

      But can you tell me precisely how improbable that is?

      If not, all you'll manage to do is make all the molecules of your underwear jump one foot simultaneously to the left.

    31. Re:Where's the white noise generator? by andy_t_roo · · Score: 1

      it is quite trivial to turn a biased rng into an unbiased one.
      1) generate pairs of 1's,0's (assume 80% are ones) (assume there is no correlation between the two numbers generated)
      2) within the number stream every time 01 occurs, output 0, every time 10 occurs output 1, 11 and 00 output nothing
          01 occurs .2*.8 (16%) of the time, 10 occurs .8*.2 (16%) of the time, 11 occurs 64% of the time, 00 occurs 4% of the time
      therefore the number of 1's and 0's output by step 2 is the same, at the cost of 84% of the generating capacity (with an unbiased generator all 4 of the numbers above are 25%, and this scheme results in the loss of 75% of generating capacity)

    32. Re:Where's the white noise generator? by Fred_A · · Score: 1

      There used to be a RNG based on lava lamps on the web in the olden days.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    33. Re:Where's the white noise generator? by andy_t_roo · · Score: 1

      sorry for the bad formatting above (accidentally hit submit rather than preview)

      it is quite trivial to turn a biased rng into an unbiased one.
      1) generate pairs of 1's,0's (assume 80% are ones) (assume there is no correlation between the two numbers generated)
      2) within the number stream every time 01 occurs, output 0, every time 10 occurs output 1, 11 and 00 output nothing
          01 occurs .2*.8 (16%) of the time, 10 occurs .8*.2 (16%) of the time, 11 occurs 64% of the time, 00 occurs 4% of the time

      therefore the number of 1's and 0's output by step 2 is the same, at the cost of 84% of the generating capacity (with an unbiased generator all 4 of the numbers above are 25%, and this scheme results in the loss of 75% of generating capacity)
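A worked version of the debiasing procedure the two posts above describe (von Neumann's trick). This is an added example, not code from the thread; the 80% bias, the seed and the short sample stream are constructed inputs, and the `debias_stats` helper is hypothetical.

```python
# Added example: von Neumann debiasing of a biased, independent bit source.
# Constructed inputs: the 80%-ones bias and the sample bit stream below are
# illustrative values, not measurements from any real hardware RNG.
import random
from typing import Iterable, Iterator, List


def von_neumann_debias(bits: Iterable[int]) -> Iterator[int]:
    """Yield unbiased bits from a biased source whose bits are independent.

    Input bits are consumed in non-overlapping pairs:
        01 -> emit 0,  10 -> emit 1,  00 and 11 -> emit nothing.
    P(01) = (1-p)*p and P(10) = p*(1-p) are equal for any bias p, so the
    emitted 0s and 1s are equally likely. Independence is essential: a source
    with correlated bits (a fan hum, a repeating LFSR) is NOT fixed by this.
    """
    it = iter(bits)
    for first in it:
        try:
            second = next(it)
        except StopIteration:
            return  # an odd trailing bit has no partner and is discarded
        if first != second:
            yield first  # pair (1,0) -> 1, pair (0,1) -> 0


def expected_yield(p_one: float) -> float:
    """Fraction of INPUT bits that survive debiasing.

    2*p*(1-p) of all pairs are emitted and each pair costs two input bits,
    so the per-bit yield is p*(1-p):
    p=0.8 -> 0.16 (84% lost, as the post says); p=0.5 -> 0.25 (75% lost).
    """
    return p_one * (1.0 - p_one)


def biased_bits(p_one: float, n: int, seed: int = 1) -> List[int]:
    """Constructed biased source: independent bits, each 1 with probability p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def ones_fraction(bits: List[int]) -> float:
    """Share of 1s in a bit list (0.0 for an empty list)."""
    return sum(bits) / len(bits) if bits else 0.0


def debias_stats(p_one: float, n: int, seed: int = 1) -> dict:
    """Hypothetical helper: run the debiaser over a constructed stream and
    report bias and yield before and after, next to the predicted yield."""
    raw = biased_bits(p_one, n, seed)
    out = list(von_neumann_debias(raw))
    return {
        "input_bits": n,
        "input_ones_fraction": ones_fraction(raw),
        "output_bits": len(out),
        "output_ones_fraction": ones_fraction(out),
        "observed_yield": len(out) / n,
        "expected_yield": expected_yield(p_one),
    }


if __name__ == "__main__":
    # Walk the post's rule by hand on a tiny constructed stream.
    sample = [1, 1, 0, 1, 1, 0, 0, 0, 1, 0]
    print("pairs:   ", list(zip(sample[0::2], sample[1::2])))
    print("debiased:", list(von_neumann_debias(sample)))
    # Then confirm the 16% / 25% yields the post computes, on a longer stream.
    for p in (0.8, 0.5):
        print(f"p(1)={p}:", debias_stats(p, 200_000))
```

The output stream is balanced regardless of the input bias, but the yield drops to p(1-p) of the input rate, which is why a hardware source feeding this step needs headroom over the consumer's demand.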

    34. Re:Where's the white noise generator? by Anonymous Coward · · Score: 0

      Yeah, sure. If you've got a sound card, just feed the least significant bit off samples from /dev/dsp into your entropy pool. Simple, effective, gives you all the noise you'll ever need. Audio ADCs are great noise sources.

    35. Re:Where's the white noise generator? by Anonymous Coward · · Score: 0

      Kids: Mooooooooooomm! The computer is out of entropy again!!!
      Jim Carrey as FireMarshallBill: Let me show you a little something about making entropy, kids.
      Kids (thinking): WTF?
      FMB: It may seem dangerous to pour hot tea into a computer, but I'm a trained professional, so don't try this at home.
      Kids: ???
      FMB: First, make sure to ground yourself by stripping off the conductors of a 3 prong electrical cord and then shoving it down your pants.

        [ fast forward a few minutes -- house is burned down, and FMB has multiple 3rd degree burns and is missing some teeth ]

      FMB: ... and that, kids, is how you make entropy.

  8. The Vista RNG by Anonymous Coward · · Score: 5, Funny
    Although they only checked Windows 2000, they assume that XP and Vista use similar random number generators and may also be vulnerable.

    Your system must meet the requirements to be able to run the Windows Random Number Generator on Vista. Otherwise, you will need to use Windows Number Generator Basic. The only number WNGB can generate is 4.

    1. Re:The Vista RNG by eln · · Score: 4, Funny

      Yes, but that 4 was generated via a fair dice roll, and is guaranteed to be random. You can't say that about the numbers the Vista RNG spits out. So you see, what the WNGB lacks in quantity it makes up for in quality.

    2. Re:The Vista RNG by JCSoRocks · · Score: 1

      I've got Vista and I've found a way to fix this problem and keep your numbers nice and random. I just used a piece of string attached to one of my fans to swing a big magnet over the top of my memory. It's great. Although... my computer keeps on giving me these weird corruption errors and then crashing.

      --
      You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
    3. Re:The Vista RNG by DreamerFi · · Score: 1

      Sounds like the same one Dilbert is using.

    4. Re:The Vista RNG by secPM_MS · · Score: 4, Informative
      The random number generator for XP and 2K3 server was substantially improved over that of Win 2000. Additional work was done for Vista. These systems are used in highly secure military deployments and due to its importance to system security, the random number generator was subjected to extensive analysis and was updated to deal with issues uncovered. When evaluating "random number generators" you need to consider not only the "random number" generator, but entropy harvesting from the system and other issues relating to usage. I assume the bulk of the readers are not MS developers, but if you need a good random number on a Windows platform, call CryptGenRandom. Equivalent functionality is provided for managed code as well.

      Win 2K is a very legacy product and its crypto functionality is very limited compared to 2K3 and Vista.

    5. Re:The Vista RNG by John+Hasler · · Score: 1, Troll

      > The random number generator for XP and 2K3 server was substantially improved over that
      > of Win 2000.

      You know this, of course, because you have reviewed the source code.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    6. Re:The Vista RNG by ale_ryu · · Score: 1
      Reminds me of Dirk Gently's I ching calculator:

      'The electronic I Ching calculator was badly made. It had probably been manufactured in whichever of the South-East Asian countries was busy tooling up to do to South Korea what South Korea was busy doing to Japan. Glue technology had obviously not progressed in that country to the point where things could be successfully held together with it. Already the back had half fallen off and needed to be stuck back on with Sellotape.'
      'It was much like an ordinary pocket calculator, except that the LCD screen was a little larger than usual, in order to accommodate the abridged judgments of King Wen on each of the sixty-four hexagrams, and also the commentaries of his son, the Duke of Chou, on each of the lines of the hexagram. These were unusual texts to see marching across the display of a pocket calculator, particularly as they had been translated from the Chinese via the Japanese and seemed to have enjoyed many adventures on the way.'

      'The device also functioned as an ordinary calculator, but only to a limited degree. It could handle any calculation which returned an answer of anything up to "4".'

      '"1 + 1" it could manage ("2"), and "1 + 2" ("3") and "2 + 2" ("4") or "tan 74" ("3.4874145"), but anything above "4" it represented merely as "A Suffusion of Yellow". Dirk was not certain if this was a programming error or an insight beyond his ability to fathom, but he was crazy about it anyway, enough to hand over £20 of ready cash for the thing.'


    7. Re:The Vista RNG by secPM_MS · · Score: 4, Interesting

      I didn't, but I know the people who did the enhancements, and they are very competent and well known cryptographers.

    8. Re:The Vista RNG by GlobalEcho · · Score: 1

      Finally somebody who can post some actual information. Thanks!

    9. Re:The Vista RNG by Just+Some+Guy · · Score: 1

      Additional work was done for Vista. These systems are used in highly secure military deployments

      I may never sleep soundly again.

      --
      Dewey, what part of this looks like authorities should be involved?
    10. Re:The Vista RNG by secPM_MS · · Score: 1
      I have been working in security for over 20 years and am quite paranoid. Vista is reasonably secure to start with (particularly if you turn off Sidebar, which like all gadget platforms (including those of Google and Yahoo) increases the attack surface). You can configure Vista to be very secure. You can be sure that organizations that really care about security configure their system appropriately. Note that increasing security decreases user features and whiz-bang. My Vista interface looks rather like Win 2K.

      Turn off sidebar

      Go into system properties, under advanced, optimize for performance

      Run as a normal user

      Lock down IE

      If you run Firefox, install NoScript and be very cautious about granting scripting

    11. Re:The Vista RNG by PingXao · · Score: 1

      This is garbage. Any military system that needs to be secure isn't going to use Windows anything without some special aftermarket crypto added on.

      You provide nothing to back up any of your assertions that the Crypto API was analyzed and updated to address issues that were uncovered.

      CryptGenRandom is the EXACT random number generator call that TFA calls into question.

    12. Re:The Vista RNG by Anonymous Coward · · Score: 0

      Windows 2000 was also used in military systems (remember Windows for Warships?).

    13. Re:The Vista RNG by secPM_MS · · Score: 1
      It is the same call. It is not the same code. We keep the API the same. We update the code as issues are discovered and resolved. That way users and applications relying upon the API need do nothing to take advantage of the improved crypto.

      With Vista, Microsoft shipped support for Suite B crypto to deal with governmental issues. The government tends to operate in FIPS mode, where they (and any user who is willing to pay for them) also have the option of using hardware security modules (HSMs) to handle crypto if they do not want to rely upon the CNG (Crypto Next Generation) code modules.

      There is not a significant security issue here. You first have to compromise the user. Then this issue allows a modest increase in the compromise against the user. It does not allow a compromise of the user. As such, it would be considered for the next service pack. To the best of my knowledge, Win 2K is end of life.

      As for evidence, you will have to deduce it. I claim that this issue was discovered internally and addressed. If you check, you will find that it does not reproduce in XP SP2 or 2K3 SP1, so you will see that the issue was dealt with years ago -- and you don't have to believe me.

    14. Re:The Vista RNG by Anonymous Coward · · Score: 0

      Has any of this analysis and the supposed resulting improvements been published anywhere?

    15. Re:The Vista RNG by Anonymous Coward · · Score: 0

      C programs using the "fread" function will compile on vastly different operating systems, e.g. Windows, UNIX, OS/390, RiscOS. The implementation of fread on each system is completely different.

      Similarly, CryptGenRandom is not a random number generator. It is an API: an interface to an implementation. Which can change over time. And has.

    16. Re:The Vista RNG by Anonymous Coward · · Score: 0

      Many companies and government organizations still use Windows 2000. If this issue was found years ago, why wasn't a patch issued for Windows 2000? Why do we first find out about the problem in late 2007?

    17. Re:The Vista RNG by Anonymous Coward · · Score: 0

      "CryptGenRandom is the EXACT random number generator call that TFA calls into question."

      I love how slashdotters assume they know everything about everything and that they are God's gift to the programming profession, when they can't even get it through their heads that the implementation of an API function can change over time. The person with whom you are arguing works at MS (I think) and knows of what he's talking about. If he says that the implementation of CryptGenRandom has been enhanced in XP SP2, Windows Server 2k3, and Vista beyond what it was in Win2000, then it's likely true. No evidence has been provided saying that XP SP2, WinServer 2k3, or Vista's CryptGenRandom is "cracked". You are the one making the accusation that Vista, XP SP2, and WinServer 2k3's CryptGenRandom is "cracked", well then PROVE IT.

    18. Re:The Vista RNG by StormReaver · · Score: 1

      "Win 2K is a very legacy product and its crypto functionality is very limited compared to 2K3 and Vista."

      I'm usually rather willing to accept sincere sounding apologies if they're wrapped with enough market speak and technobabble, but I'm just not buying this. I still remember the years of NT4, when Microsoft was trumpeting how well written it was, how secure it was, and how it was just the best...thing...ever. Of course, empirical experience with NT4 and Windows 2000 (which was the next shallow iteration of NT) showed that they still had the same severe problems that have always plagued Windows, but Microsoft trumpeted the greatness of NTx despite all the evidence to the contrary.

      Then XP came around, and Microsoft really needed people to ditch NT4 and Windows 2000 in favor of XP. Then suddenly, out of nowhere, Monkey Boy starts bad-mouthing NT4 as a steaming pile of unfixable crap, and started with the additional pile of steaming crap that XP was the best...thing...ever. People seem to overlook the obvious implication of that: Microsoft implicitly admitted it was lying about NT4 during its heyday.

      With Microsoft's history of telling any lie that will drive sales, and its complete disregard for security, who on this planet is stupid enough to believe anything coming out of Redmond now? Microsoft is the quintessential boy crying "wolf" from every hillside. It's really not a matter of whether Microsoft is competent to fix the problem, but rather it's mostly a matter of trust.

    19. Re:The Vista RNG by Anonymous Coward · · Score: 0

      Come on, if you're going to use someone else's joke, at least put in a link.
      http://xkcd.com/221/

    20. Re:The Vista RNG by eln · · Score: 1

      I thought the entire thread was a pretty obvious reference to that comic. I find that the shared "getting" of a reference enhances a joke, and pointing out the reference diminishes the joke somewhat. Like a Simpsons reference, that particular comic is ubiquitous enough on Slashdot that pointing out the reference is redundant and detracts from the overall humor. The entire reason I replied the way I did was because the post I was replying to was a clearly obvious reference to that joke (since they used the number 4 in particular).

    21. Re:The Vista RNG by secPM_MS · · Score: 1
      The threat environment and security requirements change over time. When customers didn't care about security issues, Microsoft didn't either. In the mid-late 90s I was a security and directory architect at Novell and was not at MS. When security became an important problem to customers, Microsoft started worrying about security. The MSRC patch data as well as third party reports show that Microsoft has made a great deal of progress, with 2K3 SP1 and XP SP2 having significantly fewer vulnerabilities than their predecessors. Vista has fewer issues as well, particularly if you configure it for security. You can make a very good case that Vista is at least as secure as the major *nix distros. If you look at SQL security, you see a striking increase in security - compare MS SQL's recent vuln issues with Oracle.

      What constituted "good", by which a marketer means "good enough" security 5 years ago is not likely to constitute "good enough" security now, let alone 5 years from now. This is as true in the BSD space as it is in the *nix space as it is in the Windows space. I am an engineer with a number of security startups behind my belt. I don't believe anybody's marketing claims. Security wise, NT was more secure than W95/W98. 2K was more secure than NT. 2K3 was more secure than 2K. 2K3 SP2 was more secure than 2K RTM. 2K8 will be more secure than 2K3 SP2. The marketing people will trumpet this. They should. It is true as well. The same thing is happening in the BSD and *nix space.

  9. Novell by Anonymous Coward · · Score: 5, Funny

    In other news, Miguel de Icaza said that he believes that the random number generator is a good idea. Linux should have one because Microsoft is going to win anyway, so Linux would better be prepared if it doesn't want to be locked out of the future markets, and presented a beta version of the algorithm. Members of the GNOME foundation are participating in the standardization: ''it's better to provide our own insecure random number generator'' said ownen taylor.

    1. Re:Novell by Eighty7 · · Score: 1

      70% Funny
      10% Flamebait
      10% Troll
      Ah just how I like it.

  10. What is the scope of potential attacks? by argent · · Score: 1

    The abstract made me think that this was akin to the sequence number prediction problems in older TCP implementations, but it doesn't seem that this provides much opportunity for a remote attack. What is the actual scope of the problem, how could this be practically used in an exploit?

    1. Re:What is the scope of potential attacks? by Schraegstrichpunkt · · Score: 1

      The abstract made me think that this was akin to the sequence number prediction problems in older TCP implementations, but it doesn't seem that this provides much opportunity for a remote attack.

      That's because you're not creative enough, which is fine (most of us aren't), but don't assume that your lack of creativity translates into difficulty of attack.

      All you'd have to do is to buffer-overflow some SSL server, capture the state of the RNG, then perform O(1) operations to figure out what session keys will be for future SSL connections, and/or perform 2^23 operations to figure out what _previous_ session keys were (before you compromised the machine). What this means is that you can wait until _after_ some high-value transaction has occurred (which you can figure out via traffic analysis or by watching the guy in the next cube log into his bank account) to execute an attack, then recover the keys used for that transaction.

      And a Diffie-Hellman key exchange won't help you. If you have g^x and g^y (which are transmitted in the clear), all you need is to guess either x or y to compromise the key exchange.

    2. Re:What is the scope of potential attacks? by argent · · Score: 1

      It's not a lack of imagination, friend. I quite understand how this can be used after a successful remote execution exploit, my question is not about that, it's about whether this predictability can itself be used as the basis for a remote attack, the way TCP sequence number prediction could be used for remote spoofing attacks.

      I'm actually a bit surprised that any applications requiring good random numbers would depend on a system random number generator. System random number generators have traditionally varied from poor to downright abysmal, and are useful for no more than part of the seed for a cryptographically strong PRNG included in the application. The introduction of random number generators that are even intended to be good enough quality for cryptographic use is pretty recent, and certainly no portable code should depend on them.

      The comment in the paper, "The designers of the operating system can be expected to be versed with the required knowledge in cryptography, and know how to extract random system data to seed the generator. They can therefore implement an efficient and secure generator." implies a lot more trust in the security stance of the OS developers than I would have granted for all but a couple of examples. Windows NOT being one of them.

  11. Yes, actually. The cat does "got my tongue." by Impy+the+Impiuos+Imp · · Score: 1

    I thought of doing something like this years ago for EverQuest. Presume it used the standard random number generator as published by Knuth, among others. Get a series, then crank through seeds until you found the sequence that matched it, done.

    Never got beyond the thought stage because the problem was that those random values were probably shared amongst many clients, and thus it would be impossible to get a pure sequence without losing some values to other clients. And this assumes such a calculation would be doable in something less than many times the age of the universe. But in theory it could have worked.

    Then just wait for a high string of good hits to be in the pipeline, and jump into battle.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  12. Re:what. the. fuck. by LiquidCoooled · · Score: 0, Troll

    stop eating smurfs.

    --
    liqbase :: faster than paper
  13. Spearmen by Anonymous Coward · · Score: 2, Funny

    So that's why my tanks and battleships always lose to spearmen.

  14. M$, your code sucks... by forestbrooke · · Score: 1

    so, open it up... let some 'real' developers look at it! (not a bait, but i guess that is the essence?) 'open source' windows!

  15. they assume? by pak9rabid · · Score: 1

    Although they only checked Windows 2000, they assume that XP and Vista use similar random number generators and may also be vulnerable. The full text of the paper is available in PDF format."

    And what happens when we make assumptions? we make an ass of me, and you make more money

    1. Re:they assume? by Tetsujin · · Score: 1

      Although they only checked Windows 2000, they assume that XP and Vista use similar random number generators and may also be vulnerable. The full text of the paper is available in PDF format."

      And what happens when we make assumptions? we make an ass of me, and you make more money

      Uh, no... When you make an assumption, you make an ass of you and Mption...

      --
      Bow-ties are cool.
  16. Fixed in Vista? by adonoman · · Score: 5, Insightful
    http://msdn.microsoft.com/msdnmag/issues/07/07/Security/default.aspx has the new API, including an RNG that meets Federal Information Processing Standards (FIPS) for use with the Digital Signature Algorithm (DSA). There's a lot I don't like about Vista, but for security researchers to "assume that XP and Vista use similar random number generators and may also be vulnerable" without a basic google search is a bit much!

    1. Re:Fixed in Vista? by Anonymous Coward · · Score: 5, Informative
      Actually, go further back:

      http://www.microsoft.com/technet/archive/security/topics/issues/fipseval.mspx?mfr=true

      You'll note that Windows 2000 passed FIPS-140-1.

    2. Re:Fixed in Vista? by CastrTroy · · Score: 3, Interesting

      Just because they have a new API for getting the random numbers, it doesn't mean that they are using different algorithms for generating those random numbers. Also, they must still have the old APIs in there, otherwise, a lot of programs would fail to work. Since most of the software out there was written pre-Vista, and written to run on Vista, XP, and 2000, it's conceivable that applications on these operating systems are using the vulnerable code.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    3. Re:Fixed in Vista? by BoChen456 · · Score: 1

      Just because they have a new API for getting the random numbers, it doesn't mean that they are using different algorithms for generating those random numbers. Also, they must still have the old APIs in there, otherwise, a lot of programs would fail to work. Since most of the software out there was written pre-Vista, and written to run on Vista, XP, and 2000, it's conceivable that applications on these operating systems are using the vulnerable code.

      Assuming they have the same API doesn't mean the RN generator is using the same algorithm either.

      I don't think a true (not pseudo) random number API has any guarantees that the returned values will be reproducible.

    4. Re:Fixed in Vista? by Anonymous Coward · · Score: 2, Insightful

      Huh? It's perfectly possible, indeed desirable to code against an interface. This gives you the ability to change the code behind it as you're treating it as a black box. It's not even new to windows; the common dialog calls for example bring up OS specific dialogs; so I could make the same call for Win95 on XP and I will get the XP dialog. Both your premise and your conclusion are pretty fatally flawed.

    5. Re:Fixed in Vista? by RonnyJ · · Score: 1

      Just because they have a new API for getting the random numbers, it doesn't mean that they are using different algorithms for generating those random numbers.

      I looked up the full quote, which shows that they have different algorithms that can be used with that API, one passing the 'FIPS' standard:

      The BCRYPT_RNG_FIPS186_DSA_ALGORITHM algorithm identifier is also available should you need an algorithm that meets Federal Information Processing Standards (FIPS) for use with the Digital Signature Algorithm (DSA).

    6. Re:Fixed in Vista? by Anonymous Coward · · Score: 0

      FIPS 186-2 requires the use of a specific set of PRNGs (ANSI X9.62, etc.). Does this mean the FIPS PRNG selection is bad?

    7. Re:Fixed in Vista? by Anonymous Coward · · Score: 0

      There's a lot I don't like about Vista, but for security researchers to "assume that XP and Vista use similar random number generators and may also be vulnerable" without a basic google search is a bit much!

      Yeah, but you are only assuming they said that. It's only the press release that says that, not the actual paper. What the paper actually says is researcher-speak for "give us more money and we'll tell you if it's the same on XP/Vista".

  17. Publication iffy by cdrguru · · Score: 3, Insightful

    The only benefit that could possibly be derived by publishing algorithms and/or code for Windows security would be if (a) changes proposed would be implemented quickly and (b) everyone planet-wide upgraded.

    If both of these did not happen, especially if (b) didn't happen, what you would be doing is exposing all non-upgrading users to the full brunt of whatever flaws there might be. Would this really be productive? Does this remind you of various failures in Linux code that led to rootkits being developed for it? Did the victims of such attacks think it was all for the best because they didn't upgrade in a timely manner?

    Yes, relying on people not reverse-engineering code to protect users isn't a great plan. But the current situation - as regrettable as it is - is this is the only plan. There are no fallbacks, there are no alternatives. Most of the running copies of Windows aren't going to be "fixed" in any way whatsoever.

    1. Re:Publication iffy by sunami · · Score: 1

      If both of these did not happen, especially if (b) didn't happen, what you would be doing is exposing all non-upgrading users to the full brunt of whatever flaws there might be.

      Which just happened. And was pretty much inevitable to happen assuming it wasn't bulletproof from the start. Only now, it's "there's a flaw" rather than "here's a way to fix the flaw!"

    2. Re:Publication iffy by IkeTo · · Score: 2, Informative

      This sounds *really* wrong. You can say white-hats should have waited for a few days or even a few weeks after notifying the vendors before disclosing problems, but they should be disclosed eventually, and should be disclosed after giving vendors a reasonable amount of time. There are bound to be people not upgrading their Windows, and there are bound to be people not upgrading their Redhat or Fedora or Ubuntu or SuSE or FreeBSD or whatever operating system you name (not to mention whatever firewalls, protocols, applications, etc, etc you name). So we shouldn't be disclosing any vulnerability about any of those?! Who, then, knows that their software is vulnerable to black-hats and needs upgrading, and who, then, knows which software vendor is more trustworthy for providing secure software or providing rapid response to security issues? And, more importantly, how can developers learn from the others' mistakes and start writing secure code?

    3. Re:Publication iffy by Almahtar · · Score: 1

      Do you believe that these people are the first to discover this flaw? Possible, but it's also quite possible that they're just the first to say anything about it rather than just exploiting it for personal gain.

      Putting the code out in the open increases the likelihood of problems being solved. It's true many people won't patch their systems, but you know for sure they won't apply a patch that was never written because nobody ever reported the flaw.

  18. Re:Yes, actually. The cat does "got my tongue." by roguetrick · · Score: 2, Informative

    Now if only we had a plan for getting a girlfriend. And I don't mean Flargina the Elf, because from what I hear, she's packing something and it's not a bow.

    --
    -The world would be a better place if everyone had a hoverboard
  19. Ballmer knows by Anonymous Coward · · Score: 0

    "The team found a way to decipher how the number generator works, and thus compute previous and future encryption keys used by the computer, and eavesdrop on private communication."

    See?! Windows has had a pseudo-Time Machine all along. :D

    Go Microsoft!!

  20. ob XKCD reference by wren337 · · Score: 5, Funny


    http://xkcd.com/221/ // chosen by fair dice roll // guaranteed to be random

  21. huh? by deftones_325 · · Score: 0

    I can't even read past where some educated people try to recommend to M$ that they open up some of their double-super-secret source code. Imagine the possibilities and good things that could happen if they did that. It's just that kind of rational thinking that makes the developers at Microsoft upset. How dare anyone suggest it could be done better.

    --
    "A gentleman never strikes a lady with his hat on." - Fred Allen
  22. Pluggable Cryptomodules by gimli · · Score: 1

    Hi,

    I would suggest pluggable Crypto. So you can choose your own trusted Crypto provider in your operating system. This way anyone who likes peer reviewed opensource crypto can just plug it into M$ windows and doesn't need to rely on proprietary crap^H^Hypto.

    Regards,
    Holger

    1. Re:Pluggable Cryptomodules by Anonymous Coward · · Score: 1, Informative

      Well your wish has been granted. The Windows Vista cryptography API (CNG) provides just this kind of functionality.

      From the MSDN page on CNG features:

      Another improvement that CNG provides is the ability to replace the default random number generator (RNG). In CryptoAPI, it is possible to provide an alternate RNG as part of a cryptographic service provider (CSP), but it is not possible to redirect the Microsoft Base CSPs to use another RNG. CNG makes it possible to explicitly specify a particular RNG to use within particular calls.

      It seems that the CNG is very extensible. You can add new RNGs, encryption providers, hashing algorithms, etc.

    2. Re:Pluggable Cryptomodules by Anonymous Coward · · Score: 0

      Well done for suggesting something Windows has had available since 1998. Hardware encryption and random number generators have been available for Windows for quite some time making use of their pluggable architecture.

  23. Does this mean... by physicsphairy · · Score: 5, Funny

    That it will be possible to predict what values Excel will give us in our spreadsheets?

  24. Don't newer cpus have TRNG builtin? by jmichaelg · · Score: 1

    I thought that True Random Number Generators had been built into all newer CPUs. It appears, after a quick Google search, that's not the case. Via provides a TRNG on their C3, AMD provides one on their Geode processor, and Intel provides one on their "Firmware Hub." What's not clear to me is why, given the obvious need for a TRNG, Intel and AMD haven't incorporated one into the mainstream x86 architecture.

    1. Re:Don't newer cpus have TRNG builtin? by palladiate · · Score: 1

      You're slightly mistaken.

      Intel only provided RNG on the 810 series of chipsets, and that was the Pentium 3 generation. The VIA C3 is of the same generation of chipsets, nothing faster than a 1.4 GHz processor. AMD does provide a path, but it's an optional part of the chipset, and not universally supported.

      There used to be more ubiquitous hardware RNG.

    2. Re:Don't newer cpus have TRNG builtin? by John+Hasler · · Score: 1

      Because the people who most need hardware RNGs don't trust Intel and AMD.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:Don't newer cpus have TRNG builtin? by Anonymous Coward · · Score: 0

      > The VIA C3 is of the same generation of chipsets

      True, but the C7 also provides an RNG. And onboard AES.

      http://www.via.com.tw/en/products/processors/c7/

  25. Here's the thinking in Redmont by Frantactical+Fruke · · Score: 1

    Um, our programmers are all in conference negotiating the next shutdown dialog, but we have plenty of spare lawyers, so we'll fix this problem with a DMCA law suit in 5, 4, 3, 2...

  26. Similar but different? by QuietLagoon · · Score: 3, Interesting

    I wonder if this is a similar problem?

    1. Re:Similar but different? by DuctTape · · Score: 1
      I saw Windows, IRIX, Netware, Cisco IOS, Solaris, *BSD family, MacOS X, UNICOS, Tru64, HPUX, OS/400, NextSTEP, AIX, OpenVMS, and OS9. No Linux in there? Or am I missing something?

      DT

      --
      Is this thing on? Hello?
    2. Re:Similar but different? by QuietLagoon · · Score: 1

      Linux was in the one published the prior year.

    3. Re:Similar but different? by owlstead · · Score: 1

      Not the same problem. You can be pretty sure that the outcome of the random number generator is pretty much evenly spread out after going through all those SHA-1 hash functions and RC4 encryption functions. So the numbers will look pretty much random whichever way you look at it. Until your process uses the RNG, gets the state and starts calculating the next random numbers by itself. Then the random numbers will look conspicuously non-random (as in: equal).

      Of course, to get a high performance tcp/ip stack, they might have cut a few corners and stopped at using the PRNG for each bit of the initial sequence numbers (or more likely: they stopped using it at all or never started using it). Don't forget that 99% of developers would not know a PRNG if it hit them on the head. Then again, some people were using rnd(-time) on MSX BASIC 1.0 when they were 12 :).

    4. Re:Similar but different? by jagdish · · Score: 1

      I refuse to go to any site ending with .cx. I have my reasons.

  27. Bad summary by Shandalar · · Score: 1

    The submitter is jumping to some conclusions. The word "eavesdrop" does not occur in the paper.

  28. Is there a list of slots machines that run windows by Joe+The+Dragon · · Score: 5, Funny

    Is there a list of slots machines that run windows?

  29. Re:Yes, actually. The cat does "got my tongue." by Cheesey · · Score: 2, Informative

    That sort of attack could probably be used against online Nethack servers such as nethack.alt.org. You could predict what set of items you'd get if you generated a character at a specific value of time(NULL). You'd also be able to predict the future for that character. You'd try out sequences of moves on your PC, and then send the sequence that got you the best results.

    Unfortunately extra non-determinism would be introduced by bones files, and you'd get a new random sequence if you logged out. The server admin could also stop this attack quite easily by sourcing random data (or just the seed) from /dev/urandom. (They might already be doing that.)

    --
    >north
    You're an immobile computer, remember?
  30. Why bother! by Arivia · · Score: 1

    Why bother checking the other versions: after all, anything that matters is on Windows 2000 already!

    --
    The role of the writer is not to say what we can all say, but what we are unable to say. -Anais Nin
  31. the number of affected users enbiggens the problem by doti · · Score: 5, Insightful

    only tested Windows 2000, and not XP or Vista, both combined are far more used than 2000

    Still, 2000 has more (desktop) users than Linux. By your logic, if there were a similar problem in Linux, it would be less of a problem?

    --
    factor 966971: 966971
  32. Solution by PPH · · Score: 1

    Use Excel. Its solutions appear to be far less predictable than the current RNG.

    --
    Have gnu, will travel.
    1. Re:Solution by El_Oscuro · · Score: 1

      Excel seems to randomly subtract .5 hours from my timesheet whenever I use the autosum feature.

      --
      "Be grateful for what you have. You may never know when you may lose it."
  33. Wait wait wait... by SailorSpork · · Score: 0

    Although they only checked Windows 2000, they assume that XP and Vista use similar random number generators

    That's a hell of an assumption to make. Wherein Win2k probably had a semi reasonable (if apparently crackable) random number generator, Vista probably has a confused gnome inside that's hit on the head and presented with a keyboard when a random number is requested. It then needs to connect to the internet and report my name, hardware configuration, IP, SSN and 3 credit card numbers to the Windows Genuine Disadvantage hive mind in Redmond to ensure that I paid for a version of windows that is authorized to include the Random Gnome (R) (TM), or if I should pay more to upgrade to Random Gnome Ultimate.

  34. Normal sequence... by FedeLebron · · Score: 1

    65532
    65533
    65534
    100000

  35. Ummm.... Re:31784 by sharper56 · · Score: 2, Informative

    ...it's Tommy Tutone.

  36. Hardware RNG by SamMichaels · · Score: 4, Interesting

    You'd think that computers would have built-in hardware based RNGs by now. On-board sound, video, network, etc.......where is the radioactive decay RNG? After all, in 1985 plutonium should be available in every corner drugstore.

  37. Well... by SlipperHat · · Score: 1

    That was random... [dodges chair]

  38. Trolling... by squizzar · · Score: 1

    I suggest using the uptime of the previous session as a random number generator. Of course the numbers would always be small, but at least they'd be completely random...

  39. Vista is safe! by LingNoi · · Score: 1

    Don't worry! I spoke to a MS rep and they told me that Windows Vista was the most secure operating system available!

  40. Oblig Dilbert by BlueParrot · · Score: 1

    Troll: "nine,nine,nine,nine,nine,nine,nine,nine,nine,nine,nine..."
    Dilbert: "Are you sure that is random?"
    Troll: "That's the thing with random numbers, you can never be sure... nine,nine,nine,nine,nine..."

  41. Re:Is there a list of slots machines that run wind by Anonymous Coward · · Score: 0

    Multimedia Games bingo slots. (I saw one in a casino that had exited to the desktop, it looked to be running a version of Windows XP.)

    Some of the Multimedia Games bingo slots are apparently even retrofits for some older WMS Games slots (such as Jackpot Party, Instant Winner) among any others.

    However, it seems like those slots get their bingo card results from numbers drawn from a central computer, rather than an on-chip random number generator on the actual machine. Either way, the bingo card results appear to determine the actual reel spin result, so it's like the machine is practically showing the virtual reel result by using a bingo card, before spinning the reels.

  42. idiots by Anonymous Coward · · Score: 0

    if they know how it works and thus can predict it why can they only guess that it's the same code in xp and vista? like any experiment, once your assumption is proven correct in one experiment you should be able to predict the outcome in all experiments.

  43. USB Hardware RND by CustomDesigned · · Score: 4, Interesting
    Buy one of those $25 toy digital cameras. Keep the lens cap on, or put black tape over the lens. Connect to USB port. Add script to snap a "picture" every few minutes to prng. (Is there a way for userland to feed entropy to kernel based /dev/random?) With no light, digital cameras return thermal noise - which looks like "snow" on an analog TV. I've done this with a toy camera I bought for my daughter. The camera feeds raw pixels to the linux driver, and the post processing done by the Windows software was never implemented in Linux, making it useless as a camera (plus it has 256M ram, but no flash memory). But it works great for this application. I haven't done a mathematical analysis of exactly how much entropy is in the signal. I'll leave that for the stat geeks.

    I got the idea from a project that used a webcam snapping pictures of a Lava Lamp® as a hardware RNG.

    1. Re:USB Hardware RND by Bert64 · · Score: 1

      Could you do the same with a TV card that has no antenna connected? Proper "snow" input...
      Though I guess it could be subverted if you were in the vicinity with a powerful enough transmitter.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:USB Hardware RND by Schraegstrichpunkt · · Score: 1

      According to the paper, CryptGenRandom won't actually use the output from your digital camera very often.

    3. Re:USB Hardware RND by PReDiToR · · Score: 1
      Wasn't there a project to use your optical mouse as a camera?

      Wouldn't a second sensor in your mouse, or another wire to a chip in there be a fantastic way to provide entropy?

      --

      Do not meddle in the affairs of geeks for they are subtle and quick to anger
    4. Re:USB Hardware RND by CustomDesigned · · Score: 1

      I gave up on Windows as a lost cause after Win98. I was talking about easily adding a hardware RNG to Linux/BSD/Mac.

    5. Re:USB Hardware RND by owlstead · · Score: 1

      Aren't there huge bus problems with USB/security? Just thinking out loud. Anyway, you don't want user applications feeding the random RNG, as you could have read in the article. Furthermore, you don't want something that uses up lots of bus traffic and/or CPU power to get random bits, because ill-behaving applications or user errors may slow down the PC to a crawl (like writing a HDD with random numbers from /dev/random instead of /dev/urandom).

      Basically, in Linux, you get enough random bits from the HDD & network interfaces. This problem can be fixed without additional hardware. Of course, I do like the on-processor solutions; you won't get faster and more secure than that, and you are independent of the hardware used on the system.

    6. Re:USB Hardware RND by Lord+Ender · · Score: 0, Flamebait

      I'm trying really hard to think of a less exciting hobby than yours. I just. can't. do it.

      Wow.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    7. Re:USB Hardware RND by ACMENEWSLLC · · Score: 1

      >>Buy one of those $25 toy digital cameras.

      Mine went bad yesterday. It still connects to the computer, but the image is a solid color. So what happens when the cheap camera goes bad and sends a solid color to your hardware RNG?

      Even white noise isn't secure -- someone else could listen at the same location and pickup the same "random" signal.

    8. Re:USB Hardware RND by Anonymous Coward · · Score: 0

      Hey.. this is "Schrodinger Cat" device, isn't it ??!!!

    9. Re:USB Hardware RND by CustomDesigned · · Score: 1

      >>Buy one of those $25 toy digital cameras.

      Mine went bad yesterday. It still connects to the computer, but the image is a solid color. So what happens when the cheap camera goes bad and sends a solid color to your hardware RNG?
      Good point. On CPU would be much more reliable if you REALLY need the security. But sometimes the bobby pin approach is more fun. (When I was growing up, the cotter pin on a wheel broke on a cross country trip. My Dad was panicking because he was out. My Mom put in a bobby pin from her makeup kit. My Dad said it wasn't the right kind of metal and would break. It lasted as long as we had the car.)

      Even white noise isn't secure -- someone else could listen at the same location and pick up the same "random" signal.

      If they can listen to the USB bus, they already have enough physical access to own you. You would make the device node accessible to root only, of course.
    10. Re:USB Hardware RND by vittal · · Score: 1

      Maybe it's old-fashioned parenting, but buying your child a camera, then sticking masking tape over the lens may not be the best way to encourage their photographic ability! I guess it may help their ability to write USB drivers though... the choice is yours.

    11. Re:USB Hardware RND by Niggle · · Score: 2, Interesting

      Back when I was doing astronomy, a completely "black" picture didn't show purely random noise. You also get a faint fixed pattern. IIRC, that was mostly determined by tiny variations in the size of the detector pixels.

      That was a decade ago though. Modern chips might be a lot more uniform. Also, a digital camera on your desktop is unlikely to be liquid nitrogen cooled, so the thermal noise will be higher anyway.

      --
      - Blah blah blah, missing scientist. Blah blah blah, atomic bomb. -
    12. Re:USB Hardware RND by CustomDesigned · · Score: 1

      Maybe it's old-fashioned parenting, but buying your child a camera, then sticking masking tape over the lens may not be the best way to encourage their photographic ability! I guess it may help their ability to write USB drivers though... the choice is yours.

      Yes, she was rather disappointed that I couldn't get good pictures out of it. The raw pixels needed a smoothing filter and color balancing. She is still at the "losing things" stage, so a $150 camera is out.
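The capped-camera idea in the parent post, together with the two caveats raised in the replies (a dead sensor that returns a solid colour, and the fixed-pattern component in a dark frame), as an added example that is not code from any poster: a health check that refuses to credit entropy for a degenerate frame, a deliberately conservative credit estimate, and the RNDADDENTROPY ioctl, which is how userland feeds credited entropy into the Linux kernel pool behind /dev/random. The ioctl number, the health threshold and the safety divisor are assumptions stated in the code; the frames built in the __main__ block are constructed, not real sensor output.

```python
# Added example, not code from the thread. Feeds raw frames from a capped
# camera into the Linux kernel entropy pool via the RNDADDENTROPY ioctl,
# after a cheap health check so that a dead sensor returning a solid colour
# (or a frame that is mostly fixed pattern) gets no entropy credit.
# Linux-only; the ioctl needs CAP_SYS_ADMIN. Frames in __main__ are
# constructed test data, not real sensor output.
import fcntl
import os
import struct
from collections import Counter

# _IOW('R', 0x03, int[2]) as encoded on the common Linux ABIs (x86, arm,
# arm64); assumed here rather than read from <linux/random.h>.
RNDADDENTROPY = 0x40085203


def min_entropy_bits_per_byte(frame: bytes) -> int:
    """Floor of -log2(p_max) over the byte histogram: 0 for a solid colour,
    8 for a flat histogram. Integer arithmetic, so no float surprises."""
    if not frame:
        return 0
    p_max = max(Counter(frame).values())
    bits = 0
    while bits < 8 and (p_max << (bits + 1)) <= len(frame):
        bits += 1
    return bits


def frame_is_healthy(frame: bytes, min_bits: int = 2) -> bool:
    """Reject frames with too little variety (dead sensor, saturated sensor,
    cable pulled). The threshold is an example value, not a calibrated one."""
    return len(frame) >= 64 and min_entropy_bits_per_byte(frame) >= min_bits


def credit_bits(frame: bytes, safety_divisor: int = 4) -> int:
    """Entropy to credit the pool for this frame. The histogram estimate is
    divided by safety_divisor (an assumed margin) because neighbouring pixels
    are correlated and the fixed-pattern component repeats every frame; a real
    deployment would run an SP 800-90B style estimator over many frames."""
    if not frame_is_healthy(frame):
        return 0
    return len(frame) * min_entropy_bits_per_byte(frame) // safety_divisor


def pack_rand_pool_info(frame: bytes, bits: int) -> bytes:
    """struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }
    entropy_count is in bits, buf_size in bytes, buf padded to 32-bit words."""
    padded = frame + b"\x00" * (-len(frame) % 4)
    return struct.pack("ii", bits, len(padded)) + padded


def add_to_kernel_pool(fd: int, frame: bytes) -> int:
    """Mix the frame into the pool and credit it. Returns the bits credited;
    0 means the frame failed the health check and nothing was sent."""
    bits = credit_bits(frame)
    if bits == 0:
        return 0
    # bytearray so fcntl passes the buffer through without its 1024-byte
    # limit for immutable arguments.
    fcntl.ioctl(fd, RNDADDENTROPY, bytearray(pack_rand_pool_info(frame, bits)))
    return bits


if __name__ == "__main__":
    dead = bytes([0x80]) * 4096   # constructed: sensor stuck on one colour
    # constructed stand-in for dark-frame noise (a scrambled counter, not
    # real sensor data)
    noisy = bytes(((i * 2654435761) >> 13) & 0xFF for i in range(4096))
    print("dead frame credit:", credit_bits(dead))
    print("noisy frame credit:", credit_bits(noisy))
    fd = os.open("/dev/random", os.O_RDWR)
    try:
        print("credited", add_to_kernel_pool(fd, noisy), "bits")
    finally:
        os.close(fd)
```

Writing to /dev/random without the ioctl only mixes data in; it is the ioctl that adds credit, which is why the health check sits in front of it rather than in front of a plain write.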
  44. Re:Yes, actually. The cat does "got my tongue." by brouski · · Score: 1

    But then you name your toon "Wi" and it all goes to hell...

    --
    Proud member of the American Non Sequitur Society. We might not make much sense, but boy do we love pizza!
  45. Re:the number of affected users enbiggens the prob by ppc_digger · · Score: 1

    Still, 2000 has more (desktop) users than Linux. By your logic, if there were a similar problem in Linux, it would be less of a problem? I'm pretty sure cryptography matters much more for a server. Think about it. A desktop with broken cryptography would compromise a single user's information. A server with broken cryptography could put thousands of user files at risk of being exposed. As Linux has a larger share in the server market, it would be a much larger problem if a similar issue existed in Linux.
    --
    Of all major operating systems, UNIX is the only one originally meant for gaming.
  46. STFU. It helped my company and its customers. by Schraegstrichpunkt · · Score: 1

    The only benefit that could possibly be derived by publishing algorithms and/or code for Windows security would be if (a) changes proposed would be implemented quickly and (b) everyone planet-wide upgraded.

    No. I am going to implement some fairly important software next week that would have strongly relied on CryptRandGen. It will run on Windows 2000, among other things.

    Because of this paper, we know the extent of the vulnerability ("trust us, it's broken, but we won't say how" isn't enough to figure out how much time to budget for fixing it), and my software will rely only weakly on CryptRandGen, or possibly not at all.

  47. Pass the FUD, please... by GogglesPisano · · Score: 1
    From the article:

    The implication of these findings is that a buffer overflow attack or a similar attack can be used to learn a single state of the generator
    So, in order to exploit this, you first need to pwn the system in order to get the state of the random number generator...

    What's the point? Seems like once the system is running your malicious code, the job's already done. Why wouldn't an attacker just stop there and install their keylogger/rootkit of choice?
  48. Might not extend past W2K by thebdj · · Score: 2, Insightful

    I am willing to bet two things:
    1) This does not affect current versions of Windows.
    2) This only affects exported versions of Windows. (The PRNG may still be there but may not be default.)

    The RC4 implementation screams of a bit-size issue. It also stands to reason since they are in a non-US country. Furthermore, I doubt this affects current versions based on the information available. If you want, go through the CMVP RNG validation list and find the Microsoft certificates. All of the RNGs that are approved do not use RC4.

    I believe there is a lot of hot air and presumption in the paper. They published findings and ASSUMED that nothing has been changed in relation to the PRNG. The algorithm certificates mentioned above clearly show this is not the case. Furthermore, they do not state which cryptographic provider is used to perform the generation. I believe this PRNG might be from DSS_BASE, which has since been deprecated. This would mean the problem does not exist. They also ask for Microsoft's code, yet I see none of their own. Without their code, how can their paper be reasonably verified?

    I say show me some more, before you cry that this is the way all PRNGs since W2K have been implemented.

    --
    "Some days you just can't get rid of a bomb."
    1. Re:Might not extend past W2K by Anonymous Coward · · Score: 0

      "non-US country"
      Gotta love those US countries

  49. We all know about assumptions by ISwearNotmyPorn · · Score: 0

    Although they only checked Windows 2000, they assume that XP and Vista use similar random number generators and may also be vulnerable
    They assumed wrong.
  50. Re:loophole in corepirate nazi hypenosys by Anonymous Coward · · Score: 0

    Have a random number!
    23

  51. Not so severe by SiliconEntity · · Score: 4, Informative

    IMO the attack is not so severe as they make it sound. While this is a nice piece of reverse engineering and cryptanalysis, in practice the security implications are small.

    The bottom line is that every process has its own copy of the RNG state. That means that breaking into one process will not help you deduce the random numbers being used by another. (The authors comment that there may be similarities between the two states, but they don't have any way to turn that into a practical attack.) So the only thing this does is it lets an attacker who compromises a certain process or program, such as IE, be able to learn the random number state. From that he can deduce old random numbers that were used, as well as deduce new random numbers that will be created in the future.

    That second part is hard to avoid, but the first part, running the state backward (confusingly called forward security by cryptographers), is a sign of bad design of the RNG. Okay, Microsoft messed that up. But what are the security implications?

    The implication is that if someone breaks into your computer, here is something more he can do. Not only can he take over going forward, he can learn a certain amount of data about the past. If you had an SSL protected session in the past, then he could go back and figure out what the keys were back then and decrypt the data.

    But how bad is this, really? Compared to the harm he can already do by breaking into your computer? Given that he's there, he can learn all of your future SSL keys anyway. Anywhere you go in the future, your bank, paypal, ebay, any site he can learn all of your passwords and account numbers. He doesn't need to compromise the RNG for this, he can just watch your keystrokes. Basically, you are totally screwed if this happens.

    Given the enormous magnitude of the security lost, the additional harm from being able to decrypt a few old requests is quite small. You are basically owned from then on. If you have insecure software that is vulnerable to such attacks, you're screwed anyway. A weakness in the RNG state means you are slightly more screwed, that's all. It's not a major change in the security equation.

    The bottom line is that most of the damage comes from the break-in. Again, not to take anything away from these guys' work, but the attack they describe is at worst just the icing on a very nasty cake. Microsoft should fix it, and it sounds like they probably have in Vista, but nobody needs to change their security practices because of this flaw.
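The distinction drawn in the post above between running the state backward (what the paper calls forward security) and predicting future outputs, as an added example that is neither the paper's code nor the Windows generator: a toy linear congruential generator whose state update is invertible, so the current state yields every earlier output, beside a hash-ratchet generator whose update is one-way. Both give up future outputs once the state is known, which is the part the post says is hard to avoid; only the invertible one gives up the past. The LCG constants and the domain-separation strings are arbitrary example values.

```python
# Added example, not the paper's code or Microsoft's generator. Two toy
# generators: an LCG with an invertible state update, and a SHA-256 ratchet
# with a one-way update. Constants and labels are arbitrary example values.
import hashlib

MASK64 = (1 << 64) - 1
A, C = 6364136223846793005, 1442695040888963407   # example LCG constants


def lcg_step(state: int) -> int:
    """Invertible state update: next = A*state + C mod 2^64."""
    return (A * state + C) & MASK64


def lcg_unstep(state: int) -> int:
    """A is odd, so it has an inverse mod 2^64 and anyone holding the current
    state walks it backwards for free. This is the property (not the
    algorithm) behind the paper's state-inversion attack."""
    a_inv = pow(A, -1, 1 << 64)
    return ((state - C) * a_inv) & MASK64


def lcg_output(state: int) -> bytes:
    """This step's output: the top 32 bits of the state."""
    return (state >> 32).to_bytes(4, "big")


def ratchet_step(state: bytes) -> bytes:
    """One-way state update: next = SHA-256(state || 'ratchet')."""
    return hashlib.sha256(state + b"ratchet").digest()


def ratchet_output(state: bytes) -> bytes:
    """This step's output, domain-separated from the update."""
    return hashlib.sha256(state + b"out").digest()[:4]


def run(step, output, state, n):
    """Generate n outputs; returns (outputs, final_state)."""
    outs = []
    for _ in range(n):
        outs.append(output(state))
        state = step(state)
    return outs, state


def recover_past_lcg(final_state: int, n: int) -> list:
    """Attacker with the current LCG state reconstructs the last n outputs."""
    outs = []
    s = final_state
    for _ in range(n):
        s = lcg_unstep(s)
        outs.append(lcg_output(s))
    return list(reversed(outs))


def predict_future(step, output, state, n):
    """For either generator the current state gives every future output;
    the ratchet only protects what came before the compromise."""
    return run(step, output, state, n)[0]


if __name__ == "__main__":
    outs, final = run(lcg_step, lcg_output, 0x1234, 4)
    print("LCG outputs:            ", [o.hex() for o in outs])
    print("recovered from state:   ", [o.hex() for o in recover_past_lcg(final, 4)])
    routs, rfinal = run(ratchet_step, ratchet_output, b"constructed seed", 4)
    print("ratchet outputs:        ", [o.hex() for o in routs])
    print("ratchet next two (known):", [o.hex() for o in predict_future(ratchet_step, ratchet_output, rfinal, 2)])
    # No function here recovers routs from rfinal: that would need a SHA-256 preimage.
```

Real generators use more than a hash ratchet (reseeding from fresh entropy is what limits the damage of a state compromise going forward), but the ratchet alone is enough to show why an invertible update is a design flaw rather than a tuning issue.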

    1. Re:Not so severe by Tom · · Score: 1

      The implication is that if someone breaks into your computer, here is something more he can do. Not only can he take over going forward, he can learn a certain amount of data about the past. If you had an SSL protected session in the past, then he could go back and figure out what the keys were back then and decrypt the data.

      But how bad is this, really? It's horrible, that's how bad.

      It means anyone with some resources (government, MAFIA, MPAA, etc.) that has you on their black list can simply store your communications for a long time, then break into your machine at a convenient time to get the keys. It breaks the basic assumptions of many security tools and methods, namely that once the key has been destroyed, it can't be recovered.
      --
      Assorted stuff I do sometimes: Lemuria.org
    2. Re:Not so severe by Anonymous Coward · · Score: 1, Informative

      No, the state is only good for the lifetime of a running process. So this attack would only allow you to predict past and future keys, if you have a running process that was alive during the period of time that the key was generated. If you generated a key last week, and then powered off your machine, the state would be lost and the attacker would have no visibility into the state when the key was generated.

    3. Re:Not so severe by StormReaver · · Score: 1

      Allow me to translate:

      "Don't worry about this because if you're running Windows, you're already screwed."

    4. Re:Not so severe by Tom · · Score: 2, Funny

      Ok, in that case I misread. Then it's not much of a danger, few Windows machines stay up for more than a day or so.

      --
      Assorted stuff I do sometimes: Lemuria.org
    5. Re:Not so severe by tasp · · Score: 1

      The nice thing about security problems is that they tend to grow bigger than they seem and not smaller. Reading the paper from Zvi Gutterman, you can note a few things.
      1) The single-process nature actually makes the problem worse, as the seed does not get updated. Since IE is what most people use most of the time, the problem is still quite bad.
      2) Since the problem is in user mode, you don't need root access on the machine to take advantage of it.
      3) While the article didn't find remote abuses (it is an academic paper after all), it can be quite easy to imagine side effects of the WRNG that can be discovered in combination with other simple exploits which do not mean the hacker already has full control. Imagine for example that the PRNG state can be deduced by calling rand() in JavaScript or Flash: not simple, but certainly feasible.
      Since this is a fundamental mathematical implementation problem in an infrastructure, it can be very hard to predict the implications until Microsoft gives more info on scope.

  52. First paragraph quoted from previous message (n/t) by Schraegstrichpunkt · · Score: 1

    No text.

  53. NSA access? by Futurepower(R) · · Score: 2, Informative

    Loophole in Windows RNG.

    Is that the NSA secret surveillance access?

    --
    U.S. Government corruption TimeLines
    Example: Complete 911 Timeline, 3895 events

  54. Netscape's SSL had this same bug years ago by MagikSlinger · · Score: 1

    But I doubt anyone remembers that. Two researchers were able to crack the SSL key of Netscape back in the 90s because Netscape was using plain-old rand just using the current system time as the seed.

    --
    The bitter lessons of a veteran coder: http://bitterprogrammer.blogspot.com
  55. I can't believe this is an issue... by gillbates · · Score: 2, Informative

    One of the fundamental tenets of good cryptography is that if you can't see the algorithm, then it is not secure. That means all of the algorithm, including the RNG, if you use one. If you can't cryptanalyze it, you can't make any judgements about security. The fact that the Windows RNG is closed source and proprietary automatically excludes it from use in cryptographic functionality, and I'm quite surprised to discover that it is actually being used this way. (Actually, I'm not surprised; I'm surprised that some people consider it secure.)

    And after the various faults with RNGs in the past on UNIX and Mainframes, I'm surprised that anyone is so naive as to believe that Windows had a good one. Microsoft's past history is so poor that only the most naive of programmers would assume that their RNG could be used for security purposes. It might be fine for simulations and gaming purposes, but that's it.

    Considering that any cryptographer worth a Google search would know that almost all PRNG's have been broken, I'm wondering why anyone is making an issue of this; I thought all cryptographers just assumed that the host OS RNG is insecure by default. Or could it be that we have a lot more naive Windows developers than previously thought?

    --
    The society for a thought-free internet welcomes you.
    1. Re:I can't believe this is an issue... by Anonymous Coward · · Score: 1, Insightful

      One should note that the first step in this loophole is hijacking the process or obtaining administrative privileges over the client machine. If the attacker has hijacked the client process, it doesn't matter if they know the future encryption keys, as the client process. They might as well say "if you can use mind control to force another human being to sign over all their property and to tell you all their secrets, you could steal their identity...". Clearly, buffer overflows and other mechanisms through which processes are hijacked are more significant dangers than obtaining process specific state after a successful hijack of a process with administrative privileges.

      Traditionally, cryptographers and cryptanalysts place the attacker in the role of a messenger or delivery boy. Here, they assume (as step 1) that the attacker can use another exploit to insert themselves into the client code. It is a well known problem that one cannot hide secrets from oneself. Just look at the XBOX, Skype, etc. to see the miserable failures of companies who made every possible effort to convince users that they did not know their encryption keys in some way.

      This paper has no credibility based on the fact that the exploit exists in every possible encryption mechanism available. If a virus, trojan, or other user can insert itself into your client code at any point during communications, it can continue communication, request new encryption keys, use the random number generator, munge files, and generally do bad things because it is running directly in the client process. By this logic, everything is broken -- let me demonstrate:

      NEW CROSS SITE SCRIPTING ATTACK IN :
      step 1: gain control over the server through a buffer overflow or some other method
      step 2: insert a cross-site scripting attack
      step 3: profit!

      NEW SSL VULNERABILITY:
      step 1: gain control of the client process after the user input credentials
      step 2: connect using SSL / use existing SSL connection
      step 3: profit!

      I wonder if this was actually published in a peer-reviewed journal. If it was, it makes me very sad to see the state of published research today.

  56. outsiders by Tom · · Score: 1

    to enable computer security experts outside Microsoft to evaluate their effectiveness.

    Pah. Do they really think MS has to listen to the #1 rule of cryptography? ("Never trust anything you invented yourself until peer-review is done with it.", or any of the many permutations.)
    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:outsiders by Whatsisname · · Score: 1

      I thought the #1 rule of cryptology was "only the key should be secret"

    2. Re:outsiders by Tom · · Score: 1

      Only if you limit cryptography to encryption. Crypto does more than that. Just think about hashes, for example.

      --
      Assorted stuff I do sometimes: Lemuria.org
  57. Right.. by Anonymous Coward · · Score: 0

    "Although they only checked Windows 2000, they assume that XP and Vista use similar random number generators and may also be vulnerable"

    This is a stupid article and headline.

  58. The Discworld solution is so much better by oh2 · · Score: 1

    Technomancy is much more reliable, just train an imp to flip a coin and how to convert from binary to decimal. Of course you'll have to feed the imp from time to time...

    --

    Now the world has gone to bed, Darkness won't engulf my head, I can see by infra-red, How I hate the night.

  59. How long has it taken? by ThirdPrize · · Score: 1

    So they have just cracked it on Windows 2000. What's that, seven years? At this rate they will have cracked XP just after the successor to Vista has come out. I can only assume they have been doing it with some sort of brute force strategy.

    --
    I have excellent Karma and I am not afraid to Troll it.
  60. Firefox and OpenSSL by nyargh · · Score: 1

    Looks like Firefox on Windows is ok for SSL, as they use their own RNG on Windows in NSS instead of just wrapping the Win32 API.

    1. Re:Firefox and OpenSSL by nyargh · · Score: 1

      Whoops! The above comment still applies, but FF doesn't use OpenSSL, instead they use their own SSL implementation.

      Sorry FF devs!

  61. money can solve a lot of problems by someone1234 · · Score: 1

    Apparently this is one of those problems.

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
  62. Wrong, it's... by Anonymous Coward · · Score: 0

    4, 8, 15, 16, 23, 42!

    1. Re:Wrong, it's... by Mister+Whirly · · Score: 1

      I'm totally LOST on that one...

      --
      "But this one goes to 11!"
  63. Tin foil hat: "Reflections on Trusting Trust" by mlwmohawk · · Score: 2, Insightful

    I'm sorry, all this RNG stuff just reminds me of NSA key, and all the backdoor crap that Windows has suffered. I am reminded by the paper "Reflections on Trusting Trust."

    I honestly have 100% no doubts that "Microsoft" is purposely installing multitudes of access methodologies in the form of bugs with "plausible deniability" for U.S. security officials. The telcos do it, they've been caught and are now asking for immunity. Now whether or not it is actually "Microsoft," or people working within the company secretly for the various security agencies purposely inserting these nearly impossible to find bugs, is a different question.

    Call me paranoid, but if I told you there was a secret room through which all internet traffic gets directed in all the major internet NOCs, you'd call that paranoid as well.

    1. Re:Tin foil hat: "Reflections on Trusting Trust" by secPM_MS · · Score: 2, Insightful
      Everything I have heard in the security community within Microsoft says that there are no backdoors. Since my observation is not evidence to the paranoid, consider the following:

      The Common Criteria evaluators have essentially full access to the Windows source code and all supporting documentation. They look for issues that would enable backdoors or security vulnerabilities. Once in a while, they find something interesting. Microsoft then fixes it as a security bug.

      Windows platforms are used by numerous nations for secret information that they want to keep secret from the US. They wouldn't be using the platforms without some reasonable level of assurance concerning the code base.

      If there were convenient backdoors in Windows, governments wouldn't need to conduct bag jobs to insert hardware loggers or use malware to capture suspect's actions.

      My conclusion is that there are vulnerabilities in the Windows codebase, as shown by the MSRC process, but these are not intentional and they are fixed as they are discovered.

    2. Re:Tin foil hat: "Reflections on Trusting Trust" by mlwmohawk · · Score: 2, Insightful

      Everything I have heard in the security community within Microsoft says that there are no backdoors.

      I have never heard anything other than, "It could be, if you knew...."

      The Common Criteria evaluators have essentially full access to the Windows source code and all supporting documentation. They look for issues that would enable backdoors or security vulnerabilities. Once and a while, they find something interesting. Microsoft then fixes it as a security bug.

      Funny how people who are not "Common Criteria evaluators" find a lot more stuff.

      Windows platforms are used by numerous nations for secret information that they want to keep secret from the US. They wouldn't be using the platforms without some reasonable level of assurance concerning the code base.

      And many of these nations are SERIOUSLY reconsidering their Windows use.

      If there were convenient backdoors in Windows, governments wouldn't need to conduct bag jobs to insert hardware loggers or use malware to capture suspect's actions.

      Assuming that third party utilities do screw up the intentional holes, and that some people use other platforms, like Linux or BSD.

      My conclusion is that there are vulnerabilities in the Windows codebase, as shown by the MSRC process, but these are not intentional and they are fixed as they are discovered.

      Believe what you will, but I disagree. Maybe I am paranoid, but when your suspicions get confirmed, is it paranoia or good common sense?

    3. Re:Tin foil hat: "Reflections on Trusting Trust" by Anonymous Coward · · Score: 0

      Call me paranoid...
      Or more accurately, "ignorant". Not meant as a troll, but you have to admit that pure speculation is and realizing it as such is pretty much willful ignorance. You must be American (okay that last part was a troll :)

  64. Re:the number of affected users enbiggens the prob by eggnet · · Score: 1

    We aren't talking about one user, we are talking about, at least, all w2k users.

  65. O(2^23)=O(1) by omnirealm · · Score: 2, Informative

    The paper makes reference to a O(2^23) time to compute the previous state, given any current state. Maybe I am being a bit pedantic, but any undergraduate CS major familiar with big-O notation could tell you that O(2^23)=O(1); authors should just drop O() when they want to communicate the static (input-independent) run time of an algorithm.

    --
    An unjust law is no law at all. - St. Augustine
  66. Mhz by oglueck · · Score: 1

    about 19 seconds on a 2.80MHz Pentium IV
    You would think scientists know how to distinguish MHz from GHz :-)

  67. Re:So... by Tim+C · · Score: 2, Insightful

    A newly registered guy, even if they're named secPM_MS, doesn't buy much.
    Why does it matter how long he's had an account here? I've been here for years and have the UID to prove it (well, if you believe I registered this account rather than buying it), but what does that say about how much I know about any given topic?
  68. homemade RNG by morcheeba · · Score: 1

    I was using a vendor's demo code for some low-level fiberchannel control. Their application would fill a buffer with random data, loop it back over the interface, and compare it. It seemed to work for large transfers, but it would report that the first 3 bytes were corrupted. Digging deeper into the code, I found they were reusing some buffers... not great, but if their random numbers were good, there would be no chance that the previous buffer equals the new buffer... then I checked out their random number generator: 92, 17, 204, 3, 3, 3, 3, 3, 3, 3, 3, 3 ...

  69. Why should MS crypto programmers be aware? by EmbeddedJanitor · · Score: 2, Insightful
    I don't share your optimism. I have dealt closely with MS on three very different areas of computing (certain low-level kernel stuff and some client server stuff). In all cases I was shocked at how poorly the people understood their subject matter.

    Now I don't know what the crypto folk are like, but I have yet to see any real evidence to suggest that they'd be any better.

    --
    Engineering is the art of compromise.
  70. Designed to fail by Anonymous Coward · · Score: 0

    You assume that the RNG wasn't designed to fail to begin with. US government has had private companies do these things before, many many times. Google for Crypto AG for one example.

  71. Stop laughing, it happened with Linux too by rjforster · · Score: 1

    Oh yes it did.
    Recent kernels patched a flaw where you couldn't explicitly seed /dev/urandom on a system with no entropy sources. Or at least, you could seed it however you liked and it made no difference to the output.
    One description is here: http://lwn.net/Articles/239835/
    What this meant for little embedded linux systems (eg routers) which are used for any crypto (eg VPNs) I'll leave as a thought exercise for the reader.

    But, with the linux case the problem was reported, discussed and patched in about a week.

  72. Re:the number of affected users enbiggens the prob by Celarnor · · Score: 2, Funny

    I don't think those two numbers are that far from each other.

  73. What's The Problem? by Bob9113 · · Score: 1

    Look - MS has slightly different standards than the industry in lots of areas. The fact that MS mail handling, HTML generation and interpretation, and other things are not entirely compatible with the accepted (or official) standards is nothing new.

    So, in this case, they're just using the MS standard for PRNG. The industry sees it as a pseudo random number generator. For MS, it's a predictable random number generator. Just because the rest of the industry hasn't caught up with Microsoft yet is no reason to assume MS is wrong. You Linux zealots just always assume your way is right.

  74. Scientific American - July 1985 by paranerd · · Score: 2, Interesting
    I haven't replied to a Slashdot article in years but I had to reply to this one. On the wall of my den is a cover of the July 1985 Scientific American because in it is a piece of code I wrote that graphically demonstrated how bad the MS random number generator was then. It was a big moment for me :-)

    10 SCREEN 2          ' 640x200 monochrome graphics mode
    20 X = RND * 640     ' random X coordinate in [0, 640)
    30 Y = RND * 200     ' random Y coordinate in [0, 200)
    40 PSET (X,Y)        ' plot one point; patterns show up if RND is bad
    50 GO TO 20          ' loop forever (break with Ctrl-Break)
    The results were unbelievable. What was even harder to believe was we couldn't get MS to do a thing about it then. It's nice to know some things never change.
    1. Re:Scientific American - July 1985 by Anonymous Coward · · Score: 0

      Funny that some (many) people insist on comparing the latest Linux distro with some old MS OS version.

      What was the linux distro back in 1985? ooops it didn't even exist!

  75. Damn, out of time by Anonymous Coward · · Score: 0

    This could be a big issue if it definitely exists in XP and/or Vista. But oh dear... somehow these guys had time to uncover such a complex technical issue but not QUITE enough time to check if it applied to the current products.

    Or rather -- they know damn well, but by better leaving in that element of doubt allows them to milk a little publicity. It sounds like they might have hit something interesting.

    In fact this is an allegation of a design issue, seemingly without proof-of-concept. It affects a 7-year old product, which is 2x superseded and has been unsupported (without enterprise contract) for 2 years.

    Their biggest achievement is convincing anybody this is newsworthy.

  76. offtopic in a way by rice_burners_suck · · Score: 0

    Yeah yeah, this is a bit offtopic, but since this is Microsoft we're talking about, I just wanted, for the record, to say that Google is a WAY better company than Microsoft. Hopefully, a chair won't come flying out at me from my computer screen for saying that. :-)

  77. Re:Wow... they ASSume? by aichpvee · · Score: 1

    Given how many undiscovered vulnerabilities in previous versions of windows have shown up in every release up till whatever was current at the time, it seems like the big ASSumption is on your part. For the record your post doesn't make you sound cynical, it makes you sound stupid.

    --
    The Farewell Tour II
  78. Re:So... by Henry+Pate · · Score: 1

    Are you saying this isn't how it works? This comic clearly states otherwise.
    Slashdot comic

    /. UID gets tossed around like a geek IQ, though unfair, I see people use it as a metric all the time.

    --
    Si Hoc Legere Scis Nimium Eruditionis Habes
  79. Re:Wow... they ASSume? by Anonymous Coward · · Score: 0

    Given how many undiscovered vulnerabilities in previous versions of windows have shown up in every release up till whatever was current at the time,


    How are they supposed to be fixed... if they are undiscovered?

    Oh wait... maybe we should check the record and see all the tons of flaws and exploits which show up in OS X and Teh Lunix? Because they have MORE than enough security problems to make anyone except the most unwashed of the ignorant and uninformed masses know that OSX and Teh Lunix's security model is based 100% upon obscurity. Not even taking security into account, they aren't even programmed well. Why else do they have to come out with new versions every six months?

    For the record, your post makes you sound not only stupid, but fatally uninformed.
  80. Re:ob Dilbert reference by Anonymous Coward · · Score: 0
  81. Re:Firefox by nyargh · · Score: 1

    OK, so no one is reading these but I misspoke - NSS does use the windows random number generator aka "SystemFunction036" to seed the NSS RNG, but only in combination with a lot of other noise sources. So... less bad?

  82. Forward versus Backward Secrecy/Security by ricksmith · · Score: 1
    The term "perfect forward secrecy" has been used for about a decade in the Internet security protocol community to talk about key management protocols in which the current state of a crypto secret can't be used to uncover future secrets.

    This paper uses the term "backward security" to mean something similar but subtly different about future secrets. The paper's matching term "forward security" talks about keeping older secrets secure.

    The paper claims that this terminology is "common." I guess it depends on what community you're in.