Loophole in Windows Random Number Generator

Invisible Pink Unicorn writes "A security loophole in the pseudo-random number generator used by Windows was recently detailed in a paper presented by researchers at the University of Haifa. The team found a way to decipher how the number generator works, and thus compute previous and future encryption keys used by the computer, and eavesdrop on private communication. Their conclusion is that Microsoft needs to improve the way it encodes information. They recommend that Microsoft publish the code of their random number generators as well as of other elements of the Windows security system to enable computer security experts outside Microsoft to evaluate their effectiveness. Although they only checked Windows 2000, they assume that XP and Vista use similar random number generators and may also be vulnerable. The full text of the paper is available in PDF format."

Re:Hardware RNG

[$RANDOMLUSER]

Now why would you assume Microsoft would use the hardware RNG when they have thier own, much better, proprietary RNG available?

Fixed in Vista?

[adonoman]

http://msdn.microsoft.com/msdnmag/issues/07/07/Security/default.aspx has the new API, including a RNG

that meets Federal Information Processing Standards (FIPS) for use with the Digital Signature Algorithm (DSA). There's a lot I don't like about Vista, but for security researchers to "assume that XP and Vista use similar random number generators and may also be vulnerable" without a basic google search is a bit much!

the number of affected users enbiggens the problem

[doti]

only tested Windows 2000, and not XP or Vista, both combined are far more used than 2000 Still, 2000 has more (desktop) users than Linux. By your logic, if there were a similar problem in Linux, it would be less of a problem?