Slashdot Mirror


Loophole in Windows Random Number Generator

Invisible Pink Unicorn writes "A security loophole in the pseudo-random number generator used by Windows was recently detailed in a paper presented by researchers at the University of Haifa. The team found a way to decipher how the number generator works, and thus compute previous and future encryption keys used by the computer, and eavesdrop on private communication. Their conclusion is that Microsoft needs to improve the way it encodes information. They recommend that Microsoft publish the code of their random number generators as well as of other elements of the Windows security system to enable computer security experts outside Microsoft to evaluate their effectiveness. Although they only checked Windows 2000, they assume that XP and Vista use similar random number generators and may also be vulnerable. The full text of the paper is available in PDF format."
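The submission describes computing previous and future keys once the generator's internal state is known. As an added illustration (my code, not the paper's analysis or the Windows generator), a toy generator with an invertible state update shows why a leaked state exposes past outputs, and a hash-based one shows how a one-way update plus reseeding limits the damage in both directions. The constants, labels and seeds are constructed for the example.

```python
import hashlib
import os

M = 1 << 64
A = 6364136223846793005          # odd multiplier, so the step is a bijection mod 2**64
C = 1442695040888963407
A_INV = pow(A, -1, M)            # modular inverse: lets the step run backwards

def lcg_outputs(seed, n):
    """Toy generator whose output is its whole state (constructed for illustration)."""
    outs, s = [], seed
    for _ in range(n):
        s = (A * s + C) % M
        outs.append(s)
    return outs

def lcg_backtrack(leaked_state, n):
    """From one leaked state, recover the n outputs that came before it.
    An invertible update gives no backtracking resistance at all."""
    prev, s = [], leaked_state
    for _ in range(n):
        s = ((s - C) * A_INV) % M
        prev.append(s)
    return prev[::-1]

class HashPrng:
    """State advances by a one-way hash: a captured state still predicts the
    future until reseeded, but cannot be run backwards to earlier outputs."""
    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"seed" + seed).digest()

    def next_bytes(self):
        out = hashlib.sha256(b"out" + self.state).digest()
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return out

    def reseed(self, fresh_entropy: bytes):
        # Fresh entropy is what cuts off forward prediction from a captured state.
        self.state = hashlib.sha256(b"reseed" + self.state + fresh_entropy).digest()

def state_capture_demo():
    """Returns (predicts_before_reseed, predicts_after_reseed)."""
    victim = HashPrng(b"constructed seed")
    victim.next_bytes()
    snapshot = HashPrng(b"")
    snapshot.state = victim.state              # state captured at this instant
    before = snapshot.next_bytes() == victim.next_bytes()
    victim.reseed(os.urandom(32))
    after = snapshot.next_bytes() == victim.next_bytes()
    return before, after
```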

13 of 305 comments

  1. Hardware RNG by CRCulver · · Score: 3, Interesting

    I assume this is only a problem for those whose motherboard doesn't have a hardware random-number generator?

    1. Re:Hardware RNG by Tim+Browse · · Score: 3, Interesting

      Unfortunately, some people might believe that's really how it happens. Cryptographically secure RNGs are a widely known issue in the field (hell, even I know about it, and I'm not in the field), and you can be sure that the Crypto programmers at MS are at least aware of the issue. It wouldn't surprise me, at any rate, if implementing a new RNG had been considered a priority for XP or Vista if they had discovered the existing one to be vulnerable.

      If they had time in between cocking up all the WGA stuff, that is.

    2. Re:Hardware RNG by Bert64 · · Score: 2, Interesting

      A new RNG is not really a selling point, the only way it will help their bottom line is if enough people know about flaws in the old one that it's profitable to replace it.
      Look at it from a business perspective, microsoft will.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

    3. Re:Hardware RNG by ppc_digger · · Score: 2, Interesting

      Actually, Windows NT uses UNIX timestamps internally. I haven't read any formal documentation regarding this, but if you look in the registry, at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate you'll see a dword containing a standard UNIX timestamp.

      --
      Of all major operating systems, UNIX is the only one originally meant for gaming.

  2. Seed time by EaglemanBSA · · Score: 2, Interesting

    How accurate would they have to be with predicting the generator seed times for the keys to work? Would that be a hitch? I'm not an expert in the field, so I honestly don't know.

    --
    Quiz: True or False -- On a scale of 1 to 10, what is your middle name?

  3. Where's the white noise generator? by tjstork · · Score: 4, Interesting

    I am still at a loss to wonder why a PC does not have a white noise generator built into it yet. Even the best random number algorithms are pseudo random, so blasting Microsoft for their algorithm is a little like blasting the kid for not carrying enough of a bucket when the dam is the thing that broke.

    Put white noise hardware and real random number hardware on PCs, and this whole problem goes away.

    --
    This is my sig.

  4. Similar but different? by QuietLagoon · · Score: 3, Interesting

    I wonder if this is a similar problem?

  5. Re:Fixed in Vista? by CastrTroy · · Score: 3, Interesting

    Just because they have a new API for getting the random numbers, it doesn't mean that they are using different algorithms for generating those random numbers. Also, they must still have the old APIs in there, otherwise a lot of programs would fail to work. Since most of the software out there was written pre-Vista, and written to run on Vista, XP, and 2000, it's conceivable that applications on these operating systems are using the vulnerable code.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.

  6. Hardware RNG by SamMichaels · · Score: 4, Interesting

    You'd think that computers would have built-in hardware based RNGs by now. On-board sound, video, network, etc. ... where is the radioactive decay RNG? After all, in 1985 plutonium should be available in every corner drugstore.

  7. USB Hardware RND by CustomDesigned · · Score: 4, Interesting

    Buy one of those $25 toy digital cameras. Keep the lens cap on, or put black tape over the lens. Connect to USB port. Add script to snap a "picture" every few minutes to prng. (Is there a way for userland to feed entropy to kernel based /dev/random?) With no light, digital cameras return thermal noise - which looks like "snow" on an analog TV. I've done this with a toy camera I bought for my daughter. The camera feeds raw pixels to the Linux driver, and the post processing done by the Windows software was never implemented in Linux, making it useless as a camera (plus it has 256M RAM, but no flash memory). But it works great for this application. I haven't done a mathematical analysis of exactly how much entropy is in the signal. I'll leave that for the stat geeks.

    I got the idea from a project that used a webcam snapping pictures of a Lava Lamp® as a hardware RNG.

    1. Re:USB Hardware RND by Niggle · · Score: 2, Interesting

      Back when I was doing astronomy, a completely "black" picture didn't show purely random noise. You also get a faint fixed pattern. IIRC, that was mostly determined by tiny variations in the size of the detector pixels.

      That was a decade ago though. Modern chips might be a lot more uniform. Also, a digital camera on your desktop is unlikely to be liquid nitrogen cooled, so the thermal noise will be higher anyway.

      --
      - Blah blah blah, missing scientist. Blah blah blah, atomic bomb. -

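CustomDesigned leaves the entropy analysis to the stat geeks, and Niggle points out a fixed pattern hiding under the thermal noise. As an added example (my code, not either commenter's), the simulation below shows why an estimate taken across one frame's pixels overstates the entropy, while a per-pixel estimate across frames counts only what actually changes between exposures, and it hashes frames into an output only once enough has been gathered. The sensor model (constant per-pixel offset plus 3 bits of thermal noise) and the frame size are constructed assumptions.

```python
import hashlib
import math
import random

WIDTH, HEIGHT = 16, 16
sim = random.Random(1)   # constructed, seeded sensor simulation (real code reads the camera)
# Fixed pattern: a constant dark offset per pixel, as in Niggle's comment.
PATTERN = [sim.randrange(256) for _ in range(WIDTH * HEIGHT)]

def capture_dark_frame():
    """One simulated dark frame: fixed offset plus 3 bits of thermal noise per pixel."""
    return [(p + sim.randrange(8)) & 0xFF for p in PATTERN]

def min_entropy_bits(samples):
    """Min-entropy per sample: -log2 of the most frequent value's relative frequency."""
    counts = {}
    for s in samples:
        counts[s] = counts.get(s, 0) + 1
    return -math.log2(max(counts.values()) / len(samples))

def spatial_estimate(frame):
    """Naive: treats pixel-to-pixel variation within a single frame as randomness.
    The fixed pattern never changes between exposures, yet it inflates this number."""
    return min_entropy_bits(frame)

def temporal_estimate(frames):
    """Per-pixel variation across frames, averaged over pixels: only what changes
    from one exposure to the next is counted."""
    n_pixels = len(frames[0])
    return sum(min_entropy_bits([f[i] for f in frames]) for i in range(n_pixels)) / n_pixels

def condition(frames, bits_per_sample):
    """Hash frames down to 256 bits only once the (temporal) estimate says at
    least 256 bits have been gathered; returns None otherwise."""
    if bits_per_sample * len(frames) * len(frames[0]) < 256:
        return None
    h = hashlib.sha256()
    for f in frames:
        h.update(bytes(f))
    return h.digest()
```

On Linux, writing the conditioned bytes to /dev/random mixes them into the pool but does not credit entropy; crediting requires the RNDADDENTROPY ioctl from a privileged process.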
  8. Re:The Vista RNG by secPM_MS · · Score: 4, Interesting

    I didn't, but I know the people who did the enhancements, and they are very competent and well known cryptographers.

  9. Scientific American - July 1985 by paranerd · · Score: 2, Interesting

    I haven't replied to a Slashdot article in years but I had to reply to this one. On the wall of my den is a cover of the July 1985 Scientific American because in it is a piece of code I wrote that graphically demonstrated how bad the MS random number generator was then. It was a big moment for me :-)

    10 SCREEN 2
    20 X = RND * 640
    30 Y = RND * 200
    40 PSET (X,Y)
    50 GO TO 20

    The results were unbelievable. What was even harder to believe was we couldn't get MS to do a thing about it then. It's nice to know some things never change.