Writing Secure Code
On the Generation of Cryptographically Strong Pseudo-Random Sequences
Proceedings of the 8th Colloquium on Automata, Languages and Programming
Practical Cryptography
A model and architecture for pseudo-random generation with applications to /dev/random
Proceedings of the 12th ACM conference on Computer and communications security
Analysis of the Linux Random Number Generator
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
An implementation of the Yarrow PRNG for FreeBSD
BSDC'02 Proceedings of the BSD Conference 2002 on BSD Conference
Software generation of practically strong random numbers
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Cryptography in OpenBSD: an overview
ATEC '99 Proceedings of the annual conference on USENIX Annual Technical Conference
Forward-security in private-key cryptography
CT-RSA'03 Proceedings of the 2003 RSA conference on The cryptographers' track
Hold your sessions: an attack on java session-id generation
CT-RSA'05 Proceedings of the 2005 international conference on Topics in Cryptology
Local Shannon entropy measure with statistical tests for image randomness
Information Sciences: an International Journal
| Hi-index | 0.00 |
The PseudoRandom Number Generator (PRNG) used by the Windows operating system is the most commonly used PRNG. The pseudorandomness of the output of this generator is crucial for the security of almost any application running in Windows. Nevertheless, its exact algorithm was never published. We examined the binary code of a distribution of Windows 2000. This investigation was done without any help from Microsoft. We reconstructed the algorithm used by the pseudorandom number generator (namely, the function CryptGenRandom). We analyzed the security of the algorithm and found a nontrivial attack: Given the internal state of the generator, the previous state can be computed in 223 steps. This attack on forward security demonstrates that the design of the generator is flawed, since it is well known how to prevent such attacks. After our analysis was published, Microsoft acknowledged that Windows XP is vulnerable to the same attack. We also analyzed the way in which the generator is used by the operating system and found that it amplifies the effect of the attack: The generator is run in user mode rather than in kernel mode; therefore, it is easy to access its state even without administrator privileges. The initial values of part of the state of the generator are not set explicitly, but rather are defined by whatever values are present on the stack when the generator is called. Furthermore, each process runs a different copy of the generator, and the state of the generator is refreshed with system-generated entropy only after generating 128KB of output for the process running it. The result of combining this observation with our attack is that learning a single state may reveal 128KB of the past and future output of the generator. The implication of these findings is that a buffer overflow attack or a similar attack can be used to learn a single state of the generator, which can then be used to predict all random values, such as SSL keys, used by a process in all its past and future operations. This attack is more severe and more efficient than known attacks in which an attacker can only learn SSL keys if it is controlling the attacked machine at the time the keys are used.