
Loophole in Windows Random Number Generator

CmdrTaco posted more than 6 years ago | from the heads-i-win-tails-you-lose dept.

Encryption 305

Invisible Pink Unicorn writes "A security loophole in the pseudo-random number generator used by Windows was recently detailed in a paper presented by researchers at the University of Haifa. The team found a way to decipher how the number generator works, and thus compute previous and future encryption keys used by the computer, and eavesdrop on private communication. Their conclusion is that Microsoft needs to improve the way it encodes information. They recommend that Microsoft publish the code of their random number generators as well as of other elements of the Windows security system to enable computer security experts outside Microsoft to evaluate their effectiveness. Although they only checked Windows 2000, they assume that XP and Vista use similar random number generators and may also be vulnerable. The full text of the paper is available in PDF format."

305 comments

31784 (4, Funny)

FooAtWFU (699187) | more than 6 years ago | (#21324385)

129775, 80123133, 5580012. 6740091, 6558, 42!

Hardware RNG (3, Interesting)

CRCulver (715279) | more than 6 years ago | (#21324403)

I assume this is only a problem for those whose motherboard doesn't have a hardware random-number generator?

Re:Hardware RNG (5, Insightful)

$RANDOMLUSER (804576) | more than 6 years ago | (#21324477)

Now why would you assume Microsoft would use the hardware RNG when they have their own, much better, proprietary RNG available?

Re:Hardware RNG (5, Funny)

defnoz (1128875) | more than 6 years ago | (#21324733)

Now why would you assume Microsoft would use the hardware RNG when they have their own, much better, proprietary RNG available?

After all, they spent so much time perfecting it in Excel 2007!

Re:Hardware RNG (4, Insightful)

thePsychologist (1062886) | more than 6 years ago | (#21324643)

It might only be a problem for 2000 users:

According to the researchers, who have already notified the Microsoft security response team about their discovery, although they only checked "Windows 2000" (which is currently the third most popular operating system in use) they assume that newer versions of "Windows", XP and Vista, use similar random number generators and may also be vulnerable.

Re:Hardware RNG (4, Insightful)

thePsychologist (1062886) | more than 6 years ago | (#21324871)

This is classic behaviour on Slashdot. I point out this might not be as big of a problem as it seems (as they only tested Windows 2000, and not XP or Vista, both combined are far more used than 2000), and I'm modded as troll, only because (I presume) I'm providing evidence that a problem with Microsoft isn't as serious as it seems (i.e. I'm getting in the way of MS bashing).

Re:Hardware RNG (5, Funny)

somersault (912633) | more than 6 years ago | (#21324959)

Yeah because every time Windows is updated, it's a really high priority to write a new random number generator? XP is based off of 2000 even if Vista was meant to be a rewrite.

"Hey guys, I don't think the random number generator is random enough today - it came up with 2 prime numbers in a row! Anyone feel like taking a few days to rewrite it, test it, introduce a few bugs, document it, seal off the documentation to make sure nobody finds it, and go take it up to Steve? I hear he's out of chairs right now so it should be okay".

Re:Hardware RNG (3, Interesting)

Tim Browse (9263) | more than 6 years ago | (#21325267)

Unfortunately, some people might believe that's really how it happens. Cryptographically secure RNGs are a widely known issue in the field (hell, even I know about it, and I'm not in the field), and you can be sure that the Crypto programmers at MS are at least aware of the issue. It wouldn't surprise me, at any rate, if implementing a new RNG had been considered a priority for XP or Vista if they had discovered the existing one to be vulnerable.

If they had time in between cocking up all the WGA stuff, that is.

the number of affected users enbiggens the problem (5, Insightful)

doti (966971) | more than 6 years ago | (#21325043)

only tested Windows 2000, and not XP or Vista, both combined are far more used than 2000

Still, 2000 has more (desktop) users than Linux. By your logic, if there were a similar problem in Linux, it would be less of a problem?

Re:Hardware RNG (4, Insightful)

Belial6 (794905) | more than 6 years ago | (#21325455)

You actually didn't provide any evidence that the problem doesn't affect XP or Vista, you just suggested that the two newer versions should be trusted immediately after finding out that 2000 has a bug in an unlikely-to-be-updated part of the system. The non-troll way of highlighting this information would be:

That is a problem. I am eagerly awaiting the tests of XP and Vista to see if this was fixed for them.


You could probably even slip a little bias in there without being called a troll with:

They are going to test with XP and Vista aren't they? After all, it should be trivial to test this on the newer systems if the cryptography hasn't been changed. I mean what kind of security researcher just assumes the functionality of a security system?


Of course, it would be a little silly to assume that this does not affect at least XP, as 2000 was still under maintenance when XP was released, so if the bug was found during the development of XP, it should have been fixed in 2000. It would look far worse for Microsoft if they KNEW about a security hole in 2000 while it was still under maintenance, and did not bother to back port the fix from XP.

Why bother! (1)

Arivia (783328) | more than 6 years ago | (#21325027)

Why bother checking the other versions: after all, anything that matters is on Windows 2000 already!

Re:Hardware RNG (2, Funny)

operagost (62405) | more than 6 years ago | (#21325307)

I recently discovered that Windows is not Y2K compliant! Although I only checked Windows 3.1, I assume that newer versions of Windows, 2000, XP, and Vista, use similar 2-digit dates and may also be vulnerable.

Re:Hardware RNG (1)

dlenmn (145080) | more than 6 years ago | (#21324857)

I recall that the Pentium III has a hardware random number generator built in (http://www.techweb.com/wire/story/TWB19990120S0017 [techweb.com]), but I wasn't aware that motherboards have them (in the chipset? Where would they be?). Do newer CPUs have them as well, or did they give up on them (along with the serial numbers in the PIIIs)?

Re:Hardware RNG (3, Funny)

larry bagina (561269) | more than 6 years ago | (#21325073)

intel's fpu is a random number generator (unintentionally).

Re:Hardware RNG (1)

operagost (62405) | more than 6 years ago | (#21325409)

What is this, 1997? They had an FPU bug in the Pentium 60-90 MHz processors. I guess you still make jokes about exploding Pintos and wheelbarrows full of Weimar Deutschmarks, too.

Re:Hardware RNG (1)

Schraegstrichpunkt (931443) | more than 6 years ago | (#21325471)

No. Read the paper, which states, inter alia (yes, I just learned that phrase this week):

We analyze the way in which the operating system uses the WRNG and note that a different copy of the WRNG is run, in user-mode, for every process, and that typical invocations of the WRNG are seldom refreshed with additional entropy. Therefore, the backward and forward security attacks, which only work while there is no entropy based rekeying, are highly effective. Furthermore, we also found that part of the state of the generator is initialized with values that are rather predictable.

Re:Hardware RNG (4, Informative)

lgw (121541) | more than 6 years ago | (#21325473)

Windows RNG collects "entropy" (that is, non-pseudo-randomness) from many sources, including drive timing, network timing, keyboard and mouse timing, temperature information, etc. However, there are only so many "really random" bits per second available.

Any good RNG combines sources of entropy with a cryptographically secure PRNG. The researchers are attacking the PRNG portion of the Windows RNG. If you only generate keys (or other random numbers) infrequently, this is a non-issue, as the hardware sources of entropy provide enough "really random" bits to generate a "really random" number.

However, if you generate a fast series of keys (or other random numbers), you quickly use up all of the "really random" bits that the RNG has cached, and you only have the PRNG on your side, and therefore the key is merely "pseudo random". TFA is an attack on the "pseudo random" portion of the Windows RNG.

Interestingly, the much-reviewed TrueCrypt engine seems to slow to a crawl if you create a bunch of files (and therefore keys) in a hurry - presumably it has an RNG that actually blocks waiting until it has enough new "really random" bits for each new key. This is a cool idea for a crypto library, but not usable for a general-purpose RNG, which suggests that the system libraries should probably provide *two* RNGs.

what. the. fuck. (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21324411)

i took a shit this morning and, no joke, my shit was blue.

better than red i guess.

Yer killin' me (1, Insightful)

$RANDOMLUSER (804576) | more than 6 years ago | (#21324427)

They recommend that Microsoft publish the code of their random number generators as well as of other elements of the Windows security system to enable computer security experts outside Microsoft to evaluate their effectiveness.
AHAHAHAHAHA
snort. please. stop.
HA HA HA HA HA HA HA HA
No. Really. It hurts.
AHAHAHAHAHAHAHA goomph.

Re:Yer killin' me (1)

ackthpt (218170) | more than 6 years ago | (#21325091)

Seriously. It's a one two comedy punch. If they can't do a secure random number generator, that calls into question the whole damn operating system.

Perhaps it was the Randumb generator they included.

loophole in corepirate nazi hypenosys (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21324445)

Ministry in the Last Days

3:1 But understand this, that in the last days difficult 1 times will come. 3:2 For people 2 will be lovers of themselves, 3 lovers of money, boastful, arrogant, blasphemers, disobedient to parents, ungrateful, unholy, 3:3 unloving, irreconcilable, slanderers, without self-control, savage, opposed to what is good, 3:4 treacherous, reckless, conceited, loving pleasure rather than loving God. 3:5 They will maintain the outward appearance 4 of religion but will have repudiated its power. So avoid people like these. 5 3:6 For some of these insinuate themselves 6 into households and captivate weak women 7 who are overwhelmed with sins and led along by various passions. 3:7 Such women are always seeking instruction, 8 yet never able to arrive at a knowledge of the truth. 3:8 And just as Jannes and Jambres 9 opposed Moses, so these people - who have warped minds and are disqualified in the faith 10 - also oppose the truth. 3:9 But they will not go much further, 11 for their foolishness will be obvious to everyone, just like it was with Jannes and Jambres. 12
Continue in What You Have Learned

3:10 You, however, 13 have followed my teaching, my 14 way of life, my purpose, my faith, my patience, my love, my endurance, 3:11 as well as the persecutions and sufferings 15 that happened to me in Antioch, 16 in Iconium, and in Lystra. 17 I endured these persecutions and the Lord delivered me from them all. 3:12 Now in fact all who want to live godly lives in Christ Jesus will be persecuted. 3:13 But evil people and charlatans will go from bad to worse, 18 deceiving others and being deceived themselves. 19 3:14 You, however, must continue 20 in the things you have learned and are confident about. You know 21 who taught you 22 3:15 and how from infancy you have known the holy writings, which are able to give you wisdom for salvation through faith in Christ Jesus. 3:16 Every scripture 23 is inspired by God 24 and useful for teaching, for reproof, 25 for correction, and for training in righteousness, 3:17 that the person dedicated to God 26 may be capable 27 and equipped for every good work.

Seed time (2, Interesting)

EaglemanBSA (950534) | more than 6 years ago | (#21324459)

How accurate would they have to be with predicting the generator seed times for the keys to work? Would that be a hitch? I'm not an expert in the field, so I honestly don't know.

Re:Seed time (4, Informative)

EaglemanBSA (950534) | more than 6 years ago | (#21324723)

Looks like if you can use their method to find the current state fast enough, windows doesn't do a great job of reseeding very quickly: I read through the PDF and found this comparison of the LRNG to WRNG (p. 18) - "Reseeding timeout. The LRNG is feeding the state with system based entropy in every iteration and whenever system events happen, while the WRNG is reseeding its state only after generating 128 KBytes of output. Synchronization. The collection of entropy in the LRNG is asynchronous: whenever there is an entropy event the data is accumulated in the state of the generator. In the WRNG the entropy is collected only for a short period of time before the state is reseeded. In the long period between reseedings there is no entropy collection. Security implication: The impact of the previous four properties is that forward and backward security attacks are more severe when applied to the WRNG. The attacks are more efficient by twelve orders of magnitude. They reveal the outputs of the generator between consecutive reseedings, and these reseedings are much more rare in the case of the WRNG. In some cases, reseeding the LRNG happens every few seconds, while the WRNG is reseeded every few days, if it is reseeded at all."
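To make concrete what lgw describes above (a generator that is only as unpredictable as its last reseed) and the reseed-interval comparison quoted from the paper, here is a toy hash-based generator that mixes in fresh entropy only after a configurable amount of output, together with a simulation of a one-time exposure of its state. This is an added example, not code from the paper or from Windows; the generator, its constants and the exposure simulation are all constructed for illustration.

```python
import hashlib
import os
from typing import Callable

BLOCK = 32  # bytes of output per generator step (one SHA-256 digest)


class ToyGenerator:
    """Toy hash-based PRNG, constructed for this example (not the WRNG).

    Each step emits H("out" || state) and then advances the state with the
    one-way step H("next" || state). Fresh entropy is mixed in only once
    `reseed_after` bytes have been produced since the last reseed, which is
    the reseeding policy the paper describes for the WRNG (128 KB of output).
    """

    def __init__(self, state: bytes, reseed_after: int, since_reseed: int = 0):
        self.state = state
        self.reseed_after = reseed_after
        self.since_reseed = since_reseed

    @classmethod
    def from_seed(cls, seed: bytes, reseed_after: int) -> "ToyGenerator":
        return cls(hashlib.sha256(b"seed" + seed).digest(), reseed_after)

    def reseed(self, entropy: bytes) -> None:
        """Mix fresh entropy into the state; a stale copy of the state
        cannot reproduce this step."""
        self.state = hashlib.sha256(b"reseed" + self.state + entropy).digest()
        self.since_reseed = 0

    def next_block(self, entropy_source: Callable[[], bytes]) -> bytes:
        if self.since_reseed >= self.reseed_after:
            self.reseed(entropy_source())
        out = hashlib.sha256(b"out" + self.state).digest()
        self.state = hashlib.sha256(b"next" + self.state).digest()
        self.since_reseed += BLOCK
        return out

    def generate(self, n: int, entropy_source: Callable[[], bytes]) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += self.next_block(entropy_source)
        return bytes(out[:n])


def fresh_entropy() -> bytes:
    """Stand-in for the OS entropy sources lgw lists (disk, network, input timing)."""
    return os.urandom(32)


def no_entropy() -> bytes:
    """What a copy of the state has available: nothing the OS collected later."""
    return b""


def predictable_bytes_after_exposure(reseed_after: int, warmup_blocks: int = 2) -> int:
    """Simulate a one-time exposure of the generator state and measure the damage.

    The real generator keeps reseeding from fresh_entropy(); the copy built from
    the leaked state does not get that entropy. Returns how many output bytes
    the copy matches before the real generator's next reseed makes the two
    diverge: the longer the reseed interval, the longer the exposure window.
    """
    real = ToyGenerator.from_seed(os.urandom(32), reseed_after)
    real.generate(warmup_blocks * BLOCK, fresh_entropy)

    # State plus the (public) reseed policy is all the leaked copy has.
    leaked = ToyGenerator(real.state, real.reseed_after, real.since_reseed)

    matched = 0
    for _ in range(reseed_after // BLOCK + 2):
        if real.next_block(fresh_entropy) != leaked.next_block(no_entropy):
            break
        matched += BLOCK
    return matched


if __name__ == "__main__":
    for interval in (256, 128 * 1024):
        print(f"reseed every {interval:>7} bytes: "
              f"{predictable_bytes_after_exposure(interval)} bytes exposed")
```

With the 128 KB policy the exposure window is the whole 128 KB minus what was already produced, which is the "outputs of the generator between consecutive reseedings" the quoted passage refers to; a generator that reseeds on every entropy event, as the quote says the LRNG does, shrinks that window to almost nothing.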

Re:Seed time (1)

Tacvek (948259) | more than 6 years ago | (#21325297)

What Linux RNG are they talking about? My understanding is that the output of /dev/random is fully random under the condition that the kernel has not overestimated the entropy of any of the inputs, and the mixing function works properly.

Huh? (2, Insightful)

mrseigen (518390) | more than 6 years ago | (#21324481)

Maybe it's just me, but I didn't think anyone would be stupid enough to use rand for SSL like the article is implying.

From what I can see, this is an old article anyway.

Re:Huh? (5, Funny)

Mantaar (1139339) | more than 6 years ago | (#21324557)

From TFA:

Date: received 4 Nov 2007

Old indeed. 8 days. That's a lot, Microsoft might have already fixed it, you see, they fix things fast!

Re:Huh? (1)

plague3106 (71849) | more than 6 years ago | (#21324665)

Honestly they could have already; they ASSUME the same fault is in XP and higher. Not a great assumption.

Re:Huh? (1)

InvisblePinkUnicorn (1126837) | more than 6 years ago | (#21324973)

Considering that Windows 2000 is still used by about as many people as use Vista, I don't think it matters whether they've fixed it in XP or not. They've still got to answer to all the 2000 users.

Where's the white noise generator? (4, Interesting)

tjstork (137384) | more than 6 years ago | (#21324537)

I am still at a loss to wonder why a PC does not have a white noise generator built into it yet. Even the best random number algorithms are pseudo random, so blasting Microsoft for their algorithm is a little like blasting the kid for not carrying enough of a bucket when the dam is the thing that broke.

Put white noise hardware and real random number hardware on PCs, and this whole problem goes away.

Re:Where's the white noise generator? (1)

CRCulver (715279) | more than 6 years ago | (#21324609)

If you want to pay a little more than what bargain-basement PCs cost, many common chipsets already have a nice hardware RNG and have for years now.

Re:Where's the white noise generator? (3, Informative)

palladiate (1018086) | more than 6 years ago | (#21324877)

No, Intel no longer provides a hardware RNG on most chipsets. The last is the i810.

Some AMD64 chipsets still do though. You generally don't find hardware RNG on any chipset below the "Major Enterprise Purchase" mark.

Which could be bettered, easily.

Re:Where's the white noise generator? (5, Funny)

OrangeCowHide (810076) | more than 6 years ago | (#21324921)

A white noise generator? Bah... What systems need are pop-o-matic bubbles with m * 2^n sided dice to generate m * n bits. It could even put a window up saying, "The entropy pool is depleted. Please press the pop-o-matic bubble to generate more."

That would be awesome

Re:Where's the white noise generator? (2, Informative)

pesc (147035) | more than 6 years ago | (#21324955)

Like the VIA C3 [via.com.tw] processor?

Re:Where's the white noise generator? (4, Informative)

palladiate (1018086) | more than 6 years ago | (#21325021)

The Commodore had one too, on the sound chip. The old P3 i810 and VIA C3 chipsets had RNGs built in. They relied on thermal noise. Some AMD chipsets still have it. But for the most part, no modern motherboard comes integrated with a hardware RNG.

Re:Where's the white noise generator? (1)

CarpetShark (865376) | more than 6 years ago | (#21325079)

Put white noise hardware and real random number hardware on PCs, and this whole problem goes away.


How do these work? Electromagnetics? Background radiation? Quantum unknowns? Even without being a physicist, I can imagine flaws in systems based on most of these.

Re:Where's the white noise generator? (2, Informative)

mkendall (69179) | more than 6 years ago | (#21325397)

How do these work? Electromagnetics? Background radiation? Quantum unknowns?

Shot noise in diodes under reverse breakdown is a typical way to generate noise.

Re:Where's the white noise generator? (1)

Ephemeriis (315124) | more than 6 years ago | (#21325299)

I know that there are plenty of machines out there that come with hardware RNG at reasonable prices... But is that even necessary?

I've seen software that tracks mouse movements for a while when generating random numbers, couldn't something similar be done through the OS itself? Couldn't you use mouse movement, keyboard input, sound and video output, etc. as your RNG? Wouldn't that be almost as good as a truly random number generator?

Or is there some obvious flaw in such a scheme which keeps it from being used?

Re:Where's the white noise generator? (1)

Darkforge (28199) | more than 6 years ago | (#21325427)

Mouse movements and keystroke latency are OK for consumer grade encryption keys (though, note that they are normally just a seed for a pseudo-randomizer), but you can't really use them on headless servers, which is where most of the important (i.e. high financial value) encryption takes place.

Re:Where's the white noise generator? (1)

xZgf6xHx2uhoAj9D (1160707) | more than 6 years ago | (#21325447)

That's exactly the approach Linux uses with /dev/random (not to be confused with /dev/urandom): the kernel uses the timings between I/O interrupts (key strokes, hard drive seeks, etc.) to build up entropy. I'm no expert on the matter, but I believe people when they say it's good enough for crypto.

So far as I can tell, the only benefit of a thermal noise source over that scheme is that thermal noise gives you a pretty good and constant supply. If you're hitting /dev/random often, it's not hard to get it to block while it waits for more entropy.

USB Hardware RND (4, Interesting)

CustomDesigned (250089) | more than 6 years ago | (#21325431)

Buy one of those $25 toy digital cameras. Keep the lens cap on, or put black tape over the lens. Connect to USB port. Add script to snap a "picture" every few minutes to prng. (Is there a way for userland to feed entropy to kernel based /dev/random?) With no light, digital cameras return thermal noise - which looks like "snow" on an analog TV. I've done this with a toy camera I bought for my daughter. The camera feeds raw pixels to the linux driver, and the post processing done by the Windows software was never implemented in Linux, making it useless as a camera (plus it has 256M ram, but no flash memory). But it works great for this application. I haven't done a mathematical analysis of exactly how much entropy is in the signal. I'll leave that for the stat geeks.

I got the idea from a project that used a webcam snapping pictures of a Lava Lamp® as a hardware RNG.
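One way to do what CustomDesigned describes, as an added example that is not taken from that post: estimate how much entropy a dark frame actually carries (the analysis the post leaves to "the stat geeks"), condition it with a hash, and hand it to the kernel through the Linux RNDADDENTROPY ioctl, which is the userland-to-/dev/random path the post asks about. The sample frame is constructed, the crediting policy (safety divisor, 256-bit cap) is a hypothetical conservative default, and the ioctl needs root.

```python
import hashlib
import math
import random
import struct
from collections import Counter

# Linux ioctl RNDADDENTROPY, i.e. _IOW('R', 0x03, int[2]): mixes a buffer into
# the kernel pool and credits it with entropy. Root (CAP_SYS_ADMIN) is required.
RNDADDENTROPY = 0x40085203

# Constructed sample "frame": 4096 raw pixel bytes from a deterministic source,
# standing in for a real dark-frame capture. Replace with the camera's output.
_rng = random.Random(2007)
SAMPLE_FRAME = bytes(_rng.getrandbits(8) for _ in range(4096))


def min_entropy_bits_per_byte(frame: bytes) -> float:
    """Conservative estimate: -log2(probability of the most frequent byte value).

    Min-entropy, not Shannon entropy, is the right measure for data that will be
    credited to a pool an adversary may try to guess.
    """
    if not frame:
        return 0.0
    most_common = Counter(frame).most_common(1)[0][1]
    return -math.log2(most_common / len(frame))


def credit_bits_for_frame(frame: bytes, safety_divisor: int = 4) -> int:
    """Bits to credit for one frame (hypothetical policy, an assumption).

    Neighbouring pixels are correlated, so the per-byte estimate is divided by a
    safety factor, and the credit never exceeds the 256 bits that the SHA-256
    digest handed to the kernel can carry.
    """
    raw_bits = min_entropy_bits_per_byte(frame) * len(frame)
    return min(256, int(raw_bits / safety_divisor))


def condition_frame(frame: bytes) -> bytes:
    """Compress a noisy frame into 32 bytes so the credited bits are not spread
    across a large, partly predictable buffer."""
    return hashlib.sha256(frame).digest()


def build_rand_pool_info(credit_bits: int, data: bytes) -> bytes:
    """Pack struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }.

    entropy_count is in bits, buf_size in bytes; the buffer is padded to a
    multiple of 4 because the kernel declares it as an array of 32-bit words.
    """
    if len(data) % 4:
        data += b"\0" * (4 - len(data) % 4)
    return struct.pack("ii", credit_bits, len(data)) + data


def add_frame_to_pool(frame: bytes, device: str = "/dev/random") -> int:
    """Feed one frame to the kernel pool and return the bits credited."""
    import fcntl  # Linux only; imported here so the estimators work elsewhere
    credit = credit_bits_for_frame(frame)
    payload = build_rand_pool_info(credit, condition_frame(frame))
    with open(device, "wb") as dev:
        fcntl.ioctl(dev, RNDADDENTROPY, payload)
    return credit


if __name__ == "__main__":
    print(f"estimated min-entropy: {min_entropy_bits_per_byte(SAMPLE_FRAME):.2f} bits/byte")
    print(f"would credit {credit_bits_for_frame(SAMPLE_FRAME)} bits for this frame")
    # add_frame_to_pool(SAMPLE_FRAME)  # run as root on Linux to actually feed the pool
```

Writing to /dev/random without the ioctl also mixes data in but credits nothing, so it never unblocks the device; crediting is the step that needs the entropy estimate to be honest.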

The Vista RNG (5, Funny)

Anonymous Coward | more than 6 years ago | (#21324539)

Although they only checked Windows 2000, they assume that XP and Vista use similar random number generators and may also be vulnerable.

Your system must meet the requirements to be able to run the Windows Random Number Generator on Vista. Otherwise, you will need to use Windows Number Generator Basic. The only number WNGB can generate is 4.

Re:The Vista RNG (4, Funny)

eln (21727) | more than 6 years ago | (#21324697)

Yes, but that 4 was generated via a fair dice roll, and is guaranteed to be random. You can't say that about the numbers the Vista RNG spits out. So you see, what the WNGB lacks in quantity it makes up for in quality.

Re:The Vista RNG (1)

JCSoRocks (1142053) | more than 6 years ago | (#21324715)

I've got Vista and I've found a way to fix this problem and keep your numbers nice and random. I just used a piece of string attached to one of my fans to swing a big magnet over the top of my memory. It's great. Although... my computer keeps on giving me these weird corruption errors and then crashing.

Re:The Vista RNG (4, Informative)

secPM_MS (1081961) | more than 6 years ago | (#21325139)

The random number generator for XP and 2K3 server was substantially improved over that of Win 2000. Additional work was done for Vista. These systems are used in highly secure military deployments and due to its importance to system security, the random number generator was subjected to extensive analysis and was updated to deal with issues uncovered. When evaluating "random number generators" you need to consider not only the "random number" generator, but entropy harvesting from the system and other issues relating to usage. I assume the bulk of the readers are not MS developers, but if you need a good random number on a Windows platform, call CryptGenRandom. Equivalent functionality is provided for managed code as well.

Win 2K is a very legacy product and its crypto functionality is very limited compared to 2K3 and Vista.

Re:The Vista RNG (1, Troll)

John Hasler (414242) | more than 6 years ago | (#21325401)

> The random number generator for XP and 2K3 server was substantially improved over that
> of Win 2000.

You know this, of course, because you have reviewed the source code.

Re:The Vista RNG (1)

ale_ryu (1102077) | more than 6 years ago | (#21325461)

Reminds me of Dirk Gently's I ching calculator:

'The electronic I Ching calculator was badly made. It had probably been manufactured in whichever of the South-East Asian countries was busy tooling up to do to South Korea what South Korea was busy doing to Japan. Glue technology had obviously not progressed in that country to the point where things could be successfully held together with it. Already the back had half fallen off and needed to be stuck back on with Sellotape.'
'It was much like an ordinary pocket calculator, except that the LCD screen was a little larger than usual, in order to accommodate the abridged judgments of King Wen on each of the sixty-four hexagrams, and also the commentaries of his son, the Duke of Chou, on each of the lines of the hexagram. These were unusual texts to see marching across the display of a pocket calculator, particularly as they had been translated from the Chinese via the Japanese and seemed to have enjoyed many adventures on the way.'

'The device also functioned as an ordinary calculator, but only to a limited degree. It could handle any calculation which returned an answer of anything up to "4".'

'"1 + 1" it could manage ("2"), and "1 + 2" ("3") and "2 + 2" ("4") or "tan 74" ("3.4874145"), but anything above "4" it represented merely as "A Suffusion of Yellow". Dirk was not certain if this was a programming error or an insight beyond his ability to fathom, but he was crazy about it anyway, enough to hand over £20 of ready cash for the thing.'


Novell (5, Funny)

Anonymous Coward | more than 6 years ago | (#21324553)

In other news, Miguel de Icaza said that he believes that the random number generator is a good idea. Linux should have one because Microsoft is going to win anyway, so linux would better be prepared if it doesn't want to be locked out of the future markets, and presented a beta version of the algorithm. Members of the GNOME foundation are participating in the standardization: ''it's better to provide our own insecure random number generator'' said Owen Taylor.

What is the scope of potential attacks? (1)

argent (18001) | more than 6 years ago | (#21324555)

The abstract made me think that this was akin to the sequence number prediction problems in older TCP implementations, but it doesn't seem that this provides much opportunity for a remote attack. What is the actual scope of the problem, how could this be practically used in an exploit?

Yes, actually. The cat does "got my tongue." (1)

Impy the Impiuos Imp (442658) | more than 6 years ago | (#21324567)

I thought of doing something like this years ago for EverQuest. Presume it used the standard random number generator as published by Knuth, among others. Get a series, then crank through seeds until you found the sequence that matched it, done.

Never got beyond the thought stage because the problem was that those random values were probably shared amongst many clients, and thus it would be impossible to get a pure sequence without losing some values to other clients. And this assumes such a calculation would be doable in something less than many times the age of the universe. But in theory it could have worked.

Then just wait for a high string of good hits to be in the pipeline, and jump into battle.

Re:Yes, actually. The cat does "got my tongue." (2, Informative)

roguetrick (1147853) | more than 6 years ago | (#21324671)

Now if only we had a plan for getting a girlfriend. And I don't mean Flargina the Elf, because from what I hear, she's packing something and it's not a bow.

Re:Yes, actually. The cat does "got my tongue." (2, Informative)

Cheesey (70139) | more than 6 years ago | (#21325015)

That sort of attack could probably be used against online Nethack servers such as nethack.alt.org. You could predict what set of items you'd get if you generated a character at a specific value of time(NULL). You'd also be able to predict the future for that character. You'd try out sequences of moves on your PC, and then send the sequence that got you the best results.

Unfortunately extra non-determinism would be introduced by bones files, and you'd get a new random sequence if you logged out. The server admin could also stop this attack quite easily by sourcing random data (or just the seed) from /dev/urandom. (They might already be doing that.)

Spearmen (2, Funny)

Anonymous Coward | more than 6 years ago | (#21324599)

So that's why my tanks and battleships always lose to spearmen.

M$, your code sucks... (1)

forestbrooke (1171427) | more than 6 years ago | (#21324601)

so, open it up... let some 'real' developers look at it! (not a bait, but i guess that is the essence?) 'open source' windows!

they assume? (1)

pak9rabid (1011935) | more than 6 years ago | (#21324613)

Although they only checked Windows 2000, they assume that XP and Vista use similar random number generators and may also be vulnerable. The full text of the paper is available in PDF format."

And what happens when we make assumptions? we make an ass of me, and you make more money [google.com]

Re:they assume? (1)

Tetsujin (103070) | more than 6 years ago | (#21325199)

Although they only checked Windows 2000, they assume that XP and Vista use similar random number generators and may also be vulnerable. The full text of the paper is available in PDF format."

And what happens when we make assumptions? we make an ass of me, and you make more money [google.com]

Uh, no... When you make an assumption, you make an ass of you and Mption...

Fixed in Vista? (5, Insightful)

adonoman (624929) | more than 6 years ago | (#21324623)

http://msdn.microsoft.com/msdnmag/issues/07/07/Security/default.aspx [microsoft.com] has the new API, including an RNG

that meets Federal Information Processing Standards (FIPS) for use with the Digital Signature Algorithm (DSA).

There's a lot I don't like about Vista, but for security researchers to "assume that XP and Vista use similar random number generators and may also be vulnerable" without a basic google search is a bit much!

Re:Fixed in Vista? (3, Interesting)

CastrTroy (595695) | more than 6 years ago | (#21324947)

Just because they have a new API for getting the random numbers, it doesn't mean that they are using different algorithms for generating those random numbers. Also, they must still have the old APIs in there, otherwise, a lot of programs would fail to work. Since most of the software out there was written pre-Vista, and written to run on Vista, XP, and 2000, it's conceivable that applications on these operating systems are using the vulnerable code.

Publication iffy (3, Insightful)

cdrguru (88047) | more than 6 years ago | (#21324639)

The only benefit that could possibly be derived by publishing algorithms and/or code for Windows security would be if (a) changes proposed would be implemented quickly and (b) everyone planet-wide upgraded.

If both of these did not happen, especially if (b) didn't happen, what you would be doing is exposing all non-upgrading users to the full brunt of whatever flaws there might be. Would this really be productive? Does this remind you of various failures in Linux code that led to rootkits being developed for it? Did the victims of such attacks think it was all for the best because they didn't upgrade in a timely manner?

Yes, relying on people not reverse-engineering code to protect users isn't a great plan. But the current situation - as regrettable as it is - is this is the only plan. There are no fallbacks, there are no alternatives. Most of the running copies of Windows aren't going to be "fixed" in any way whatsoever.

Re:Publication iffy (1)

sunami (751539) | more than 6 years ago | (#21324757)

If both of these did not happen, especially if (b) didn't happen, what you would be doing is exposing all non-upgrading users to the full brunt of whatever flaws there might be.

Which just happened. And was pretty much inevitable to happen assuming it wasn't bulletproof from the start. Only now, it's "there's a flaw" rather than "here's a way to fix the flaw!"

Re:Publication iffy (2, Informative)

IkeTo (27776) | more than 6 years ago | (#21325225)

This sounds *really* wrong. You can say white-hats should have waited for a few days or even a few weeks after notifying the vendors before disclosing problems, but they should be disclosed eventually, and should be disclosed after giving vendors a reasonable amount of time. There are bound to be people not upgrading their Windows, and there are bound to be people not upgrading their Redhat or Fedora or Ubuntu or SuSE or FreeBSD or whatever operating system you name (not to mention whatever firewalls, protocols, applications, etc, etc you name). So we shouldn't be disclosing any vulnerability about any of those?! Who, then, knows that their software is vulnerable to black-hats and needs upgrading, and who, then, knows which software vendor is more trustworthy for providing secure software or providing rapid response to security issues? And, more importantly, how can developers learn from the others' mistakes and start writing secure code?

Ballmer knows (0)

Anonymous Coward | more than 6 years ago | (#21324695)

"The team found a way to decipher how the number generator works, and thus compute previous and future encryption keys used by the computer, and eavesdrop on private communication."

See?! Windows has had a pseudo-Time Machine all along. :D

Go Microsoft!!
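The "time machine" joked about here is the property the summary describes: once the generator's internal state is known, an invertible state update lets previous outputs be computed as well as future ones. The toy example below is added here (not from the paper or any Slashdot poster) and uses constructed constants: an LCG-style generator whose update is trivially reversible, beside a hash-based update that can only be run forwards, so capturing its state reveals nothing about earlier outputs.

```python
import hashlib

M = 2 ** 32
A = 1664525           # constructed LCG multiplier; odd, so invertible mod 2^32
C = 1013904223        # constructed LCG increment
A_INV = pow(A, -1, M) # modular inverse exists because A is odd


def lcg_step(state):
    """Invertible state update: the weak design."""
    return (A * state + C) % M


def lcg_unstep(state):
    """Anyone holding the current state can walk it backwards."""
    return ((state - C) * A_INV) % M


def lcg_outputs(seed, n):
    """Generate n outputs (top 16 bits of state); return outputs and final state."""
    out, s = [], seed
    for _ in range(n):
        s = lcg_step(s)
        out.append(s >> 16)
    return out, s


def recover_past_outputs(state, n):
    """From the current state alone, reconstruct the n previous outputs."""
    out, s = [], state
    for _ in range(n):
        out.append(s >> 16)
        s = lcg_unstep(s)
    return list(reversed(out))


def hashed_step(state):
    """One-way state update: reversing it would require a SHA-256 preimage."""
    return hashlib.sha256(state).digest()


def hashed_outputs(seed, n):
    """Outputs are derived from the state under a separate label, so an
    output never reveals the state and the state never reveals the past."""
    out, s = [], seed
    for _ in range(n):
        s = hashed_step(s)
        out.append(hashlib.sha256(b"out" + s).digest()[:4])
    return out, s
```

For the LCG, recover_past_outputs(final_state, n) reproduces every output that was handed out before; the hashed generator offers no such path, which is the "backward security" property a key generator needs.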

huh? (1)

deftones_325 (1159693) | more than 6 years ago | (#21324787)

I can't even read past where some educated people try to recommend to M$ that they open up some of their double-super-secret source code. Imagine the possibilities and good things that could happen if they did that. It's just that kind of rational thinking that makes the developers at Microsoft upset. How dare anyone suggest it could be done better.

Pluggable Cryptomodules (1)

gimli (48730) | more than 6 years ago | (#21324833)

Hi,

I would suggest pluggable Crypto. So you can choose your own trusted Crypto provider in your operating system. This way anyone who likes peer reviewed opensource crypto can just plug it into M$ windows and doesn't need to rely on proprietary crap^H^Hypto.

Regards,
Holger

Re:Pluggable Cryptomodules (1, Informative)

Anonymous Coward | more than 6 years ago | (#21325411)

Well your wish has been granted. The Windows Vista cryptography API (CNG) provides just this kind of functionality.

From the MSDN page on CNG features [microsoft.com]:

Another improvement that CNG provides is the ability to replace the default random number generator (RNG). In CryptoAPI, it is possible to provide an alternate RNG as part of a cryptographic service provider (CSP), but it is not possible to redirect the Microsoft Base CSPs to use another RNG. CNG makes it possible to explicitly specify a particular RNG to use within particular calls.

It seems that the CNG is very extensible. You can add new RNGs, encryption providers, hashing algorithms, etc.

Don't newer cpus have TRNG builtin? (1)

jmichaelg (148257) | more than 6 years ago | (#21324913)

I thought that True Random Number Generators had been built into all newer CPUs. It appears, after a quick Google search, that's not the case. Via provides a TRNG on their C3, AMD provides one on their Geode processor, and Intel provides one on their "Firmware Hub." What's not clear to me is why, given the obvious need for a TRNG, Intel and AMD haven't incorporated one into the mainstream x86 architecture.

Re:Don't newer cpus have TRNG builtin? (1)

palladiate (1018086) | more than 6 years ago | (#21325107)

You're slightly mistaken.

Intel only provided an RNG on the 810 series of chipsets, and that was the Pentium 3 generation. The VIA C3 is of the same generation of chipsets, nothing faster than a 1.4 GHz processor. AMD does provide a path, but it's an optional part of the chipset, and not universally supported.

There used to be more ubiquitous hardware RNG.

Here's the thinking in Redmond (1)

Frantactical Fruke (226841) | more than 6 years ago | (#21324923)

Um, our programmers are all in conference negotiating the next shutdown dialog, but we have plenty of spare lawyers, so we'll fix this problem with a DMCA lawsuit in 5, 4, 3, 2...

Similar but different? (3, Interesting)

QuietLagoon (813062) | more than 6 years ago | (#21324939)

I wonder if this [coredump.cx] is a similar problem?

Re:Similar but different? (1)

DuctTape (101304) | more than 6 years ago | (#21325353)

I saw Windows, IRIX, Netware, Cisco IOS, Solaris, *BSD family, MacOS X, UNICOS, Tru64, HPUX, OS/400, NextSTEP, AIX, OpenVMS, and OS9. No Linux in there? Or am I missing something?

DT

Is there a list of slot machines that run Windows (5, Funny)

Joe The Dragon (967727) | more than 6 years ago | (#21324997)

Is there a list of slot machines that run Windows?

Re:Is there a list of slot machines that run wind (0)

Anonymous Coward | more than 6 years ago | (#21325385)

Multimedia Games bingo slots. (I saw one in a casino that had exited to the desktop, it looked to be running a version of Windows XP.)

Some of the Multimedia Games bingo slots are apparently even retrofits for some older WMS Games slots (such as Jackpot Party, Instant Winner) among others.

However, it seems like those slots get their bingo card results from numbers drawn from a central computer, rather than an on-chip random number generator on the actual machine. Either way, the bingo card results appear to determine the actual reel spin result, so it's like the machine is practically showing the virtual reel result by using a bingo card, before spinning the reels.

Solution (1)

PPH (736903) | more than 6 years ago | (#21325047)

Use Excel. Its solutions appear to be far less predictable than the current RNG.

Wait wait wait... (1)

SailorSpork (1080153) | more than 6 years ago | (#21325075)

Although they only checked Windows 2000, they assume that XP and Vista use similar random number generators

That's a hell of an assumption to make. Whereas Win2k probably had a semi-reasonable (if apparently crackable) random number generator, Vista probably has a confused gnome inside that's hit on the head and presented with a keyboard when a random number is requested. It then needs to connect to the internet and report my name, hardware configuration, IP, SSN and 3 credit card numbers to the Windows Genuine Disadvantage hive mind in Redmond to ensure that I paid for a version of Windows that is authorized to include the Random Gnome (R) (TM), or if I should pay more to upgrade to Random Gnome Ultimate.

Trolling... (1)

squizzar (1031726) | more than 6 years ago | (#21325335)

I suggest using the uptime of the previous session as a random number generator. Of course the numbers would always be small, but at least they'd be completely random...

Vista is safe! (1)

LingNoi (1066278) | more than 6 years ago | (#21325355)

<sarcasm>Don't worry! I spoke to a MS rep and they told me that Windows Vista was the most secure operating system available!</sarcasm>

Oblig Dilbert (1)

BlueParrot (965239) | more than 6 years ago | (#21325377)

Troll: "nine,nine,nine,nine,nine,nine,nine,nine,nine,nine,nine..."
Dilbert: "Are you sure that is random?"
Troll: "That's the thing with random numbers, you can never be sure... nine,nine,nine,nine,nine..."

idiots (0)

Anonymous Coward | more than 6 years ago | (#21325415)

If they know how it works and thus can predict it, why can they only guess that it's the same code in XP and Vista? Like any experiment, once your assumption is proven correct in one experiment you should be able to predict the outcome in all experiments.