mersenneforum.org > Extra Stuff > Programming
Microsoft CryptGenRandom

#1  R.D. Silverman, 2012-03-02, 13:38

I am seeking information about the Microsoft crypto library function
CryptGenRandom. Specifically, I am seeking whether anyone has
vetted this function. The Microsoft crypto RNG had known weaknesses
under Windows XP as of 2007. Does anyone here have any experience?

If I were on Linux I'd use /dev/random. But I have to use a Windows
platform and need a good source of entropy. Low-order bits from
keystroke timings work well, but require the user to do some typing, so
it is a clumsy interface.
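A worked example of calling the function the post asks about, added here and not code from any poster: it requests bytes from CryptGenRandom through ctypes with the acquire/generate/release sequence and the return-value checks the CryptoAPI requires, and runs a cheap sanity check that the buffer was actually written (an ignored failure hands back the zero-filled buffer). Off Windows it falls back to os.urandom so the self-check runs on any host. The constants come from wincrypt.h; the distinct-byte threshold is an arbitrary choice of mine, not a randomness test. One caveat for anyone reading this later: CryptoAPI is the legacy interface, and on Vista and later Microsoft points to CNG's BCryptGenRandom as its replacement.

```python
"""Pull entropy from the Windows CryptoAPI RNG (CryptGenRandom) via ctypes.

Added example for this thread; not code from any poster. Falls back to
os.urandom off Windows so the self-check below can run on any host.
"""
import ctypes
import os
import sys

# Constants from wincrypt.h
PROV_RSA_FULL = 1
CRYPT_VERIFYCONTEXT = 0xF0000000  # ephemeral context, no key container: right for RNG-only use


def cryptgenrandom(nbytes):
    """Return nbytes from CryptGenRandom, raising OSError if any CryptoAPI call fails."""
    if nbytes <= 0:
        raise ValueError("nbytes must be positive")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    HCRYPTPROV = ctypes.c_void_p  # ULONG_PTR-sized provider handle

    acquire = advapi32.CryptAcquireContextW
    acquire.argtypes = [ctypes.POINTER(HCRYPTPROV), ctypes.c_wchar_p,
                        ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32]
    acquire.restype = ctypes.c_int
    gen = advapi32.CryptGenRandom
    gen.argtypes = [HCRYPTPROV, ctypes.c_uint32, ctypes.c_char_p]
    gen.restype = ctypes.c_int
    release = advapi32.CryptReleaseContext
    release.argtypes = [HCRYPTPROV, ctypes.c_uint32]
    release.restype = ctypes.c_int

    prov = HCRYPTPROV()
    # NULL container and provider name: default RSA provider, verify-only context
    if not acquire(ctypes.byref(prov), None, None, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        buf = ctypes.create_string_buffer(nbytes)  # zero-filled; a failed call leaves zeros
        if not gen(prov, nbytes, buf):
            raise ctypes.WinError(ctypes.get_last_error())
        return buf.raw
    finally:
        release(prov, 0)


def os_entropy(nbytes):
    """OS-supplied entropy: CryptGenRandom on Windows, os.urandom elsewhere."""
    if sys.platform == "win32":
        return cryptgenrandom(nbytes)
    return os.urandom(nbytes)


def looks_filled(buf, min_distinct=96):
    """Cheap sanity check, not a randomness test: catches an all-zero or
    constant buffer, which is what a silently failed RNG call produces.
    The threshold is arbitrary; 256 uniform bytes average about 162 distinct values."""
    if len(buf) < 256:
        raise ValueError("use at least 256 bytes for this check")
    return len(set(buf)) >= min_distinct


if __name__ == "__main__":
    sample = os_entropy(256)
    print(sample.hex()[:64], "...", "ok" if looks_filled(sample) else "SUSPECT")
```

The point of the try/finally and the two return-value checks is that CryptGenRandom signals failure only through its BOOL result; code that ignores it will happily use the zero-filled buffer as a key.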
#2  retina, 2012-03-02, 13:59

TrueCrypt uses mouse movements to increase entropy.

But do you even have a user present? If not then just buy a hardware RNG and plug it into the USB. That is what I do. Although you never specified the generation rate and some of these devices can be quite slow (a few hundred kb/s for many).

Or wait for the new Intel CPU with RDRAND. Specced to have a rate of 3Gb/s.
#3  R.D. Silverman, 2012-03-02, 15:00

Originally Posted by retina:
> TrueCrypt uses mouse movements to increase entropy.
>
> But do you even have a user present? If not then just buy a hardware RNG and plug it into the USB. That is what I do. Although you never specified the generation rate and some of these devices can be quite slow (a few hundred kb/s for many).
>
> Or wait for the new Intel CPU with RDRAND. Specced to have a rate of 3Gb/s.
None of this answers the question that was asked. I am acutely
aware of other options.
#4  jasonp, 2012-03-02, 15:22

This is a fair current summary of what we know about CryptGenRandom. The authors did decompile the implementation in a later version of Windows than XP but only analyzed it enough to conclude many of the code structures were the same as the XP version.

The code in CryptLib for generating random numbers uses somewhat more sources of entropy than are listed in the link, and a later version of the Windows API has a few more useful functions that cryptlib lacks (e.g. iterating through the handles of all the windows on your desktop).

#5  ewmayer, 2012-03-03, 03:10

Pardon my quite-possible ignorance here, but that strikes me as an awful lot of trouble to go to in order to obtain a source of "genuine noise." Chip designers spend a huge amount of effort to reduce noise in their microcircuitry, but the corollary of that is that there is no lack of well-understood sources of noise in silicon microarchitectures. So why not support genuine crypto-quality RNGs by designing circuit elements specifically to act as sources of "genuine noise"? (E.g. quantum-mechanical shot noise could be one possible such, IIRC my college-undergrad-days lectures on microelectronics.) If it proves hard to make any such element "reliably noisy" in terms of having well-characterized noisiness, stick a bunch of them in and query them during chip testing to select the "good ones", then initialize some hardware-level lookup table to be used by the hardware which supports the crypto-quality RNG functionality. That has got to be much, much faster than iterating over displayed widgets and querying their state and the like.

Perhaps there's some very good reason why the above is not feasible (or perhaps not yet ready for prime time in terms of the needed R&D) - If so, would appreciate a link or summary.
#6  Christenson, 2012-03-03, 04:15

Originally Posted by R.D. Silverman:
> None of this answers the question that was asked. I am acutely
> aware of other options.
Your OP doesn't imply that awareness at all...re-read yourself carefully.

Moi, the security history of Microsoft says the API will be fatally insecure.

And we have:
> A notable algebraic PRNG is the Mersenne Twister [41]. It is very efficient and
> produces high-quality output, usable for any purpose except cryptography: an attacker
> can compute its internal state after seeing a series of outputs.

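The quoted claim about the Mersenne Twister, demonstrated in an added example (mine, not any poster's code): 624 consecutive 32-bit outputs of MT19937 are enough to recover its entire internal state, because the output tempering is an invertible bit transform and each output word is one tempered state word. The victim is Python's random module, whose core generator is MT19937; the seed and the observation window are constructed for the demo, and the window is assumed to start at a twist boundary, which holds for the first 624 words after seeding.

```python
"""Recover MT19937 state from 624 observed 32-bit outputs and predict the rest.

Added example for this thread; not code from any poster. Uses Python's
random module, whose core generator is MT19937, as the victim.
"""
import random

MASK32 = 0xFFFFFFFF
N = 624  # MT19937 state words


def temper(y):
    """MT19937 output tempering (the last step of each output), kept for self-checks."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_xor_rshift(y, shift):
    # invert y ^= y >> shift: the top `shift` bits are untouched, so recover downward
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_xor_lshift_mask(y, shift, mask):
    # invert y ^= (y << shift) & mask: the low `shift` bits are untouched, so recover upward
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y):
    """Invert temper(): tempering is a bijection on 32-bit words, so one output reveals one state word."""
    y = _undo_xor_rshift(y, 18)
    y = _undo_xor_lshift_mask(y, 15, 0xEFC60000)
    y = _undo_xor_lshift_mask(y, 7, 0x9D2C5680)
    y = _undo_xor_rshift(y, 11)
    return y


def clone_mt19937(outputs):
    """Build a random.Random whose future outputs match the generator that produced `outputs`.

    `outputs` must be 624 consecutive 32-bit words starting at a twist boundary
    (true for the first 624 words after seeding). The trailing index 624 tells the
    clone its whole state block is consumed, so its next call twists exactly as
    the victim's will."""
    if len(outputs) != N:
        raise ValueError("need exactly %d consecutive 32-bit outputs" % N)
    state = tuple(untemper(o) for o in outputs) + (N,)
    clone = random.Random()
    clone.setstate((3, state, None))  # version-3 state tuple used by CPython's Random
    return clone


def predict_next(seed, n_predict=8):
    """Demo: seed a victim (constructed here), observe 624 words, then predict its future."""
    victim = random.Random(seed)
    observed = [victim.getrandbits(32) for _ in range(N)]
    clone = clone_mt19937(observed)
    predicted = [clone.getrandbits(32) for _ in range(n_predict)]
    actual = [victim.getrandbits(32) for _ in range(n_predict)]
    # random() consumes two state words per call; the clone tracks those as well
    predicted_floats = [clone.random() for _ in range(3)]
    actual_floats = [victim.random() for _ in range(3)]
    return predicted == actual and predicted_floats == actual_floats, predicted, actual


if __name__ == "__main__":
    ok, predicted, actual = predict_next(20120302)
    print("prediction matched:", ok)
    print("predicted:", predicted)
    print("actual:   ", actual)
```

If the observed window does not start at a twist boundary, untemper still yields valid state words but the recorded index is wrong; an attacker handles that by trying the offset that reproduces the observed stream. This is exactly the property a CSPRNG such as the one behind CryptGenRandom is designed to deny: its output must not let an observer reconstruct the state.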
#7  jasonp, 2012-03-03, 13:55

Most likely Bob's intended application is cryptography. Some Intel chips do have a true random number generator, which you may or may not be able to access. Some AMD chips do too, which you probably are not able to access because software support for accessing them has been dismal. There are a ton of papers that describe building a noise source in various hardware platforms, which your customers probably don't have and won't buy. The situation will slowly improve as mass-market chips pick up all the extra features people want as a way to soak up a huge transistor budget.
#8  R.D. Silverman, 2012-03-03, 14:03

Originally Posted by Christenson:
> Moi, the security history of Microsoft says the API will be fatally insecure.
Which is why I asked if it had been vetted.

Originally Posted by Christenson:
> And we have:
> A notable algebraic PRNG is the Mersenne Twister [41]. It is very efficient and
> produces high-quality output, usable for any purpose except cryptography: an attacker
> can compute its internal state after seeing a series of outputs.
And if I wanted to ask about pseudo-rngs I would have done so.
I need a generically available source of noise available on Windows.

Learn to answer the question that was asked.

#9  retina, 2012-03-03, 22:49

Originally Posted by R.D. Silverman:
> Which is why I asked if it had been vetted.
It being closed source makes any vetting quite pointless. Someone may vet one version only to find that the newer/older versions do things entirely differently.
Originally Posted by R.D. Silverman:
> And if I wanted to ask about pseudo-rngs I would have done so.
Well you did ask about a PRNG, the MS API is a PRNG. So what do you really want?
#10  chalsall, 2012-03-03, 23:22

Originally Posted by R.D. Silverman:
> Learn to answer the question that was asked.
A very good friend of mine gave me a very important bit of advice...

"Be responsible for the listening into which you are speaking."

You need to learn, Dr. Silverman, to be less of a prick if you want people to help you.
#11  xilman, 2012-03-03, 23:39

Originally Posted by retina:
> It being closed source makes any vetting quite pointless.
Having played a part in the vetting of some MSFT cryptocode I can assure you that your statement is quite wrong.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.