Windows random numbers: Unsafe at any speeed - Linux


Thread: Windows random numbers: Unsafe at any speeed

  1. Windows random numbers: Unsafe at any speeed

    Cryptanalysis of the Random Number Generator of the Windows
    Operating System

    http://eprint.iacr.org/2007/419.pdf
    --
    Microsoft? Is that some kind of a toilet paper?


  2. Re: Windows random numbers: Unsafe at any speeed

    In comp.os.linux.advocacy, Peter Köhlmann wrote
    on Tue, 13 Nov 2007 23:04:12 +0100:
    > Cryptanalysis of the Random Number Generator of the Windows
    > Operating System
    >
    > http://eprint.iacr.org/2007/419.pdf


    A few subtleties stand out.

    [1] The acronym "WRNG" -- a dialect variation apparently of
    "PRNG" (for pseudo-random number generator)-- is just plain
    wrong. ;-) Of course, considering that the analysis
    ultimately leads to a possible attack, the Windows
    implementation doesn't appear all that right to begin
    with, especially since uninitialized stack variables are
    incorporated into the state.

    [2] The implementation was closed-source and yet still
    doped out. The code was scattered across maybe 10,000
    lines of pseudo-assembly.[*]

    [3] The Linux variant (logically enough named "LRNG") has
    a flaw which can result in a DoS. However, this flaw is
    comparatively minor, and LRNG is in the kernel, making
    it less accessible to the casual hacker.

    ------
    [*] assembler code which was reverse-engineered from the
    machine code byte sequence by a disassembler.
    Some compilers put weird things in the byte sequence,
    confusing disassemblers. Disassemblers also have to
    make a best guess as to the labels jumped to, referenced,
    or otherwise needed.

    --
    #191, ewill3@earthlink.net
    Useless C/C++ Programming Idea #10239993:
    char * f(char *p) {char *q = malloc(strlen(p)); strcpy(q,p); return q; }

    --
    Posted via a free Usenet account from http://www.teranews.com


  3. Re: Windows random numbers: Unsafe at any speeed

    ____/ Peter Köhlmann on Tuesday 13 November 2007 22:04 : \____

    > Cryptanalysis of the Random Number Generator of the Windows
    > Operating System
    >
    > http://eprint.iacr.org/2007/419.pdf


    It's not a bug. It's a feature. The FBI needs to know why you're hiding your
    work and communication.

    --
    ~~ Best of wishes

    Roy S. Schestowitz | INQredible Hacktivism
    http://Schestowitz.com | RHAT Linux | PGP-Key: 0x74572E8E
    23:20:03 up 14 days, 3:18, 2 users, load average: 1.51, 2.17, 2.04
    http://iuron.com - Open Source knowledge engine project

  4. Re: Windows random numbers: Unsafe at any speeed

    After takin' a swig o' grog, Peter Köhlmann belched out this bit o' wisdom:

    > Cryptanalysis of the Random Number Generator of the Windows
    > Operating System
    >
    > http://eprint.iacr.org/2007/419.pdf


    "Efficiency of attacks. The best forward security attack on the LRNG
    (Linux PRNG) requires O(2^64) work. The attack on the forward
    security of the WRNG is therefore more efficient by a factor of
    about 2^40 (it has an overhead of O(2^23) compared to O(2^64))."

    That is on Win 2000; they still have to analyze XP and 2003.

    Anyway, good thing these guys live in Israel. Microsoft would sure show
    them a good time in the U.S.

    --
    Tux rox!

  5. Re: Windows random numbers: Unsafe at any speeed

    After takin' a swig o' grog, Peter Köhlmann belched out this bit o' wisdom:

    > Cryptanalysis of the Random Number Generator of the Windows
    > Operating System
    >
    > http://eprint.iacr.org/2007/419.pdf


    I just used nmap to check a linux box and an XP box using "nmap -O -v".

    Linux box:

    TCP Sequence Prediction: Class=random positive increments
    Difficulty=1437230 (Good luck!)

    Windows XP:

    TCP Sequence Prediction: Class=truly random
    Difficulty=9999999 (Good luck!)

    I don't have a Win 2000 box to scan, but it looks like Microsoft greatly
    improved the pseudo-random-number generator from 2000 to XP. It's
    better than Linux's it seems.

    On the other hand, OS detection:

    Linux box:

    No exact OS matches for host

    Windows box:

    Running: IBM AIX 4.X, Microsoft Windows 2003/.NET|NT/2K/XP
    OS details: IBM AIX 4.3.2.0-4.3.3.0 on an IBM RS/*, Microsoft Windows
    2003 Server or XP SP2, Microsoft Windows XP SP2

    Ya lose some, ya win some!

    At least Microsoft made some progress.

    --
    Tux rox!

  6. Re: Windows random numbers: Unsafe at any speeed

    Linonut did eloquently scribble:
    > After takin' a swig o' grog, Peter Köhlmann belched out this bit o' wisdom:
    >> Cryptanalysis of the Random Number Generator of the Windows
    >> Operating System
    >>
    >> http://eprint.iacr.org/2007/419.pdf
    >
    > I just used nmap to check a linux box and an XP box using "nmap -O -v".
    >
    > Linux box:
    >
    > TCP Sequence Prediction: Class=random positive increments
    > Difficulty=1437230 (Good luck!)
    >
    > Windows XP:
    >
    > TCP Sequence Prediction: Class=truly random
    > Difficulty=9999999 (Good luck!)


    And just how does nmap know something is truly random compared to random
    increments?

    It's impossible for a computer to determine true randomness, AFAICT

    Did it measure /dev/random or /dev/urandom? If urandom, how
    would issuing a more regular reseed based on /dev/random help the case?

    --
    ______________________________________________________________________________
    | spike1@freenet.co.uk | "Are you pondering what I'm pondering Pinky?" |
    |Andrew Halliwell BSc(hons)| |
    | in | "I think so brain, but this time, you control |
    | Computer Science | the Encounter suit, and I'll do the voice..." |
    ------------------------------------------------------------------------------

  7. Re: Windows random numbers: Unsafe at any speeed

    After takin' a swig o' grog, spike1@freenet.co.uk belched out this bit o' wisdom:

    > Linonut did eloquently scribble:
    >> After takin' a swig o' grog, Peter Köhlmann belched out this bit o' wisdom:
    >>> Cryptanalysis of the Random Number Generator of the Windows
    >>> Operating System
    >>>
    >>> http://eprint.iacr.org/2007/419.pdf
    >>
    >> I just used nmap to check a linux box and an XP box using "nmap -O -v".
    >>
    >> Linux box:
    >>
    >> TCP Sequence Prediction: Class=random positive increments
    >> Difficulty=1437230 (Good luck!)
    >>
    >> Windows XP:
    >>
    >> TCP Sequence Prediction: Class=truly random
    >> Difficulty=9999999 (Good luck!)
    >
    > And just how does nmap know something is truly random compared to random
    > increments?
    >
    > It's impossible for a computer to determine true randomness, AFAICT
    >
    > Did it measure /dev/random or /dev/urandom? If urandom, how
    > would issuing a more regular reseed based on /dev/random help the case?


    It's an interesting question. I assume it takes a large number of
    samples of the TCP sequence number in response packets and then looks
    for clustering of the values over a certain time window.

    I know there are ways of assessing the quality of a random number
    generator. Random numbers are too important to be left to chance.

    I do remember some measurements I took a long time ago on Windows, where
    the "difficulty" was tagged as "trivial".

    Although I'm no fan of Microsoft the company, it is good that their
    technical people do learn some things.

    --
    Tux rox!
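    To make the sampling idea in the reply above concrete, here is an added example (my own code, not from the thread and not nmap's actual scoring, which differs in detail) that classifies a list of ISN samples with a simplified rule: look at the step between consecutive values, handle the 32-bit wrap, and use the spread of the steps as a "difficulty" score, capped at the 9999999 figure the quoted nmap output shows. The class labels and the cap are assumptions chosen to mirror the thread; the samples are constructed, not captured from any host.

```python
import statistics

MOD32 = 1 << 32
DIFFICULTY_CAP = 9_999_999   # ceiling chosen to mirror the nmap output quoted in the thread


def signed_deltas(isns):
    """Step between consecutive ISNs, taken modulo 2^32 and mapped into the signed
    32-bit range, so a wrap of the sequence counter is not mistaken for a huge jump."""
    out = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) % MOD32
        out.append(d - MOD32 if d >= MOD32 // 2 else d)
    return out


def assess_isn(isns):
    """Simplified classifier: returns (class label, difficulty).
    Difficulty is the population standard deviation of the steps (assumption)."""
    deltas = signed_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    if all(d == 0 for d in deltas):
        return "constant", 0
    if len(set(deltas)) == 1:
        return "constant increments", 0          # next ISN = last ISN + fixed step
    difficulty = min(int(statistics.pstdev(deltas)), DIFFICULTY_CAP)
    if all(d > 0 for d in deltas):
        return "random positive increments", difficulty
    return "random", difficulty


# Constructed samples (not captured from any real host)
CONSTANT_STEP = [1000 + 64000 * i for i in range(5)]
POSITIVE_STEPS = [0, 1_000_000, 4_000_000, 6_000_000, 10_000_000]
WRAPPING_STEPS = [0xFFFFE000, 0xFFFFF000, 0x00000800]     # counter wraps past 2^32
ANYWHERE = [0x10000000, 0x30000000, 0x20000000, 0x80000000]
```

Note that a host whose steps are all positive but widely spread scores a large difficulty here even though the direction of movement is still predictable, which is why the class label matters as much as the number.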

  8. Re: Windows random numbers: Unsafe at any speeed

    On 2007-11-13, Peter Köhlmann wrote:
    > Cryptanalysis of the Random Number Generator of the Windows
    > Operating System
    >
    > http://eprint.iacr.org/2007/419.pdf


    That makes a nice companion to this one:



    Two of the three authors of the latter are two of the three authors of
    the former.

    The latter is titled "Analysis of the Linux Random Number Generator".
    Here is the abstract:

    Linux is the most popular open source project. The Linux random
    number generator is part of the kernel of all Linux distributions
    and is based on generating randomness from entropy of operating
    system events. The output of this generator is used for almost every
    security protocol, including TLS/SSL key generation, choosing TCP
    sequence numbers, and file system and email encryption. Although the
    generator is part of an open source project, its source code (about
    2500 lines of code) is poorly documented, and patched with hundreds
    of code patches.

    We used dynamic and static reverse engineering to learn the
    operation of this generator. This paper presents a description of
    the underlying algorithms and exposes several security
    vulnerabilities. In particular, we show an attack on the forward
    security of the generator which enables an adversary who exposes the
    state of the generator to compute previous states and outputs. In
    addition we present a few cryptographic flaws in the design of the
    generator, as well as measurements of the actual entropy collected
    by it, and a critical analysis of the use of the generator in Linux
    distributions on disk-less devices.

    A better random number generator for Linux was submitted a couple years
    ago, based on Fortuna, which gets rid of that whole notion of trying to
    estimate entropy. See Niels Ferguson and Bruce Schneier, "Practical
    Cryptography" for a detailed discussion of the design of Fortuna and why
    entropy estimation is pointless.
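    To show what "gets rid of entropy estimation" and the abstract's "forward security" look like in code, here is an added toy implementation of the Fortuna accumulator and generator. It is my own illustration, not the submitted Linux patch and not a faithful Fortuna: SHA-256 in counter mode stands in for AES-CTR, and the time-based reseed limit is omitted. Events are never tagged with an entropy estimate; instead pool i is drained only at every 2^i-th reseed, and the generator key is replaced after every request.

```python
import hashlib

NUM_POOLS = 32
MIN_POOL_SIZE = 64  # bytes that must reach pool 0 before a reseed (Fortuna's default)

class FortunaLite:
    """Toy Fortuna: 32 entropy pools, scheduled reseeds, rekey after each request."""
    def __init__(self):
        self.pools = [hashlib.sha256() for _ in range(NUM_POOLS)]
        self.pool0_len = 0        # only a byte count is tracked, never an entropy estimate
        self.reseed_count = 0
        self.key = b"\x00" * 32   # generator key; all-zero until the first reseed
        self.counter = 0

    def add_event(self, source_id, pool_index, data):
        # Sources spread events round-robin over the pools; no entropy estimate is attached.
        self.pools[pool_index].update(bytes([source_id, len(data)]) + data)
        if pool_index == 0:
            self.pool0_len += len(data)

    @staticmethod
    def pools_for_reseed(r):
        # Pool i feeds reseed number r iff 2**i divides r, so pool i is drained
        # only every 2**i reseeds and has 2**i times longer to fill up.
        return [i for i in range(NUM_POOLS) if r % (1 << i) == 0]

    def reseed(self):
        self.reseed_count += 1
        seed = b""
        for i in self.pools_for_reseed(self.reseed_count):
            seed += self.pools[i].digest()
            self.pools[i] = hashlib.sha256()   # a drained pool starts over empty
        self.pool0_len = 0
        self.key = hashlib.sha256(self.key + seed).digest()

    def _block(self):
        # SHA-256 in counter mode stands in for Fortuna's AES-CTR (assumption).
        self.counter += 1
        return hashlib.sha256(self.key + self.counter.to_bytes(16, "little")).digest()

    def random_bytes(self, n):
        if self.pool0_len >= MIN_POOL_SIZE:
            self.reseed()
        if self.reseed_count == 0:
            raise RuntimeError("generator not yet seeded")
        out = b"".join(self._block() for _ in range((n + 31) // 32))[:n]
        # Forward security: the key that produced `out` is discarded and replaced by
        # fresh output, so a later compromise of the state cannot recompute `out`.
        self.key = self._block()
        return out
```

The reseed schedule is the part that replaces entropy estimation: an attacker who can flood the pools with known events still cannot prevent the higher pools from eventually collecting enough unknown input between their (rarer) drains.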
