> It just occurred to me that the registry key
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed (type
> REG_BINARY) contains the latest seeded value from everything that
> CryptoAPI takes into account when generating its random seed.
> CryptoAPI permutes it with RC4 to come up with a pseudo-random stream,
> but I wonder if it might make sense to try to make use of it the same
> way OpenSSL on UNIX uses /dev/urandom?


No. /dev/urandom returns a unique chunk for every read, while accessing
the key in question does not change its value. Therefore it is not
appropriate to use it as if it were /dev/urandom. The value is changed upon
calls to CryptoAPI, but then you get random data by CryptoAPI means and
don't need to read the key value. BTW, I fail to understand why the
seed has to be exposed world-readable. I mean, how do we know that
exposing the seed to a non-privileged adversary application does not
compromise the PRNG for other applications? For reference,
tightening the ACL to limit access to privileged users does not seem to have
side effects on non-privileged users. A.
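As an added illustration of the reply's two points (an example audit script, not code from the thread or from OpenSSL): it reads the Seed value twice to show it is static between reads, draws random bytes through the platform CSPRNG the supported way, and lists which principals the key's ACL allows to read it. It assumes the key path quoted above exists on the machine and that .NET's RandomNumberGenerator shares CryptoAPI's seed state; whether current Windows versions still update this key is not established by the thread.

```powershell
# Added audit script (not from the thread). Assumes the key path quoted in the
# thread exists; the seed-update check depends on the CSPRNG still touching it.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\RNG'

function Get-SeedHex {
    # Return the REG_BINARY Seed value as a hex string for easy comparison.
    $seed = (Get-ItemProperty -Path $keyPath -Name Seed -ErrorAction Stop).Seed
    return ($seed | ForEach-Object { $_.ToString('x2') }) -join ''
}

# 1. Two consecutive reads: an unchanged value confirms the key is not a
#    stream source like /dev/urandom.
$first  = Get-SeedHex
$second = Get-SeedHex
if ($first -eq $second) {
    Write-Output 'Consecutive reads returned the same bytes: not a /dev/urandom substitute.'
} else {
    Write-Output 'Seed changed between reads (some process used CryptoAPI in between).'
}

# 2. Draw random bytes the supported way; this is what applications should
#    call instead of reading the seed.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$buf = New-Object byte[] 32
$rng.GetBytes($buf)
$third = Get-SeedHex
Write-Output ("Seed updated after a CSPRNG call: {0}" -f ($third -ne $second))

# 3. Who can read the seed? List every Allow ACE that grants QueryValues so
#    non-privileged principals with read access stand out.
$queryValues = [System.Security.AccessControl.RegistryRights]::QueryValues
$acl = Get-Acl -Path $keyPath
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and ($ace.RegistryRights -band $queryValues)) {
        Write-Output ("{0,-40} {1}" -f $ace.IdentityReference, $ace.RegistryRights)
    }
}
```

Run it in an elevated PowerShell session; the ACL listing is the part to act on if entries such as Users or Everyone appear.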
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org