CryptGenRandom
CryptGenRandom is a function that is included in . In programs, Microsoft recommends its use anywhere random number generation is needed. A 2007 paper from Hebrew University suggested security problems in the implementation of CryptGenRandom (assuming the attacker has control of the machine). Microsoft later acknowledged that the same problems exist in , but not in . Microsoft released a fix for the bug with Windows XP Service Pack 3 in mid-2008.
Contents
Background
The includes comprehensive support for cryptographic security, including native support (via the SCHANNEL API) and code signing. These capabilities are built on native Windows libraries for cryptographic operations, such as and AES key generation. These libraries in turn rely on a (CSPRNG). CryptGenRandom is the standard CSPRNG for the Win32 programming environment.
Method of operation
Microsoft-provided cryptography providers share the same implementation of CryptGenRandom, currently based on an internal called RtlGenRandom. Only a general outline of the algorithm had been published :
<blockquote> [RtlGenRandom] generates as specified in 186-2 appendix 3.1 with SHA-1 as the G function. And with entropy from:
- The current process ID (GetCurrentProcessID).
- The current thread ID (GetCurrentThreadID).
- The tick count since boot time (GetTickCount).
- The current time (GetLocalTime).
- Various high-precision performance counters (QueryPerformanceCounter).
- An MD4 hash of the user’s environment block, which includes username, computer name, and search path. <nowiki>[…]</nowiki>
- High-precision internal CPU counters, such as RDTSC, RDMSR, RDPMC
<nowiki>[</nowiki>omitted: long lists of low-level system information fields and performance counters<nowiki>]</nowiki>
</blockquote>
Security
The security of a cryptosystem’s CSPRNG is significant because it is the origin for dynamic key material. Keys needed “on the fly”, such as the AES TLS session keys that protect sessions with bank websites, originate from CSPRNGs. If these pseudorandom numbers are predictable, session keys are predictable as well. Because CryptGenRandom is the de facto standard CSPRNG in Win32 environments, its security is critical for Windows users.
The specifics of CryptGenRandom’s algorithm have not been officially published. As with any unpublished random number generation algorithm, it may be susceptible to theoretical weaknesses including the use of outdated algorithms, and a reliance for gathering on several monotonically-increasing counters that might be estimated or controlled to an extent by an attacker with local access to the system.
Cryptanalysis
A of CryptGenRandom, published in November 2007 by Leo Dorrendorf and others from the and , found significant weaknesses in the implementation of the algorithm.
To take advantage of the vulnerability, an attacker would first need to compromise the program running the random number generator. The weaknesses in the paper all depend on an attacker siphoning the state bits out of the generator. An attacker in a position to carry out this attack would typically already be in a position to defeat any random number generator (for instance, they can simply sniff the outputs of the generator, or fix them in memory to known values). However, the Hebrew University team notes that an attacker only need steal the state bits once in order to persistently violate the security of a CryptGenRandom instance. They can also use the information they glean to determine past random numbers that were generated, potentially compromising information, such as credit card numbers, already sent.
The paper’s attacks are based on the fact that CryptGenRandom uses the stream cipher , which can be run backwards once its state is known. They also take advantage of the fact that CryptGenRandom runs in , allowing anyone who gains access to the operating system at user level, for example by exploiting a , to get CryptGenRandom’s state information for that process. Finally, CryptGenRandom refreshes its seed from infrequently. This problem is aggravated by the fact that each Win32 process has its own instance of CryptGenRandom state; while this means that a compromise of one process does not transitively compromise every other process, it may also increase the longevity of any successful break.
Because the details of the CryptGenRandom algorithm are not public, Dorrendorf’s team used tools to discern how the algorithm works. Their paper is the first published record of how the Windows cryptographic random number generator operates.
Common Criteria
Windows 2000, XP and 2003 have all successfully undergone EAL4+ evaluations, including the CryptGenRandom() and FIPSGenRandom() implementations. The Security Target documentation is available at the Common Criteria Portal, and indicates compliance with the EAL4 requirements. Few conclusions can be drawn about the security of the algorithm as a result; EAL4 measures products against best practices and stated security objectives, but rarely involves in-depth cryptanalysis.
FIPS validation
Microsoft has obtained validation of its RNG implementations in the following environments:
- Windows Vista RNG implementations (certificate 321)
- Windows 2003 Enhanced Cryptographic Provider (rsaenh.dll) (certificate 316)
Alternatives
API level
Windows developers have several alternative means of accessing the CryptGenRandom functionality; these alternatives invoke the same algorithm and share the same security characteristics, but may have other advantages.
Using RtlGenRandom
<blockquote> “Historically, we always told developers not to use functions such as rand to generate keys, nonces and passwords, rather they should use functions like CryptGenRandom, which creates cryptographically secure random numbers. The problem with CryptGenRandom is you need to pull in CryptoAPI (CryptAcquireContext and such) which is fine if you’re using other crypto functions.
On a default Windows XP and later install, CryptGenRandom calls into a function named ADVAPI32!RtlGenRandom, which does not require you load all the CryptAPI stuff. In fact, the new CRT function, rand_s calls RtlGenRandom”. </blockquote>
Using RNGCryptoServiceProvider
Programmers using should use the RNGCryptoServiceProvider Class.
Programming languages
- the Microsoft C++ library function rand_s uses RtlGenRandom and is recommended by Microsoft for secure applications.
- the Python function urandom in the os module, which uses on systems, calls CryptGenRandom on Windows systems.
- the JCA Provider “SunMSCAPI” available with OpenJDK and Oracle distributions of the JRE on Windows provides a SecureRandom implementation with the algorithm name Windows-PRNG. This class forwards all queries for random or seed bytes as well as setting additional seed bytes to native CryptGenRandom.
See Also on BitcoinWiki
- – the approximate equivalent of CryptGenRandom in and the
- – a randomness source in most kernels