
Cryptanalysis of the random number generator of the Windows operating system

Published: 06 November 2009

Abstract

The PseudoRandom Number Generator (PRNG) used by the Windows operating system is the most commonly used PRNG. The pseudorandomness of the output of this generator is crucial for the security of almost any application running in Windows. Nevertheless, its exact algorithm was never published.

We examined the binary code of a distribution of Windows 2000. This investigation was done without any help from Microsoft. We reconstructed the algorithm used by the pseudorandom number generator (namely, the function CryptGenRandom). We analyzed the security of the algorithm and found a nontrivial attack: given the internal state of the generator, the previous state can be computed in 2^23 steps. This attack on forward security demonstrates that the design of the generator is flawed, since it is well known how to prevent such attacks (the state update must be a one-way function, so that a compromised state does not reveal earlier states). After our analysis was published, Microsoft acknowledged that Windows XP is vulnerable to the same attack.

We also analyzed the way in which the generator is used by the operating system and found that it amplifies the effect of the attack: The generator is run in user mode rather than in kernel mode; therefore, it is easy to access its state even without administrator privileges. The initial values of part of the state of the generator are not set explicitly, but rather are defined by whatever values are present on the stack when the generator is called. Furthermore, each process runs a different copy of the generator, and the state of the generator is refreshed with system-generated entropy only after generating 128KB of output for the process running it. The result of combining this observation with our attack is that learning a single state may reveal 128KB of the past and future output of the generator.
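The two properties the abstract combines, a state update that can be run backwards and a long interval between entropy refreshes, can be shown on a toy generator. The Python below is an added example written for this page; it is not the Windows CryptGenRandom algorithm (which the page does not reproduce) and makes no claim about the real 2^23 work factor. The 16-byte block size, the eight-block refresh window that stands in for the 128KB interval, the XOR feedback used for the weak update, the SHA-256 based output function and one-way fix, and the fixed seed and entropy values are all constructed for illustration. The attacker is assumed to have read the generator's state out of process memory, as the abstract describes, and to know the algorithm.

```python
import hashlib
import os
from typing import Callable, List, Tuple

BLOCK = 16            # bytes returned per call (hypothetical)
WINDOW = 8 * BLOCK    # bytes between entropy refreshes; stands in for the 128KB window


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _output(key: bytes, n: int) -> bytes:
    """Output block n under the current key (hypothetical PRF, one-way in the key)."""
    return hashlib.sha256(b"out" + key + n.to_bytes(8, "big")).digest()[:BLOCK]


def _feedback(n: int) -> bytes:
    """Public, state-independent word that the weak update XORs into the key."""
    return hashlib.sha256(b"fb" + n.to_bytes(8, "big")).digest()


State = Tuple[bytes, int, int]   # (key, step counter, bytes produced since last refresh)


class ToyPRNG:
    """One per-process generator. one_way=False mimics the flaw: the key update is a
    bijection, so state_i uniquely determines state_{i-1}. one_way=True is the textbook
    fix: key_{i+1} = H(key_i), so walking backwards means inverting the hash."""

    def __init__(self, seed: bytes, one_way: bool,
                 entropy: Callable[[], bytes] = lambda: os.urandom(32)) -> None:
        self.key, self.n, self.produced = seed, 0, 0
        self.one_way, self.entropy = one_way, entropy

    def state(self) -> State:
        """What an attacker who can read the process's memory obtains."""
        return (self.key, self.n, self.produced)

    @classmethod
    def from_state(cls, st: State, one_way: bool) -> "ToyPRNG":
        g = cls(st[0], one_way)
        g.n, g.produced = st[1], st[2]
        return g

    def next_block(self) -> bytes:
        out = _output(self.key, self.n)
        if self.one_way:
            self.key = hashlib.sha256(b"next" + self.key).digest()   # no cheap inverse
        else:
            self.key = _xor(self.key, _feedback(self.n))             # trivially invertible
        self.n += 1
        self.produced += BLOCK
        if self.produced >= WINDOW:          # entropy refresh only after a full window
            self.key = hashlib.sha256(self.key + self.entropy()).digest()
            self.produced = 0
        return out


def recover_past(st: State) -> List[bytes]:
    """Forward-security break against the weak update: from a captured state, step the
    key backwards to the last entropy refresh and recompute every block emitted since.
    The refresh mixes in unknown entropy, so recovery stops there. Run against the
    one-way variant, the same bookkeeping yields garbage, because there the update
    has no inverse to apply."""
    key, n, produced = st
    blocks = []
    for _ in range(produced // BLOCK):
        n -= 1
        key = _xor(key, _feedback(n))        # one XOR per step backwards
        blocks.append(_output(key, n))
    return blocks[::-1]


def predict_future(st: State, one_way: bool) -> List[bytes]:
    """Either variant is fully predictable from a captured state until the next entropy
    refresh; the one-way update protects only the past, the refresh only the future."""
    g = ToyPRNG.from_state(st, one_way)
    remaining = (WINDOW - st[2]) // BLOCK
    return [g.next_block() for _ in range(remaining)]


def demo(one_way: bool, seed: bytes = b"\x11" * 32) -> Tuple[int, int, int]:
    """Run a victim process, capture its state after 13 calls, and report how many of the
    blocks since the last refresh an attacker recovers backwards and forwards.
    Fixed seed and entropy are constructed input so the run is reproducible."""
    victim = ToyPRNG(seed, one_way, entropy=lambda: b"\x22" * 32)
    history = [victim.next_block() for _ in range(13)]   # refresh happened at call 8
    captured = victim.state()
    future = [victim.next_block() for _ in range(3)]     # calls 14..16, then a refresh

    since_refresh = history[8:]                          # calls 9..13
    past_ok = sum(a == b for a, b in zip(recover_past(captured), since_refresh))
    future_ok = sum(a == b for a, b in zip(predict_future(captured, one_way), future))
    return len(since_refresh), past_ok, future_ok


if __name__ == "__main__":
    print("invertible update:", demo(one_way=False))   # all 5 past and 3 future blocks
    print("one-way update:   ", demo(one_way=True))    # 0 past, still 3 future blocks
```

The one-way variant shows why the two defences are separate: hashing the key forward stops an attacker from walking back to earlier outputs, but every block up to the next entropy refresh is still predictable from a captured state, which is why the abstract treats the 128KB refresh interval as an amplifier of the attack rather than as a mitigation.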

The implication of these findings is that a buffer overflow attack or a similar attack can be used to learn a single state of the generator, which can then be used to predict all random values, such as SSL keys, used by a process in all its past and future operations. This attack is more severe and more efficient than known attacks in which an attacker can only learn SSL keys if it is controlling the attacked machine at the time the keys are used.



Published in: ACM Transactions on Information and System Security, Volume 13, Issue 1, October 2009, 289 pages.
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/1609956

      Copyright © 2009 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 6 November 2009
      • Accepted: 1 June 2009
      • Revised: 1 August 2008
      • Received: 1 November 2007


      Qualifiers

      • research-article
      • Research
      • Refereed
