Cryptanalysis of the random number generator of the Windows operating system-Reference-Cited by-同舟云学术

Cryptanalysis of the random number generator of the Windows operating system

Published:2009-10 Issue:1 Volume:13 Page:1-32
ISSN:1094-9224
Container-title:ACM Transactions on Information and System Security
language:en
Short-container-title:ACM Trans. Inf. Syst. Secur.

Author:

Dorrendorf Leo¹,Gutterman Zvi¹,Pinkas Benny²

Affiliation:

1. The Hebrew University of Jerusalem

2. University of Haifa

Abstract

The PseudoRandom Number Generator (PRNG) used by the Windows operating system is the most commonly used PRNG. The pseudorandomness of the output of this generator is crucial for the security of almost any application running in Windows. Nevertheless, its exact algorithm was never published. We examined the binary code of a distribution of Windows 2000. This investigation was done without any help from Microsoft. We reconstructed the algorithm used by the pseudorandom number generator (namely, the function CryptGenRandom). We analyzed the security of the algorithm and found a nontrivial attack: Given the internal state of the generator, the previous state can be computed in 2 23 steps. This attack on forward security demonstrates that the design of the generator is flawed, since it is well known how to prevent such attacks. After our analysis was published, Microsoft acknowledged that Windows XP is vulnerable to the same attack. We also analyzed the way in which the generator is used by the operating system and found that it amplifies the effect of the attack: The generator is run in user mode rather than in kernel mode; therefore, it is easy to access its state even without administrator privileges. The initial values of part of the state of the generator are not set explicitly, but rather are defined by whatever values are present on the stack when the generator is called. Furthermore, each process runs a different copy of the generator, and the state of the generator is refreshed with system-generated entropy only after generating 128KB of output for the process running it. The result of combining this observation with our attack is that learning a single state may reveal 128KB of the past and future output of the generator. The implication of these findings is that a buffer overflow attack or a similar attack can be used to learn a single state of the generator, which can then be used to predict all random values, such as SSL keys, used by a process in all its past and future operations. This attack is more severe and more efficient than known attacks in which an attacker can only learn SSL keys if it is controlling the attacked machine at the time the keys are used.

Publisher

Association for Computing Machinery (ACM)

Subject

Safety, Risk, Reliability and Quality,General Computer Science

Link

https://dl.acm.org/doi/pdf/10.1145/1609956.1609966

Reference26 articles.

1. A model and architecture for pseudo-random generation with applications to /dev/random

2. Beaver D. and Haber S. 1992. Cryptographic protocols provably secure against dynamic adversaries. In Advances in Cryptology (EUROCRYPT'92). Springer-Verlag Berlin 307--323. Beaver D. and Haber S. 1992. Cryptographic protocols provably secure against dynamic adversaries. In Advances in Cryptology (EUROCRYPT'92). Springer-Verlag Berlin 307--323.

3. Blum L. Blum M. and Shub M. 1983. Comparison of two pseudo-random number generators. In Advances in Cryptology (CRYPTO'82). Plenum Press New York 61--78. Blum L. Blum M. and Shub M. 1983. Comparison of two pseudo-random number generators. In Advances in Cryptology (CRYPTO'82). Plenum Press New York 61--78.

4. Bundesamt für Sicherheit in der Informationstechnik. 1999. AIS 20: Functionality classes and evaluation methodology for deterministic random number generators. Tech. rep. https://www.bsi.bund.de/cae/servlet/contentblob/478130/publicationFile/30547/ais31e_pdf.pdf Bundesamt für Sicherheit in der Informationstechnik. 1999. AIS 20: Functionality classes and evaluation methodology for deterministic random number generators. Tech. rep. https://www.bsi.bund.de/cae/servlet/contentblob/478130/publicationFile/30547/ais31e_pdf.pdf

Cited by 52 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. A Peripheral-Free True Random Number Generator Based on Integrated Circuits Enabled by Atomically Thin Two-Dimensional Materials;ACS Nano;2023-08-24

2. A TCP-based Covert Channel with Integrity Check and Retransmission;2023 20th Annual International Conference on Privacy, Security and Trust (PST);2023-08-21

3. Real-Time Optimization of a Pseudo-Random Number Generator Using Particle Swarm Optimization Method;Computer Science;2022-09-16

4. A new approach to analyze the independence of statistical tests of randomness;Applied Mathematics and Computation;2022-08

5. Convolution Neural Network-Based Sensitive Security Parameter Identification and Analysis;Wireless Communications and Mobile Computing;2022-04-01