Microsoft Acknowledges PRNG Bug in Windows XP

Microsoft has finally acknowledged that the vulnerabilities found by Israeli researchers in Windows 2000 also extend to Windows XP. The vulnerabilities involve Windows' pseudo-random number generator (PRNG), a piece of code that generates seemingly random numbers for various uses in the system. I say "seemingly" because you have to trick a deterministic computer to produce numbers that behave like they're random (a trick I studied while an MS student in math many years ago).

In an academic paper published recently (read the PDF here), the researchers described how they recreated the algorithm used by Windows 2000's PRNG, and used that to investigate how it's used in the system. Windows and its applications use the PRNG to create random encryption keys, which are in turn used to encrypt files and e-mail messages, and by the Secure Socket Layer protocol.

The researchers also noted vulnerabilities in the Windows CryptGenRandom function, which calls on the algorithm. This may cause any application using the Windows cryptologic functions to exhibit the vulnerability.

Do you need to use random numbers in your application? And with the Windows PRNG? Let me know if you trust it at pvarhol@redmondmag.com.

Posted by Peter Varhol on November 27, 2007 at 11:57 AM