Entry Dorrendorf:2009:CRN from tissec.bib



BibTeX entry

@Article{Dorrendorf:2009:CRN,
  author =       "Leo Dorrendorf and Zvi Gutterman and Benny Pinkas",
  title =        "Cryptanalysis of the random number generator of the
                 {Windows} operating system",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "1",
  pages =        "10:1--10:32",
  month =        oct,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "https://doi.org/10.1145/1609956.1609966",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:12 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The PseudoRandom Number Generator (PRNG) used by the
                 Windows operating system is the most commonly used
                 PRNG. The pseudorandomness of the output of this
                 generator is crucial for the security of almost any
                 application running in Windows. Nevertheless, its exact
                 algorithm was never published.\par

                 We examined the binary code of a distribution of
                 Windows 2000. This investigation was done without any
                 help from Microsoft. We reconstructed the algorithm used
                 by the pseudorandom number generator (namely, the
                 function CryptGenRandom). We analyzed the security of
                 the algorithm and found a nontrivial attack: Given the
                 internal state of the generator, the previous state can
                 be computed in $2^{23}$ steps. This attack on forward
                 security demonstrates that the design of the generator
                 is flawed, since it is well known how to prevent such
                 attacks. After our analysis was published, Microsoft
                 acknowledged that Windows XP is vulnerable to the same
                 attack.\par

                 We also analyzed the way in which the generator is used
                 by the operating system and found that it amplifies the
                 effect of the attack: The generator is run in user mode
                 rather than in kernel mode; therefore, it is easy to
                 access its state even without administrator privileges.
                 The initial values of part of the state of the
                 generator are not set explicitly, but rather are
                 defined by whatever values are present on the stack
                 when the generator is called. Furthermore, each process
                 runs a different copy of the generator, and the state
                 of the generator is refreshed with system-generated
                 entropy only after generating 128KB of output for the
                 process running it. The result of combining this
                 observation with our attack is that learning a single
                 state may reveal 128KB of the past and future output of
                 the generator.\par

                 The implication of these findings is that a buffer
                 overflow attack or a similar attack can be used to
                 learn a single state of the generator, which can then
                 be used to predict all random values, such as SSL keys,
                 used by a process in all its past and future
                 operations. This attack is more severe and more
                 efficient than known attacks in which an attack",
  acknowledgement = ack-nhfb,
  articleno =    "10",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

Related entries