Shortcomings of the Windows PRNG

Leo Dorrendorf, Zvi Gutterman and Benny Pinkas presented interesting research at the ACM CCS 2007 conference lately. An updated version of their paper on attacks against the Windows 2000 PRNG has now appeared on the IACR ePrint archive. Since they only had access to the PRNG DLL binaries, they had to reverse-engineer these first to get started. Their devastating result: The Windows PRNG offers neither forward and backward security, allowing an attacker learning the internal state of the generator to predict 128kBytes of past and future output. The PRNG runs in user-space and each process uses its own instance. If I read the paper correctly, the same PRNG was used for all versions of Windows between Windows 95 up to Windows XP [caveat: they analysed a Windows 2000 build and haven’t practically checked their results against other OS versions yet]. Practically speaking, this means that a successful remote exploit against your browser on these platforms is also in the position to reveal 600-1200 of your past SSL session keys by sending out the internal PRNG state. It remains to be seen whether this carries over to Vista – my rather uneducated guess here is that it does not, but that remains to be seen.

Zvi Gutterman has co-authored a number of interesting papers on PRNGs, namely analyses of the Linux PRNG [ePrint version] and of the Java session ID generation.

[Disclaimer: I met Zvi at the first ECRYPT summer school in Samos back in 2005. Way to go, man, way to go!]

Update [2007-11-22]: Apparently Microsoft has admitted that the same flaw still is present in Windows XP. And of course: No, this is no security vulnerability, according to Microsoft, since the attacker must have had access in the first place. Still they claim that Windows Vista does not exhibit the same mistake. This however has not yet been independently verified.

Leave a Reply