Author Topic: Windows PRNG loophole  (Read 1448 times)

easuter

Windows PRNG loophole
« on: November 13, 2007, 01:42:47 pm »
A loophole in Windows' Pseudo Random Number Generator (PRNG) has been found. Apparently it is possible to discover past and even future numbers that will be generated. This means that encryption keys created using the Windows PRNG can be discovered.
Security by obscurity doesn't work, how much proof does MS need?   ::)

http://www.eurekalert.org/pub_releases/2007-11/uoh-slf111207.php

And the paper itself: http://eprint.iacr.org/2007/419

exeterdad

Re: Windows PRNG loophole
« Reply #1 on: November 13, 2007, 02:28:21 pm »
Quote
Their conclusion is that Microsoft needs to improve the way it encodes information. They recommend that Microsoft publish the code of their random number generators as well as of other elements of the "Windows" security system to enable computer security experts outside Microsoft to evaluate their effectiveness.

And equip hackers with what they need as well.

easuter

Re: Windows PRNG loophole
« Reply #2 on: November 14, 2007, 12:36:55 am »
Quote
And equip hackers with what they need as well.

Hackers already have what they need: an implementation of the WPRNG is in that paper, not to mention a full description of how it works.
What they meant is they want MS to open-source it, so the loophole can be quickly fixed.