CryptGenRandom

Last updated March 29, 2024

CryptGenRandom is a deprecated^[1] cryptographically secure pseudorandom number generator function that is included in Microsoft CryptoAPI. In Win32 programs, Microsoft recommends its use anywhere random number generation is needed. A 2007 paper from Hebrew University suggested security problems in the Windows 2000 implementation of CryptGenRandom (assuming the attacker has control of the machine). Microsoft later acknowledged that the same problems exist in Windows XP, but not in Vista. Microsoft released a fix for the bug with Windows XP Service Pack 3 in mid-2008.^[2]

Background

The Win32 API includes comprehensive support for cryptographic security, including native TLS support (via the SCHANNEL API) and code signing. These capabilities are built on native Windows libraries for cryptographic operations, such as RSA and AES key generation. These libraries in turn rely on a cryptographically secure pseudorandom number generator (CSPRNG). CryptGenRandom is the standard CSPRNG for the Win32 programming environment.

Method of operation

Before Windows Vista

Microsoft-provided cryptography providers share the same implementation of CryptGenRandom, currently based on an internal function called RtlGenRandom.^[3] Only a general outline of the algorithm had been published as of 2007^[update]:

[RtlGenRandom] generates as specified in FIPS 186-2 appendix 3.1 with SHA-1 as the G function. And with entropy from:
The current process ID (GetCurrentProcessID).
The current thread ID (GetCurrentThreadID).
The tick count since boot time (GetTickCount).
The current time (GetLocalTime).
Various high-precision performance counters (QueryPerformanceCounter).
An MD4 hash of the user's environment block, which includes username, computer name, and search path. [...]
High-precision internal CPU counters, such as RDTSC, RDMSR, RDPMC
[omitted: long lists of low-level system information fields and performance counters]^[4]

Windows Vista and above

Microsoft has documented the implementation of the Windows 10 random number generator in some detail, in a whitepaper published in 2019.^[5] In Windows 10:

There exists a hierarchy of random number generators. The kernel has a "Root" PRNG, from which all randomness is ultimately derived. The kernel then uses the Root PRNG to seed one PRNG per logical processor (so the PRNG state is thread-local and requires no locking). When a process launches, it requests random bytes from the kernel per-processor PRNG to seed its own Process PRNG. It then uses the Process PRNG to also seed one buffered PRNG per logical processor.^[5]
All userspace calls to fetch randomness, be it CryptGenRandom or RtlGenRandom, ultimately fall to ProcessPrng, which returns bytes from the process's per-processor PRNG. The PRNG always uses the AES-CTR-DRBG algorithm as specified by FIPS SP800-90. Although BCryptGenRandom accepts requests for older algorithms for backward compatibility, it only ever return random numbers from the per-processor.^[5]^: 8
- AES-CTR-DBRG, instead of FIPS 186, has been the default since Windows Vista and Windows Server 2008.^[6]
- The removal of other algorithms happened in Windows 10.^[6]
The root RNG is periodically reseeded from the entropy pools.^[5]^: 9 At bootup when very little entropy is available, a special "initial seeding" procedure provides the seed from seed files, external entropy, TPM randomness, RDRAND, ACPI-OEM0 table, UEFI entropy, and the current time.^[5]^: 11
The kernel maintains multiple entropy pools. Multiple entropy sources append into pools, the main one being interrupt timing.^[5]^: 12 When a pool is used, the SHA-512 hash of its contents is taken as the output.^[5]^: 10 Windows does not estimate entropy.^[5]^: 16

Security

The security of a cryptosystem's CSPRNG is significant because it is the origin for dynamic key material. Keys needed "on the fly", such as the AES TLS session keys that protect HTTPS sessions with bank websites, originate from CSPRNGs. If these pseudorandom numbers are predictable, session keys are predictable as well. Because CryptGenRandom is the de facto standard CSPRNG in Win32 environments, its security is critical for Windows users.

The specifics of CryptGenRandom's algorithm have not been officially published. As with any unpublished random number generation algorithm, it may be susceptible to theoretical weaknesses including the use of outdated algorithms, and a reliance for entropy gathering on several monotonically-increasing counters that might be estimated or controlled to an extent by an attacker with local access to the system.

Cryptanalysis

A cryptanalysis of CryptGenRandom, published in November 2007 by Leo Dorrendorf and others from the Hebrew University of Jerusalem and University of Haifa, found significant weaknesses in the Windows 2000 implementation of the algorithm.^[7]

To take advantage of the vulnerability, an attacker would first need to compromise the program running the random number generator. The weaknesses in the paper all depend on an attacker siphoning the state bits out of the generator. An attacker in a position to carry out this attack would typically already be in a position to defeat any random number generator (for instance, they can simply sniff the outputs of the generator, or fix them in memory to known values). However, the Hebrew University team notes that an attacker only need steal the state bits once in order to persistently violate the security of a CryptGenRandom instance. They can also use the information they glean to determine past random numbers that were generated, potentially compromising information, such as credit card numbers, already sent.

The paper's attacks are based on the fact that CryptGenRandom uses the stream cipher RC4, which can be run backwards once its state is known. They also take advantage of the fact that CryptGenRandom runs in user mode, allowing anyone who gains access to the operating system at user level, for example by exploiting a buffer overflow, to get CryptGenRandom's state information for that process. Finally, CryptGenRandom refreshes its seed from entropy infrequently. This problem is aggravated by the fact that each Win32 process has its own instance of CryptGenRandom state; while this means that a compromise of one process does not transitively compromise every other process, it may also increase the longevity of any successful break.

Because the details of the CryptGenRandom algorithm are not public, Dorrendorf's team used reverse engineering tools to discern how the algorithm works. Their paper is the first published record of how the Windows cryptographic random number generator operates^{[ citation needed ]}.

Common Criteria

Windows 2000, XP and 2003 have all successfully undergone EAL4+ evaluations, including the CryptGenRandom() and FIPSGenRandom() implementations. The Security Target documentation is available at the Common Criteria Portal, and indicates compliance with the EAL4 requirements. Few conclusions can be drawn about the security of the algorithm as a result; EAL4 measures products against best practices and stated security objectives, but rarely involves in-depth cryptanalysis.

FIPS validation

Microsoft has obtained validation of its RNG implementations in the following environments:

Windows Vista and Server 2008 RNG Implementation (certificate 435)^[8]
Windows Vista RNG implementations (certificate 321)^[8]
Windows 2003 Enhanced Cryptographic Provider (rsaenh.dll) (certificate 316)^[8]
Windows 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (dssenh.dll) (certificate 314)^[8]
Windows 2003 Kernel Mode Cryptographic Module (fips.sys) (certificate 313)^[8]
Windows CE and Windows Mobile Enhanced Cryptographic Provider (rsaenh.dll) (certificate 292)^[8]
Windows CE and Windows Mobile Enhanced Cryptographic Provider (rsaenh.dll) (certificate 286)^[8]
Windows CE Enhanced Cryptographic Provider (rsaenh.dll) (certificate 66)^[8]

These tests are "designed to test conformance to the various approved RNG specifications rather than provide a measure of a product’s security. [...] Thus, validation should not be interpreted as an evaluation or endorsement of overall product security." Few conclusions can be drawn about the security of the algorithm as a result; FIPS evaluations do not necessarily inspect source code or evaluate the way RNG seeds are generated.^[9]

Alternatives

API level

Windows developers have several alternative means of accessing the CryptGenRandom functionality; these alternatives invoke the same algorithm and share the same security characteristics, but may have other advantages.

Using RtlGenRandom

Historically, we always told developers not to use functions such as rand to generate keys, nonces and passwords, rather they should use functions like CryptGenRandom, which creates cryptographically secure random numbers. The problem with CryptGenRandom is you need to pull in CryptoAPI (CryptAcquireContext and such) which is fine if you're using other crypto functions.
On a default Windows XP and later install, CryptGenRandom calls into a function named ADVAPI32!RtlGenRandom, which does not require you load all the CryptAPI stuff. In fact, the new Whidbey CRT function, rand_s calls RtlGenRandom.^[10]

Using RNGCryptoServiceProvider

Programmers using .NET should use the RNGCryptoServiceProvider Class.^[11]

Using Cryptography API: Next Generation (CNG)

The CNG ^[12] is a long term replacement for the deprecated Crypto API. It provides an equivalent function BCryptGenRandom^[13] as well as dedicated functions for key generation.

Programming languages

the Microsoft C++ library function rand_s uses RtlGenRandom and is recommended by Microsoft for secure applications.^[14]
the Python function urandom in the os module, which uses /dev/urandom on Unix-like systems, calls CryptGenRandom on Windows systems.^[15]
the Java JCA Provider "SunMSCAPI" available with OpenJDK and Oracle distributions of the JRE on Windows provides a SecureRandom implementation with the algorithm name Windows-PRNG. This class forwards all queries for random or seed bytes as well as setting additional seed bytes to native CryptGenRandom.^[16]

Related Research Articles

A pseudorandom number generator (PRNG), also known as a deterministic random bit generator (DRBG), is an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers. The PRNG-generated sequence is not truly random, because it is completely determined by an initial value, called the PRNG's seed. Although sequences that are closer to truly random can be generated using hardware random number generators, pseudorandom number generators are important in practice for their speed in number generation and their reproducibility.

The Yarrow algorithm is a family of cryptographic pseudorandom number generators (CSPRNG) devised by John Kelsey, Bruce Schneier, and Niels Ferguson and published in 1999. The Yarrow algorithm is explicitly unpatented, royalty-free, and open source; no license is required to use it. An improved design from Ferguson and Schneier, Fortuna, is described in their book, Practical Cryptography

A cryptographically secure pseudorandom number generator (CSPRNG) or cryptographic pseudorandom number generator (CPRNG) is a pseudorandom number generator (PRNG) with properties that make it suitable for use in cryptography. It is also loosely known as a cryptographic random number generator (CRNG).

Niels T. Ferguson is a Dutch cryptographer and consultant who currently works for Microsoft. He has worked with others, including Bruce Schneier, designing cryptographic algorithms, testing algorithms and protocols, and writing papers and books. Among the designs Ferguson has contributed to is the AES finalist block cipher algorithm Twofish as well as the stream cipher Helix and the Skein hash function.

In Unix-like operating systems, /dev/random and /dev/urandom are special files that serve as cryptographically secure pseudorandom number generators (CSPRNGs). They allow access to a CSPRNG that is seeded with entropy from environmental noise, collected from device drivers and other sources. /dev/random typically blocks if there was less entropy available than requested; more recently it usually blocks at startup until sufficient entropy has been gathered, then unblocks permanently. The /dev/urandom device typically was never a blocking device, even if the pseudorandom number generator seed was not fully initialized with entropy since boot. Not all operating systems implement the same methods for /dev/random and /dev/urandom.

In cryptography, nothing-up-my-sleeve numbers are any numbers which, by their construction, are above suspicion of hidden properties. They are used in creating cryptographic functions such as hashes and ciphers. These algorithms often need randomized constants for mixing or initialization purposes. The cryptographer may wish to pick these values in a way that demonstrates the constants were not selected for a nefarious purpose, for example, to create a backdoor to the algorithm. These fears can be allayed by using numbers created in a way that leaves little room for adjustment. An example would be the use of initial digits from the number $π$ as the constants. Using digits of $π$ millions of places after the decimal point would not be considered trustworthy because the algorithm designer might have selected that starting point because it created a secret weakness the designer could later exploit—though even with natural-seeming selections, enough entropy exists in the possible choices that the utility of these numbers has been questioned.

The security of cryptographic systems depends on some secret data that is known to authorized persons but unknown and unpredictable to others. To achieve this unpredictability, some randomization is typically employed. Modern cryptographic protocols often require frequent generation of random quantities. Cryptographic attacks that subvert or exploit weaknesses in this process are known as random number generator attacks.

A random password generator is a software program or hardware device that takes input from a random or pseudo-random number generator and automatically generates a password. Random passwords can be generated manually, using simple sources of randomness such as dice or coins, or they can be generated using a computer.

Fortuna is a cryptographically secure pseudorandom number generator (CS-PRNG) devised by Bruce Schneier and Niels Ferguson and published in 2003. It is named after Fortuna, the Roman goddess of chance. FreeBSD uses Fortuna for /dev/random and /dev/urandom is symbolically linked to it since FreeBSD 11. Apple OSes have switched to Fortuna since 2020 Q1.

Random number generation is a process by which, often by means of a random number generator (RNG), a sequence of numbers or symbols that cannot be reasonably predicted better than by random chance is generated. This means that the particular outcome sequence will contain some patterns detectable in hindsight but impossible to foresee. True random number generators can be hardware random-number generators (HRNGs), wherein each generation is a function of the current value of a physical environment's attribute that is constantly changing in a manner that is practically impossible to model. This would be in contrast to so-called "random number generations" done by pseudorandom number generators (PRNGs), which generate numbers that only look random but are in fact pre-determined—these generations can be reproduced simply by knowing the state of the PRNG.

The Microsoft Windows platform specific Cryptographic Application Programming Interface is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. It is a set of dynamically linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data. The Crypto API was first introduced in Windows NT 4.0 and enhanced in subsequent versions.

The Native API is a lightweight application programming interface (API) used by Windows NT and user mode applications. This API is used in the early stages of Windows NT startup process, when other components and APIs are still unavailable. Therefore, a few Windows components, such as the Client/Server Runtime Subsystem (CSRSS), are implemented using the Native API. The Native API is also used by subroutines such as those in kernel32.dll that implement the Windows API, the API based on which most of the Windows components are created.

The Microsoft Windows operating system supports a form of shared libraries known as "dynamic-link libraries", which are code libraries that can be used by multiple processes while only one copy is loaded into memory. This article provides an overview of the core libraries that are included with every modern Windows installation, on top of which most Windows applications are built.

In computing, entropy is the randomness collected by an operating system or application for use in cryptography or other uses that require random data. This randomness is often collected from hardware sources, either pre-existing ones such as mouse movements or specially provided randomness generators. A lack of entropy can have a negative impact on performance and security.

Dual_EC_DRBG is an algorithm that was presented as a cryptographically secure pseudorandom number generator (CSPRNG) using methods in elliptic curve cryptography. Despite wide public criticism, including the public identification of the possibility that the National Security Agency put a backdoor into a recommended implementation, it was for seven years one of four CSPRNGs standardized in NIST SP 800-90A as originally published circa June 2006, until it was withdrawn in 2014.

There are various implementations of the Advanced Encryption Standard, also known as Rijndael.

RDRAND is an instruction for returning random numbers from an Intel on-chip hardware random number generator which has been seeded by an on-chip entropy source. Intel introduced the feature around 2012, and AMD added support for the instruction in June 2015.

Dell BSAFE, formerly known as RSA BSAFE, is a FIPS 140-2 validated cryptography library, available in both C and Java. BSAFE was initially created by RSA Security, which was purchased by EMC and then, in turn, by Dell. When Dell sold the RSA business to Symphony Technology Group in 2020, Dell elected to retain the BSAFE product line. BSAFE was one of the most common encryption toolkits before the RSA patent expired in September 2000. It also contained implementations of the RCx ciphers, with the most common one being RC4. From 2004 to 2013 the default random number generator in the library was a NIST-approved RNG standard, widely known to be insecure from at least 2006, containing a kleptographic backdoor from the American National Security Agency (NSA), as part of its secret Bullrun program. In 2013 Reuters revealed that RSA had received a payment of $10 million to set the compromised algorithm as the default option. The RNG standard was subsequently withdrawn in 2014, and the RNG removed from BSAFE beginning in 2015.

Entropy-supplying system calls are system calls in Unix-like operating system kernels through which processes can obtain entropic or random data. The first of these was getentropy, introduced to the OpenBSD operating system in release 5.6, as a refactoring of the sysctl(3) KERN_ARND approach used since 1997. Linux offers a very similar system call, getrandom, which was based on getentropy. It was first available in Linux 3.17, released in October 2014. In July 2015, Solaris introduced slightly modified versions of getentropy and getrandom. In August 2015, FreeBSD introduced the read_random system call for obtaining random data from the kernel.

A counter-based random number generation is a kind of pseudorandom number generator that uses only an integer counter as its internal state. They are generally used for generating pseudorandom numbers for large parallel computations.

References

↑ CryptGenRandom Function (Windows) "Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases." (This notice applies to all of CryptoAPI.)
↑ "Microsoft confirms that XP contains random number generator bug". Archived from the original on 2008-06-22.
↑ RtlGenRandom Function (Windows)
↑ Howard, Michael; Leblanc, David (2003). Writing Secure Code, Second Edition . Pearson Education. ISBN 0-7356-1722-8.
1 2 3 4 5 6 7 8 Ferguson, Niels (October 2019). "The Windows 10 random number generation infrastructure" (PDF). download.microsoft.com.
1 2 "CNG Algorithm Identifiers (Bcrypt.h) - Win32 apps". learn.microsoft.com. 13 April 2023. Note: Beginning with Windows Vista with SP1 and Windows Server 2008, the random number generator is based on the AES counter mode specified in the NIST SP 800-90 standard. [...] Windows 10: Beginning with Windows 10, the dual elliptic curve random number generator algorithm has been removed. Existing uses of this algorithm will continue to work; however, the random number generator is based on the AES counter mode specified in the NIST SP 800-90 standard.
↑ Dorrendorf, Leo; Zvi Gutterman; Benny Pinkas. "Cryptanalysis of the Random Number Generator of the Windows Operating System" (PDF). Archived from the original (PDF) on 2012-05-18. Retrieved 2007-11-12.
1 2 3 4 5 6 7 8 "RNG Validation List". NIST Computer Security Division. Retrieved 20 March 2024.
↑ "The Random Number Generator Validation System (RNGVS)" (PDF). National Institute of Standards and Technology Computer Security Division. 31 January 2005. Archived from the original (PDF) on 24 February 2013. Retrieved 18 June 2013.
↑ Michael Howard's Web Log : Cryptographically Secure Random number on Windows without using CryptoAPI
↑ "Archived copy". Archived from the original on 2006-09-08. Retrieved 2007-08-27.{{cite web}}: CS1 maint: archived copy as title (link)
↑ Crypto API Next Generation (Windows)
↑ BCryptGenRandom (Windows)
↑ http://msdn.microsoft.com/en-us/library/sxtz2fa8(VS.80).aspx Visual C++ Developer Center , rand_s
↑ https://docs.python.org/2/library/os.html#os.urandom Python Library Reference, OS module
↑ http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunMSCAPI Oracle Java SE 8 technical documentation, Sun Providers

External links

Microsoft Shared Source licensing programs

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] CryptGenRandom Function (Windows) "Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases." (This notice applies to all of CryptoAPI.)

[2] "Microsoft confirms that XP contains random number generator bug". Archived from the original on 2008-06-22.

[3] RtlGenRandom Function (Windows)

[4] Howard, Michael; Leblanc, David (2003). Writing Secure Code, Second Edition . Pearson Education. ISBN 0-7356-1722-8.

[10white-5] 1 2 3 4 5 6 7 8 Ferguson, Niels (October 2019). "The Windows 10 random number generation infrastructure" (PDF). download.microsoft.com.

[CNGid-6] 1 2 "CNG Algorithm Identifiers (Bcrypt.h) - Win32 apps". learn.microsoft.com. 13 April 2023. Note: Beginning with Windows Vista with SP1 and Windows Server 2008, the random number generator is based on the AES counter mode specified in the NIST SP 800-90 standard. [...] Windows 10: Beginning with Windows 10, the dual elliptic curve random number generator algorithm has been removed. Existing uses of this algorithm will continue to work; however, the random number generator is based on the AES counter mode specified in the NIST SP 800-90 standard.

[7] Dorrendorf, Leo; Zvi Gutterman; Benny Pinkas. "Cryptanalysis of the Random Number Generator of the Windows Operating System" (PDF). Archived from the original (PDF) on 2012-05-18. Retrieved 2007-11-12.

[nistrng-8] 1 2 3 4 5 6 7 8 "RNG Validation List". NIST Computer Security Division. Retrieved 20 March 2024.

[rngvs-9] "The Random Number Generator Validation System (RNGVS)" (PDF). National Institute of Standards and Technology Computer Security Division. 31 January 2005. Archived from the original (PDF) on 24 February 2013. Retrieved 18 June 2013.

[Howard-10] Michael Howard's Web Log : Cryptographically Secure Random number on Windows without using CryptoAPI

[11] "Archived copy". Archived from the original on 2006-09-08. Retrieved 2007-08-27.{{cite web}}: CS1 maint: archived copy as title (link)

[12] Crypto API Next Generation (Windows)

[13] BCryptGenRandom (Windows)

[14] ttp://msdn.microsoft.com/en-us/library/sxtz2fa8(VS.80).aspx Visual C++ Developer Center , rand_s

[15] ttps://docs.python.org/2/library/os.html#os.urandom Python Library Reference, OS module

[16] ttp://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunMSCAPI Oracle Java SE 8 technical documentation, Sun Providers

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]