Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: SecureW2 TLS security problem
From: Simon Josefsson <jas () extundo com>
Date: Thu, 06 Oct 2005 16:27:55 +0200

Yvan Boily <yboily () gmail com> writes:

The default random number generator provided with Windows XP, 2003,
and Longhorn, is RtlGenRandom(PVOID,ULONG)
; this is an undocumented API that is called by
CryptGenRandom(HCRYPTPROV, DWORD, BYTE*).

SecureW2 is using CryptGenRandom now.

It uses significantly better sources of entropy than clock information
and process & thread ids.

Are you aware of a quantification of the improvement?  Having many
entropy sources only inspire more confidence if the additional entropy
sources provide any entropy.  It is not clear to me that there is
enough entropy in the listed sources to provide with good random
numbers.  Frankly, the list of entropy sources is so huge it appears
as if it is meant to scare you away from scrutinizing each single
entropy source.  It is not clear whether the PRNG is ever re-seeded.

Thanks,
Simon
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault