8

CryptGenRandom is a random number generator function in CryptoAPI in Windows. How much entropy has that random number generator ? I have already looked a lot, but I couldn't find it.

ouflak
  • 2,458
  • 10
  • 44
  • 49
wasja
  • 81
  • 1
  • 2
  • Also see [Cryptanalysis of the Random Number Generator of the Windows Operating System](https://eprint.iacr.org/2007/419.pdf) by Leo Dorrendor. – jww Mar 17 '17 at 14:13

1 Answers1

11

The exact algorithm of Windows CryptGenRandom was never published, therefore, some security experts suggest not to use it at all.

Some reverse-engineering and cryptanalysis was made. A published research (Cryptanalysis of the Windows Random Number Generator - Leo Dorrendorf, 2007) examined Windows 2000 RNG and found a number of weaknesses in the design and implementation.

The document also describes the entropy collector mechanism of the algorithm (section 4.2.3). The Entropy sources are:

Source                   Bytes requested
CircularHash              256
KSecDD                    256
GetCurrentProcessID()       8
GetCurrentThreadID()        8
GetTickCount()              8
GetLocalTime()             16
QueryPerformanceCounter()  24
GlobalMemoryStatus()       16
GetDiskFreeSpace()         40
GetComputerName()          16
GetUserName()             257
GetCursorPos()              8
GetMessageTime()           16
NTQuerySystemInformation calls:
ProcessorTimes             48
Performance               312
Exception                  16
Lookaside                  32
ProcessorStatistics       up to the remaining length (3584 bytes buffer)
ProcessesAndThreads       up to the remaining length

Since we are talking about a pseudo-number-generator and not a real-number-generator, you may say that there is no real entropy at all, or count only the sources that you may consider as "entropy" (pseudo-entropy).

I was unable to find information regarding newer versions on Windows.

Lior Kogan
  • 19,919
  • 6
  • 53
  • 85
  • 1
    what's about Windows Vista/7/8 entropy? – Eir Nym Jun 28 '12 at 12:49
  • The research link is bad. Can you adjust? – ahmd0 Jan 29 '14 at 19:13
  • A presentation is also available: http://www.wisdom.weizmann.ac.il/~naor/COURSE/PRIVACY/pinkas_prg_insecurity.ppt – Lior Kogan Jan 29 '14 at 19:33
  • This is a very good answer! I really like your systematic approach. How can you determine the *bytes requested* for each algorithm? The *performance*'s inspection has a very high proportion in the overall entropy (312 bits). Can you explain why? - - It would love to get your systematic approach also for the image analysis generally because I cannot find any quality preview about any algorithm, etc here http://cs.stackexchange.com/q/4935/10350 – Léo Léopold Hertz 준영 Aug 09 '16 at 13:53