[Full-disclosure] Re: SecureW2 TLS security problem

From: Simon Josefsson (jas_at_extundo.com)
Date: 10/06/05

  • Next message: Kevin Wilcox: "Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?"
    To: Yvan Boily <yboily@gmail.com>
    Date: Thu, 06 Oct 2005 16:27:55 +0200
    
    

    Yvan Boily <yboily@gmail.com> writes:

    > The default random number generator provided with Windows XP, 2003,
    > and Longhorn, is RtlGenRandom(PVOID,ULONG)
    > ; this is an undocumented API that is called by
    > CryptGenRandom(HCRYPTPROV, DWORD, BYTE*).

    SecureW2 is using CryptGenRandom now.

    > It uses significantly better sources of entropy than clock information
    > and process & thread ids.

    Are you aware of a quantification of the improvement? Having many
    entropy sources only inspire more confidence if the additional entropy
    sources provide any entropy. It is not clear to me that there is
    enough entropy in the listed sources to provide with good random
    numbers. Frankly, the list of entropy sources is so huge it appears
    as if it is meant to scare you away from scrutinizing each single
    entropy source. It is not clear whether the PRNG is ever re-seeded.

    Thanks,
    Simon
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


  • Next message: Kevin Wilcox: "Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?"