Re: Fw: PasswordSafe 3.0 weak random number generator allows key recovery attack



Markus Jansson wrote:
PasswordSafe 3.0 utilizes two different random number generator (RNG)
functions: Win32 API RtlGenRandom() and standart Visual C++ rand().
RtlGenRandom() is not available on Windows prior to Windows XP (i.e.
Windows 2000, Windows NT, Windows Me) so rand() is used instead.
Specifically, rand() is used to generate 256-bit database encryption
key. It is widely known that using rand() in cryptographic
applications is not secure due to its predictbility and small
internal state.
...

I wonder how many people using Password Safe 3.0 would be using anything older than Windows XP?

--
*Adam W. Montville, CISSP*
awm@xxxxxxxxxxxxxxxxxxxxx
*ICQ: 271-685-874*
.