On Dec  2 13:38, Steven Reddie wrote:
> Two sentences after that one are these:
> 
>       "To form the seed for the random number generator, a calling
>       application supplies bits it might have - for instance, mouse or
>       keyboard timing input - that are then added to both the stored
>       seed and various system data and user data such as the process ID
>       and thread ID, the system clock, the system time, the system
>       counter, memory status, free disk clusters, the hashed user
>       environment block. This result is SHA-1 hashed, and the output is
>       used to seed an RC4 stream, which is then used as the random
>       stream and used to update the stored seed."
> 
> So although all processes access the same PRNG it seems that there is
> provision to "mix it up" a little.
> 
> I imagine that an installed Cryptographic Provider could provide its own
> PRNG and Windows could be configured to use that instead.

If you install another CSP, you can use this CSP and this CSP in turn
can use another source for its cryptographic magic, including the
sources for its random number generator.  The above description is only
valid for the predefined CSPs as delivered by default by the OS[1].

If you decide to use CryptGenRandom, you also have to call
CryptAcquireContext[2].  This function gets the CSP as an argument.  If
you use NULL here, as the openssl library does, the CSP is the one set
as the user default CSP.  The user default CSP can be set by a call to
CryptSetProvider[3], and is then used as the default provider for this
user.  Every process started after this call gets the new CSP.  This
means that the openssl library cannot be sure to use the same CSP all
the time, or even a trustworthy one (for a given value of trust).

But, if you call CryptAcquireContext with one of the Microsoft
predefined CSPs, you can rely on the fact that the same random number
generator is used all the time and the description above describes how
the random numbers are generated then.  Whatever your trust level in
relation to Microsoft is, you know at least which CSP is used.

FWIW, the Cygwin implementation of /dev/random and /dev/urandom uses the
"Microsoft Base Cryptographic Provider 1.0", MS_DEF_PROV, so at least
it's using the same cryptographic source all the time.  Shouldn't a
fixed CSP be used for the native Windows random number generator in
crypt/rand/rand_win.c, too?


Corinna

[1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptographic_provider_names.asp
[2] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptacquirecontext.asp
[3] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptsetprovider.asp

> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Corinna Vinschen
> Sent: Friday, 2 December 2005 7:59 AM
> To: openssl-dev@openssl.org
> Subject: Re: Alternate RAND_poll for XP/2003 Server/Vista
> 
> On Dec  1 12:43, Rick Jones wrote:
> > Corinna Vinschen wrote:
> > >I'm wondering about this anyway.  While the exact code of 
> > >CryptGenRandom isn't open source, MSDN has a quite extensive 
> > >description how the random numbers are generated by CryptGenRandom, 
> > >see the Remarks section in 
> > >http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptgenrandom.asp
> > >which also talks about the entropy sources used.
> > 
> > Being otherwise blissfully ignorant of things Windows, does this 
> > snippet from the URL above:
> > 
> > "With Microsoft CSPs, CryptGenRandom uses the same random number 
> > generator used by other security components."
> > 
> > imply that CryptGenRandom might be satisfied by code other than that 
> > from Microsoft described in the URL above?
> 
> You omitted the next sentence:
> 
> "This allows numerous processes to contribute to a system-wide seed."
> 
> I understand this as "every process using one of the Microsoft CSPs will
> internally access the same random number generator."  As if, say, every
> process uses /dev/random on Linux.
> 
> 
> Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat, Inc.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
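
The difference between a NULL provider and a fixed one, as discussed in the message above, shown as an added example (not code from the thread, from OpenSSL or from Cygwin). The function name csp_random and the RNG_* codes are hypothetical; it asks the acquired context for its name via PP_NAME so a caller can see which CSP actually served the request, and off Windows it only reports "unsupported".

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>              /* link with advapi32 */
#else                              /* no CryptoAPI: keep the file compilable */
#define MS_DEF_PROV_A "Microsoft Base Cryptographic Provider v1.0"
#endif

/* Result codes; these names belong to this example only. */
enum { RNG_OK, RNG_NO_CSP, RNG_WRONG_CSP, RNG_FAIL, RNG_UNSUPPORTED };

/* Fill buf with len random bytes from a CSP and report in `used` which
 * provider actually served the request.  provider == NULL selects the
 * user default CSP; a name such as MS_DEF_PROV_A pins one provider. */
int csp_random(const char *provider, unsigned char *buf, unsigned long len,
               char *used, unsigned long used_len)
{
    if (used_len) used[0] = '\0';
#ifdef _WIN32
    HCRYPTPROV h = 0;
    DWORD n = used_len;
    int rc = RNG_OK;
    /* CRYPT_VERIFYCONTEXT: no key container is needed just for random data */
    if (!CryptAcquireContextA(&h, NULL, provider, PROV_RSA_FULL,
                              CRYPT_VERIFYCONTEXT))
        return RNG_NO_CSP;
    if (!CryptGetProvParam(h, PP_NAME, (BYTE *)used, &n, 0))
        rc = RNG_FAIL;
    else if (provider && strcmp(provider, used) != 0)
        rc = RNG_WRONG_CSP;        /* the pinned name was not honoured */
    else if (!CryptGenRandom(h, len, buf))
        rc = RNG_FAIL;
    CryptReleaseContext(h, 0);
    return rc;
#else
    (void)provider; (void)buf; (void)len;
    return RNG_UNSUPPORTED;
#endif
}

int main(void)
{
    unsigned char r[16]; char name[256];
    int rc = csp_random(NULL, r, sizeof r, name, sizeof name);
    printf("user default: rc=%d provider=\"%s\"\n", rc, name);
    rc = csp_random(MS_DEF_PROV_A, r, sizeof r, name, sizeof name);
    printf("pinned:       rc=%d provider=\"%s\"\n", rc, name);
    return rc == RNG_OK ? 0 : 1;
}
```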
