Security researchers are claiming that the pseudo-random number generator used by Microsoft in Windows is flawed. Only Windows 2000 was evaluated, though the shortcomings of the random number generator are most likely present in Windows XP and Vista.
A team of cryptographers led by Dr. Benny Pinkas from the Department of Computer Science at the University of Haifa, Israel, was able to unravel how the CryptGenRandom function in Windows 2000 worked, without assistance from Microsoft. This analysis revealed that random number generation in Windows 2000 is far from genuinely random -- or even pseudo-random.
Because of this, it was possible for the researchers to predict numbers generated by the software, after first determining the internal state of the generator.
The implication here is that a local attack can be used to determine a single state of the random number generator. After that, it will be possible to predict all random values, such as those used in SSL keys, and possibly other cryptographic functions.
If you enjoy reading Greek geek-stuffs, you can check out the results of the research, titled "Cryptanalysis of the Windows Random Number Generator".
Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.