Researchers crack Windows 2000 random number generator


Israeli researchers at the University of Haifa have managed to reconstruct the algorithm of Windows 2000’s pseudo-random number generator and have stumbled upon a method of attack.

The vulnerability the researchers found in the pseudo-random number generator allows an attacker to retrieve information that was sent before the system was compromised. The Windows PRNG is critical to the security of almost all applications running on the operating system. The generator’s algorithm has never been published.

However, by analyzing the Windows 2000 binary code, the Israeli research team managed to reconstruct the algorithm and put its security to the test. The team arrived at a successful attack: if the attacker knows the state of the generator, for example through a buffer overflow, it turns out to be possible to infer the previous state. The way in which Windows uses the generator also appears to amplify the effect of the attack method.

For example, it turned out that the state of the generator was only refreshed after 128 KB of data had been sent to the process that called the generator. In addition, each process runs a different copy of the PRNG. As a result, an attack in which the state of the generator is known can reveal 128 KB of data from before or after that state, such as SSL keys.
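The effect described above, as an added illustration that is not from the article or the researchers: a toy generator (not the Windows 2000 algorithm, which the article does not give) with a reversible state update, showing that a captured state exposes every earlier block back to the last refresh. All names, constants, the seed and the entropy values are constructed for the example.

```python
import hashlib

MASK = (1 << 64) - 1
A, C = 6364136223846793005, 1442695040888963407  # A is odd, so invertible mod 2**64
A_INV = pow(A, -1, 1 << 64)                      # modular inverse of A

def output_block(state: int) -> bytes:
    return hashlib.sha256(state.to_bytes(8, "big")).digest()

class ToyGenerator:
    """Toy PRNG with a reversible state update; refreshes every `interval` blocks."""
    def __init__(self, seed, interval, entropy):
        self.state, self.interval = seed & MASK, interval
        self.entropy = iter(entropy)   # constructed stand-in for fresh system entropy
        self.count = 0

    def next_block(self):
        if self.count and self.count % self.interval == 0:
            self.state ^= next(self.entropy)   # refresh the state with new entropy
        self.count += 1
        block = output_block(self.state)
        self.state = (self.state * A + C) & MASK   # reversible update
        return block

def walk_back(captured_state, n):
    """Recompute the n blocks produced before `captured_state`, oldest first."""
    blocks, s = [], captured_state
    for _ in range(n):
        s = ((s - C) * A_INV) & MASK   # undo one state update
        blocks.append(output_block(s))
    return blocks[::-1]

def exposed_blocks(interval, produced=8):
    """Count how many already-produced blocks a single state capture exposes."""
    gen = ToyGenerator(seed=0x0123456789ABCDEF, interval=interval,
                       entropy=[0x1111111111111111 * k for k in range(1, 9)])
    history = [gen.next_block() for _ in range(produced)]  # e.g. past key material
    guess = walk_back(gen.state, produced)
    return sum(g == h for g, h in zip(guess, history))

if __name__ == "__main__":
    for interval in (8, 4, 2):
        print(f"refresh every {interval} blocks -> {exposed_blocks(interval)} of 8 exposed")
```

The shorter the refresh interval, the smaller the window a state capture exposes; a state update that cannot be reversed leaves no `walk_back` to write at all.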

The researchers consider their attack to be more serious and efficient than already known attack methods, in which an attacker can only obtain SSL keys if they have control over the system at the time the keys are used. However, it appears that the application that invoked the PRNG must be susceptible to attack, or the attacker must gain administrator rights on the system, to exploit the vulnerability.

The team has only examined Windows 2000, but assumes that Windows XP and Vista use the same generator and are therefore also vulnerable.
