Full Disclosure mailing list archives
Re: SecureW2 TLS security problem
From: Simon Josefsson <jas () extundo com>
Date: Thu, 06 Oct 2005 16:27:55 +0200
Yvan Boily <yboily () gmail com> writes:
The default random number generator provided with Windows XP, 2003, and Longhorn, is RtlGenRandom(PVOID,ULONG) ; this is an undocumented API that is called by CryptGenRandom(HCRYPTPROV, DWORD, BYTE*).
SecureW2 is using CryptGenRandom now.
It uses significantly better sources of entropy than clock information and process & thread ids.
Are you aware of a quantification of the improvement? Having many entropy sources only inspire more confidence if the additional entropy sources provide any entropy. It is not clear to me that there is enough entropy in the listed sources to provide with good random numbers. Frankly, the list of entropy sources is so huge it appears as if it is meant to scare you away from scrutinizing each single entropy source. It is not clear whether the PRNG is ever re-seeded. Thanks, Simon _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: SecureW2 TLS security problem Simon Josefsson (Oct 04)
- Re: Re: SecureW2 TLS security problem Valdis . Kletnieks (Oct 04)
- Re: Re: SecureW2 TLS security problem Yvan Boily (Oct 04)
- Re: SecureW2 TLS security problem Simon Josefsson (Oct 06)
- Re: Re: SecureW2 TLS security problem Yvan Boily (Oct 04)
- Re: Re: SecureW2 TLS security problem Valdis . Kletnieks (Oct 04)