10

So, as we all know, Dual_EC_DRBG contains an NSA back door. At this point, there is no reason to call it a "potential" or even an "alleged" back door; the presence is obvious even to the NY Times.

As we also know, RSA BSAFE has been using Dual_EC_DRBG by default, with a justification so stupid it can only be translated as "because NSA paid us to".

This comment on Ars Technica asserts that Microsoft also uses this generator. But I have seen claims to the contrary. Thus my questions are:

What PRNG does Windows Server use to generate private keys for Certificate Signing Requests?

What PRNG does Internet Explorer on Windows use to generate session keys? How about Chrome and Firefox on Windows?

What PRNG does IIS on Windows use to generate ephemeral key material for PFS?

I am most interested in the latest versions of all of these products, and certainly only those released after 2007. References or at least an air of authority are preferred.

Community
  • 1
Nemo
  • 1,377
  • 1
  • 14
  • 18

2 Answers2

10

The September 2013 supplemental ITL bulletin released by NIST has drawn attention to NIST publication SP 800-90A, Random Number Generation using Deterministic Random Number Generation; specifically the trustworthiness of the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) algorithm. As a result, NIST strongly discourages the use of Dual EC DRBG until concerns with it are addressed in a future revision of SP 800-90A.

The Windows CNG cryptographic infrastructure provides an implementation of DUAL_EC_DRBG applications may use. The Windows Crypto development team has reviewed supported version of Windows and determined that no features or components included in Windows specifically uses Dual EC DRBG.

Windows has a mechanism for configuring the default RNG algorithm to be used by various parts of the system. The default configurations for Windows 8.1, Windows Server 2012R2, Windows 8, Windows Server 2012, Windows 7 and Windows Server 2008R2 do not use Dual EC DRBG as the default random number generator algorithm. The default random number generator algorithm for these versions of Windows is AES_CTR_DRBG from SP800-90a.

DRBGs rely on entropy to provide secure random number generation. Good entropy typically depends on hardware and other factors to ensure its randomness. Most applications rely on the platform to provide secure random numbers. I would expect that Chrome and Firefox would use the BCryptGenRandom to generate secure random numbers on Windows; however, each respective development team is more authoritative on how they generate random numbers when their browsers run on the Windows platform.

Mike Stephens Windows Program Manager, Cryptography

Mike Stephens
  • 116
  • 1
  • 2
  • 4
    According to wikipedia you introduced DUAL_EC_DRBG in Windows Vista, but your post doesn't mention Vista and Server 2008. What's their status regarding DUAL_EC? Sorry for nitpicking, but I read a few too many carefully worded denials recently. According to imichaelmiers's answer there was a change in the default in a Service Pack for Vista, with both versions (Hash and AES-CTR) considered safe. – CodesInChaos May 05 '14 at 21:09
  • As a result, NIST strongly discourages the use of Dual EC DRBG until concerns with it are addressed in a future revision of SP 800-90A. Well… in contrast to that rather outdated statement, I personally doubt they will address it in future revisions because on April 21, 2014, NIST stated that NIST removed Dual_EC_DRBG from the Rev. 1 document. The revised SP 800-90A is available at http://csrc.nist.gov/news_events/index.html#apr21 ––– Anyway, thanks for the feedback on the MS perspective and status quo. Much appreciated. – e-sushi May 07 '14 at 18:28
  • 1
    When one calls NTSTATUS ret = BCryptGenRandom(NULL, output, size, BCRYPT_USE_SYSTEM_PREFERRED_RNG), which RNG is used? BCRYPT_USE_SYSTEM_PREFERRED_RNG behavior is not well documented with respect to its interactions with BCRYPT_RNG_ALGORITHM and BCRYPT_RNG_DUAL_EC_ALGORITHM. (Or maybe more correctly, its ambiguous in the NIST security policy). I ask because I've seen others use it, like Wine. –  Apr 29 '16 at 02:00
  • Hmmm. Can't find AES_CTR_DRBG in https://docs.microsoft.com/en-us/windows/win32/seccng/cng-algorithm-identifiers – Joshua May 12 '22 at 15:09
4

According to the BCryptGenRandom documentation

The default random number provider implements an algorithm for generating random numbers that complies with the NIST SP800-90 standard, specifically the CTR_DRBG portion of that >standard.

Specifically, according to this the default value is BCRYPT_RNG_ALGORITHM which is:

The random-number generator algorithm.Standard: FIPS 186-2, FIPS 140-2, NIST SP 800-90

Note Beginning with Windows Vista with SP1 and Windows Server 2008, the random number generator is based on the AES counter mode specified in the NIST SP 800-90 standard.

Windows Vista: The random number generator is based on the hash-based random number generator specified in the FIPS 186-2 standard.

Windows 8: Beginning with Windows 8, the RNG algorithm supports FIPS 186-3. Keys less than or equal to 1024 bits adhere to FIPS 186-2 and keys greater than 1024 to FIPS 186-3.

An obvious questions is if this is actually the random number generator running. It would be very easy of course to change the value of BCRYPT_RNG_ALGORITHM to BCRYPT_RNG_DUAL_EC_ALGORITHM, especially to specifically target systems or for targeted regions. Given that DUAL_EC_DRBG has a bias, this is testable, but I don't think anyone would typically check.

Community
  • 1
imichaelmiers
  • 1,614
  • 10
  • 13
  • This reads like nonsense. (Microsoft's documentation, I mean, not your answer.) What does "keys less than or equal to 1024 bits" even mean in the context of these PRNGs? I read this as saying something changed in Windows 8, but the tech writer does not understand what. Note that FIPS 186-3 is the first revision to incorporate SP 800-90 where the dual EC generator is specified. So Microsoft's language here does not preclude Windows 8 using Dual_EC_DRBG by default. – Nemo Sep 21 '13 at 18:41
  • I think this means for key generation, depending on the specified key length request, they use different RNGs. – imichaelmiers Sep 21 '13 at 20:31
  • Not sure about that. How does BCryptGenRandom know what you plan to use the random bits for? Also, would you say this wording implies Windows 8 uses AES counter mode? It looks to me like it just says it "supports FIPS 186-3" which could mean any RNG in SP 800-90. In fact, this wording seems to make a distinction between Vista SP1 / Server 2008 and Windows 8. The real question is what RNG BCryptGenerateKeyPair uses, and I do not think we know the answer yet. – Nemo Sep 21 '13 at 20:46
  • 1
    @Nemo BCryptGenRandom does not have to know what to use the random bits for. It is the key generator that chooses which RNG to use. If you have got your own key generator, then above does not apply. In general, if the algorithm is present then you cannot be sure of any key pairs generated by windows unless you know the precise implementation. Same goes if you create your own keys, the only thing you can do to avoid the broken PRNG is to test for the bias or to know the actual implementation of the PRNG you are using. – Maarten Bodewes Sep 22 '13 at 15:19