Bitcoin Forum
October 20, 2017, 03:49:34 AM *
News: Latest stable version of Bitcoin Core: 0.15.0.1  [Torrent]. (New!)
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Windows PRNG “Seed” registry key  (Read 922 times)
Slaphead
Jr. Member
*
Offline Offline

Activity: 53


View Profile
May 03, 2017, 10:57:57 PM
 #1

The last 64 bytes of the Windows PRNG “Seed” registry key hold a unique hash used to seed the CryptoAPI PRNG. However, that registry key value is 76 bytes long. What do the first 12 bytes hold?

The seed bytes change after every reboot, but the first 12 bytes never change. I tried deleting them and then rebooting, but the system restored exactly the same first 12 bytes. Is there any security risk from an attacker managing to read those 12 bytes? I assume the seed is used in bitcoin private key generation, and those 12 bytes must have some relationship to the seed.

In older versions of Windows the seed was stored in this registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed

In newer versions of windows the seed now lives here.

HKEY_LOCAL_MACHINE\SYSTEM\RNG

The only information I found from a google was here.

http://illmatics.com/Windows%208%20Heap%20Internals.pdf

Quote
OslpGatherSeedFileEntropy

Gathers entropy by looking up the value of the “Seed” registry key (REG_BINARY) in

HKEY_LOCAL_MACHINE\SYSTEM\RNG.

This key is 76 bytes in size, whereas the last 64 bytes hold a unique hash used to seed the CryptoAPI PRNG
1508471374
Hero Member
*
Offline Offline

Posts: 1508471374

View Profile Personal Message (Offline)

Ignore
1508471374
Reply with quote  #2

1508471374
Report to moderator
1508471374
Hero Member
*
Offline Offline

Posts: 1508471374

View Profile Personal Message (Offline)

Ignore
1508471374
Reply with quote  #2

1508471374
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1508471374
Hero Member
*
Offline Offline

Posts: 1508471374

View Profile Personal Message (Offline)

Ignore
1508471374
Reply with quote  #2

1508471374
Report to moderator
Abdussamad
Legendary
*
Offline Offline

Activity: 1526



View Profile WWW
May 04, 2017, 12:18:09 AM
 #2

It says in the quote that only the last 64 bytes are used to seed the CSPRNG so what is there to worry about? The first 12 bytes that remain constant aren't used to seed the CSPRNG. Maybe they serve some other purpose.

Slaphead
Jr. Member
*
Offline Offline

Activity: 53


View Profile
May 04, 2017, 01:22:26 AM
 #3

It says in the quote that only the last 64 bytes are used to seed the CSPRNG so what is there to worry about? The first 12 bytes that remain constant aren't used to seed the CSPRNG. Maybe they serve some other purpose.

Although they aren't used to seed the CSPRNG they must be related to it, or they wouldn't be included in that registry key value. If the twelve bytes represent the differing entropy sources found and used on a particular computer there might be a security risk if an attacker reads them. On the other hand they might represent a unique identifier, in which case it doesn't matter if an attacker reads them.

I'm probably worrying about nothing, but I'd like to know WTF they are for.
Abdussamad
Legendary
*
Offline Offline

Activity: 1526



View Profile WWW
May 04, 2017, 04:51:40 AM
 #4

They could be the phone number that you can call to learn more about Windows' CSPRNG

metacoin
Sr. Member
****
Offline Offline

Activity: 339


live free


View Profile WWW
May 15, 2017, 07:41:56 PM
 #5

It's certainly a good question and I don't know the answer off the top of my head. The best I could find relating to Microsoft's decision on this subject was a claim that they follow the NIST guidelines 800-90A outlined in this doc: http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf however given Microsoft's recent track record with security I would say their standards-compliance is questionable. I don't have enough information to determine if it is due to coercion, malice, or negligence.

Luckily Bitcoin running on WIN32 uses OpenSSL in addition to the OS random function to generate a key. Check out this block of code:

Code:
void GetStrongRandBytes(unsigned char* out, int num)
{
    assert(num <= 32);
    CSHA512 hasher;
    unsigned char buf[64];

    // First source: OpenSSL's RNG
    RandAddSeedPerfmon();
    GetRandBytes(buf, 32);
    hasher.Write(buf, 32);

    // Second source: OS RNG
    GetOSRand(buf);
    hasher.Write(buf, 32);

    // Combine with and update state
    {
        std::unique_lock<std::mutex> lock(cs_rng_state);
        hasher.Write(rng_state, sizeof(rng_state));
        hasher.Write((const unsigned char*)&rng_counter, sizeof(rng_counter));
        ++rng_counter;
        hasher.Finalize(buf);
        memcpy(rng_state, buf + 32, 32);
    }

    // Produce output
    memcpy(out, buf, num);
    memory_cleanse(buf, 64);
}

https://github.com/bitcoin/bitcoin/blob/daf3e7def7b9e5db7a32f5a20b5c4e09e3f0dd18/src/random.cpp#L210-L233

If you follow the code from here you'll see what I'm talking about.

Further reading on RAND_add:

https://wiki.openssl.org/index.php/Manual:RAND_add(3)


⚜ Florin block explorer: http://florincoin.info
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!