Microsoft .NET PRNG (fwd)

J.A. Terranson measl at mfn.org
Sat Jul 31 11:49:30 EDT 2004 

Forwarded here as the original forum is having no success.  IIRC, Matt
Blaze examined the early CrptoAPI and associated PRNG, but I can't seem to
find the post/article that I am thinking of.

-- 
Yours,

J.A. Terranson
sysadmin at mfn.org
0xBD4A95BF

  "...justice is a duty towards those whom you love and those whom you do
  not.  And people's rights will not be harmed if the opponent speaks out
  about them."      Osama Bin Laden
	- - -

  "There aught to be limits to freedom!"    George Bush
	- - -

Which one scares you more?

---------- Forwarded message ----------
Date: Fri, 30 Jul 2004 10:52:12 -0300
From: Pablo Milano <pmsf at datatransfer.com.ar>
To: 'Yvan Boily' <yboily at seccuris.com>
Cc: secprog at securityfocus.com
Subject: RE: Microsoft .NET PRNG

I'm looking for the same information. I want to know which method does MS
Crypto API use in order to obtain "strong" random seeds. The most in-deep
information about this I could find was
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/s
ecurity/cpgenrandom.asp. Anyway, I'm still not sure if what is explained
there is what the function SHOULD do, or what the function ACTUALLY DOES.
Any help would be appreciated.
Regards.

> -----Mensaje original-----
> De: Yvan Boily [mailto:yboily at seccuris.com]
> Enviado el: Miércoles, 28 de Julio de 2004 04:40 p.m.
> Para: secprog at securityfocus.com
> Asunto: Microsoft .NET PRNG
>
>
> I have read both FoundStone's and @Stakes reviews of the PRNG
> included with
> the Microsoft .NET 1.1 framework (also the Win32 CryptoAPI) ,
> however there
> is little information available (that I have been able to locate) that
> discusses the actual method used, or an analysis of how
> reliable it is from
> a cryptographic perspective.
>
> I don't profess to be expert enough on random number generation and
> cryptography to criticize the implementation, however I would
> like to know
> more about it as most code samples I have seen and now an
> application I am
> auditing is relying extensively on the CryptoAPI to provide
> facilities for
> random key generation.
>
> Does anyone have any technical resources which discuss concerns or
> commendations of the implementation?
>
> Regards,
>
> Yvan Boily
>
>

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list