18

Where does the entropy that cryptographic .NET libraries use for encryption come from? I know with Linux you can use /dev/random, but does a similar pool exist within Windows?

yyyyyyy
Verbal Kint
  • Maybe from the [file copy dialogue](https://xkcd.com/612)? Sorry, couldn't resist... – KlaymenDK Aug 24 '16 at 20:25
  • [This whitepaper](https://download.microsoft.com/download/1/c/9/1c9813b8-089c-4fef-b2ad-ad80e79403ba/Whitepaper%20-%20The%20Windows%2010%20random%20number%20generation%20infrastructure.pdf) directly from Niels Ferguson / Microsoft would explain everything quite well. – Maarten Bodewes Dec 07 '20 at 14:52

1 Answer

19

Update: Since I wrote this post, CryptGenRandom has been deprecated. Apparently it is now recommended to use BCryptGenRandom from the "Cryptography Next Generation" API.

(Confusingly, it has nothing to do with bcrypt.)


Yes, Windows has something similar. It can be accessed through CryptGenRandom.

With Microsoft CSPs, CryptGenRandom uses the same random number generator used by other security components. This allows numerous processes to contribute to a system-wide seed. CryptoAPI stores an intermediate random seed with every user. To form the seed for the random number generator, a calling application supplies bits it might have—for instance, mouse or keyboard timing input—that are then combined with both the stored seed and various system data and user data such as the process ID and thread ID, the system clock, the system time, the system counter, memory status, free disk clusters, the hashed user environment block. This result is used to seed the pseudorandom number generator (PRNG). In Windows Vista with Service Pack 1 (SP1) and later, an implementation of the AES counter-mode based PRNG specified in NIST Special Publication 800-90 is used.

Technically this is closer to /dev/urandom than /dev/random, but in practice the fact that you get cryptographically random numbers rather than "pure entropy" does not matter.

otus
  • off-topic comment: where do you people read up such advanced things? – Spandan Sep 02 '16 at 13:07
  • @Spandan, I gave the link or what do you mean? – otus Sep 02 '16 at 13:20
  • Page 11 of this PDF has some more information: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3090.pdf – Marc Oct 21 '19 at 14:19
  • This implementation could mean that all instances of a Windows VM taken from the same snapshot will share the same PRNG state, without live update from the environment. (Compared to Linux with "continuous" reseeding from RDSEED and CPU jitters.) This might cause issues, like duplicated nonces or reduced effective entropy in key generation. I *hope* the implementation is more complex and robust than described. – A. Hersean Mar 02 '22 at 09:40
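As an added example (not part of the original answer or of any Microsoft sample), the C# below shows how .NET code on Windows reaches the system pool described above: the managed RandomNumberGenerator API, which in .NET Core and .NET 5+ is itself backed by BCryptGenRandom, next to a direct P/Invoke of BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG so the underlying CNG call is visible. The WindowsRng class and its method names are my own; it assumes .NET 5 or later.

```csharp
// Added example: reaching the Windows system CSPRNG from .NET.
// Application code should use RandomNumberGenerator; the P/Invoke is here
// only to show the CNG call that sits underneath it on Windows.
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

static class WindowsRng
{
    // Flag documented for BCryptGenRandom: draw from the system-preferred RNG
    // (hAlgorithm must then be NULL, i.e. IntPtr.Zero).
    private const uint BCRYPT_USE_SYSTEM_PREFERRED_RNG = 0x00000002;

    // NTSTATUS BCryptGenRandom(BCRYPT_ALG_HANDLE, PUCHAR, ULONG, ULONG)
    [DllImport("bcrypt.dll", ExactSpelling = true)]
    private static extern int BCryptGenRandom(IntPtr hAlgorithm, byte[] pbBuffer,
                                              uint cbBuffer, uint dwFlags);

    // Raw CNG call. NTSTATUS 0 (STATUS_SUCCESS) means the buffer was filled;
    // anything else is treated as a failure rather than used as "random" bytes.
    public static byte[] FromCng(int count)
    {
        if (!OperatingSystem.IsWindows())
            throw new PlatformNotSupportedException("bcrypt.dll is Windows-only");
        var buf = new byte[count];
        int status = BCryptGenRandom(IntPtr.Zero, buf, (uint)buf.Length,
                                     BCRYPT_USE_SYSTEM_PREFERRED_RNG);
        if (status != 0)
            throw new CryptographicException($"BCryptGenRandom failed: NTSTATUS 0x{status:X8}");
        return buf;
    }

    // Portable managed API: the same OS pool on Windows, getrandom/urandom
    // style sources elsewhere, with no platform-specific code to maintain.
    public static byte[] FromManaged(int count)
    {
        var buf = new byte[count];
        RandomNumberGenerator.Fill(buf);
        return buf;
    }

    static void Main()
    {
        Console.WriteLine("CNG:     " + Convert.ToHexString(FromCng(16)));
        Console.WriteLine("managed: " + Convert.ToHexString(FromManaged(16)));
    }
}
```

Neither path needs seeding or reseeding by the caller; the system pool handles that, which is exactly what the CSP documentation quoted in the answer describes.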