Reverse engineering cracks Windows encryption

Computerworld - Israeli researchers who have reverse-engineered a critical component of Windows' encryption technology say attackers could exploit flaws to decipher secured information. Microsoft Corp. has downplayed the threat.

In a paper published earlier this month, Benny Pinkas from the University of Haifa and two Hebrew University graduate students, Zvi Gutterman and Leo Dorrendorf, described how they recreated the algorithm used by Windows 2000's pseudo-random number generator (PRNG). They also spelled out vulnerabilities in the CryptGenRandom function, which calls on the algorithm.

Windows and its applications use the PRNG to create random encryption keys, which are in turn used to encrypt files and e-mail messages, and by the Secure Socket Layer protocol. SSL secures virtually every important Internet data transmission, including information from consumers to online retailers, and from bank customers to their online accounts.

By cracking the PRNG's algorithm, Pinkas and his team were able to predict its future results and uncover what it had come up with in the past, which then let them compute both previous and future encryption keys. They also discovered multiple design flaws in the algorithm that they said could give hackers the keys to the kingdom.

One of the flaws let Pinkas calculate the keys that had already been used on a Windows 2000 machine. In effect, given even remote access to the machine, a hacker could uncover encryption keys that had been generated, and thus the passwords -- or other information -- which had been used, even if they weren't saved elsewhere on the system. "If you know the 'state' of the PRNG, it should be hard to predict its previous state," said Pinkas yesterday. "It should be like a one-way street. Going backward [in time] should be impossible. But we found a way to very efficiently predict previous states of the PRNG."

That's a major bug, and one that should not have been overlooked, Pinkas added. "It's very well known how to construct a one-way generator. The fact that the PRNG used by Windows 2000 does not provide [this] demonstrates that the design is flawed."

Another problem with Windows' PRNG, added Pinkas, is that a single peek at the current state of its calculations can expose a huge amount of information. Unlike other operating systems such as Linux, Windows only refreshes its "randomness" after the PRNG has produced 128K of output. And since a typical SSL connection between, say, Internet Explorer and a bank consumes just 100-200 bytes of output, it's possible to predict 600-1,200 different SSL connections.

"Once we get the state of the PRNG, we can simulate its future state until the generator is refreshed with new random data," said Pinkas. "But that represents several hundred SSL connections."