Details
-
Improvement
-
Resolution: Unresolved
-
Major
-
None
-
None
-
None
Description
From what I can understand, the latter half of /drivers/crypto/ksecdd/random.c calculates an environment hash using md4. The first half uses something that could at least be debatably cryptographic if it outputted one bit at a time.
This can't be a problem since no open source project trusts Win32 random numbers and usually hashes them with various entropy sources. I'm pretty sure GnuPGP wouldn't generate weak public keys in ReactOS.
- KsecRandomSeed should at least depend on the environment hash.
- There ought be an entropy accumulator, using events such as the mouse position during mouse clicks, the time it took to complete a DHCP transaction, etc. When RtlGenRandom is called, it could be reseeded (the hash context updated) with GlobalMemoryStatus, GetCursorPos, and GetCurrentThreadId.
- Anything is better than "KsecRandomSeed ^= _rotl(TickCount.LowPart, (KsecRandomSeed % 23));"
- If the entropy accumulator is insufficiently seeded (say with less than 128 events), a calling thread should sleep for a hundred milliseconds. This wouldn't be severely blocking and presumably the accumulator has been seeded better by then.
I don't have much knowledge in this field, but at the very least, there should be enough entropy for TCP sequence number security.
Edit: Extended MD4 allows for parallelism and doubles state size. I would recommend using Extended MD4 for the entropy accumulator. I have looked at some CRNGs, and what I'm suggesting would be both cross-platform portable and sufficient.