
This question is inspired by this answer on Crypto SE.

According to Niels Ferguson's whitepaper 'The Windows 10 random number generation infrastructure', the CryptGenRandom algorithm uses a buffer for small requests:

All PRNGs in the system are SP800-90 AES_CTR_DRBG with 256-bit security strength using the df() function for seeding and re-seeding (see SP 800-90 for details). (…) The Basic PRNGs are not used directly, but rather through a wrapping layer that adds several features.

  • A small buffer of random bytes to improve performance for small requests.
  • A lock to support multi-threading.
  • A seed version.

(…) The buffering is straightforward. There is a small buffer (currently 128 bytes). If a request for random bytes is 128 bytes or larger, it is generated directly from AES_CTR_DRBG. If it is smaller than 128 bytes it is taken from the buffer. The buffer is re-filled from the AES_CTR_DRBG whenever it runs empty. So, if the buffer contains 4 bytes and the request is for 8 bytes, the 4 bytes are taken from the buffer, the buffer is refilled with 128 bytes, and the first 4 bytes of the refilled buffer are used to complete the request, leaving 124 bytes in the buffer.

I would like to know if it is possible to access this buffer from my Windows 10 laptop, and if so how I can implement this.

I looked at the Windows page of CryptGenRandom, and this page does also mention a buffer which is given as input. However, this is a different buffer from the one in the whitepaper: in this buffer, the output bytes will be written. Therefore, the buffer has a different size and purpose than the buffer that I am interested in.

Update: I have done a bit of research: according to this answer (at the bottom), CryptGenRandom() is declared in the wincrypt.h file and defined in the Advapi32.lib and Advapi32.dll libraries.

I managed to locate the Advapi32.dll file in my laptop's windows/system32 folder. I decompiled this file with Ghidra. However, I cannot find a clear reference to the buffer.

Riemann
  • I doubted between posting on SuperUser and StackOverflow, but since I would like to know how to implement it, I decided to use this site. – Riemann Aug 11 '23 at 11:05
  • Of course you can decompile code in advapi32.dll. Unless it has flaws, the security of `CryptGenRandom` does not rely on its algorithm being unknown, its security relies on operating system access protections and the quality of its entropy source(s). – President James K. Polk Aug 11 '23 at 18:25
  • Do you have some suggestions/ideas for how to decompile this code? – Riemann Aug 11 '23 at 18:31
  • Use a tool for software reverse engineering, like Ghidra or IDA-PRO. – President James K. Polk Aug 11 '23 at 18:32
  • I am trying with Ghidra now. See this question on Reverse Engineering SE: https://reverseengineering.stackexchange.com/questions/32166/how-can-i-find-the-buffer-of-cryptgenrandom-using-ghidra – Riemann Aug 12 '23 at 10:28
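
The buffering rule quoted from the whitepaper, modelled in C as an added example (not code from the original post and not Windows source). `model_rng`, `model_get_bytes` and the counter-based `drbg_generate` stand-in are hypothetical names; the stand-in is not a real DRBG and only makes the origin of each output byte visible. In this model the 128-byte buffer is private state of the wrapper, distinct from the caller's output buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128  /* buffer size stated in the whitepaper quote */

/* Model of the wrapping layer. The generator behind it is a stand-in
   (assumption): a running byte counter, not AES_CTR_DRBG. */
typedef struct {
    uint32_t next;            /* next counter value the stand-in emits */
    unsigned generate_calls;  /* how often the stand-in was invoked */
    uint8_t  buf[BUF_SIZE];   /* the internal small-request buffer */
    size_t   avail;           /* unread bytes left at the tail of buf */
} model_rng;

static void drbg_generate(model_rng *r, uint8_t *out, size_t n) {
    r->generate_calls++;
    for (size_t i = 0; i < n; i++) out[i] = (uint8_t)(r->next++);
}

void model_init(model_rng *r) { memset(r, 0, sizeof *r); }

void model_get_bytes(model_rng *r, uint8_t *out, size_t n) {
    if (n >= BUF_SIZE) {            /* 128 bytes or larger: bypass the buffer */
        drbg_generate(r, out, n);
        return;
    }
    while (n > 0) {
        if (r->avail == 0) {        /* buffer ran empty: refill with 128 bytes */
            drbg_generate(r, r->buf, BUF_SIZE);
            r->avail = BUF_SIZE;
        }
        size_t take = n < r->avail ? n : r->avail;
        memcpy(out, r->buf + (BUF_SIZE - r->avail), take);
        out += take; n -= take; r->avail -= take;
    }
}

int main(void) {
    model_rng r; uint8_t out[BUF_SIZE];
    model_init(&r);
    model_get_bytes(&r, out, 124);  /* leaves 4 bytes in the buffer */
    model_get_bytes(&r, out, 8);    /* the whitepaper's 4 + 4 case */
    printf("left in buffer: %zu, generate calls: %u\n", r.avail, r.generate_calls);
    return 0;
}
```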
