It just occurred to me that the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed (type REG_BINARY) contains the latest seeded value from everything that CryptoAPI takes into account when generating its random seed. CryptoAPI permutes it with RC4 to come up with a pseudo-random stream, but I wonder if it might make sense to try to make use of it the same way OpenSSL on UNIX uses /dev/urandom?
No. /dev/urandom returns a unique chunk for every read, while accessing the key in question does not change its value. Therefore it is not appropriate to use as if it was /dev/urandom. The value is changed upon calls to CryptoAPI, but then you get random data by CryptoAPI means and don't need to read the key value.

BTW, I fail to understand why the seed has to be exposed world-readable. I mean, how do we know that exposing the seed to a non-privileged adversary application does not compromise the PRNG generator for other applications? For reference, tightening the ACL to limit access to privileged users does not seem to have side effects on non-privileged users.

A.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
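
The reply's point about the seed being readable by non-privileged users can be checked with a read-only ACL audit of the key. This is an added example, not part of the original thread; the key path comes from the post, while the list of broad principals (well-known SIDs) and the helper name Test-GrantsValueRead are assumptions chosen for illustration.

```powershell
# Added example: read-only audit of who may read values under the RNG key.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\RNG'   # key named in the post

# Broad, non-privileged principals, by well-known SID (assumed watch list).
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Hypothetical helper: does an access mask allow reading the key's values?
function Test-GrantsValueRead {
    param([int]$Mask)
    $queryValues = [int][System.Security.AccessControl.RegistryRights]::QueryValues
    $genericRead = [int]::MinValue   # 0x80000000, GENERIC_READ
    $genericAll  = 0x10000000        # GENERIC_ALL
    return (($Mask -band $queryValues) -ne 0) -or
           (($Mask -band $genericRead) -ne 0) -or
           (($Mask -band $genericAll)  -ne 0)
}

if (-not (Test-Path -Path $keyPath)) {
    Write-Warning "$keyPath not found on this system."
    return
}

$acl         = Get-Acl -Path $keyPath
$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$findings = foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
    $sid = $rule.IdentityReference.Value
    # Skip ACEs that only propagate to subkeys and do not apply to this key.
    $appliesHere = (([int]$rule.PropagationFlags) -band $inheritOnly) -eq 0
    if ($appliesHere -and $rule.AccessControlType -eq 'Allow' -and
        $broad.ContainsKey($sid) -and
        (Test-GrantsValueRead -Mask ([int]$rule.RegistryRights))) {
        [pscustomobject]@{
            Principal = $broad[$sid]
            Sid       = $sid
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output "No broad principal has an Allow ACE with value-read rights on $keyPath." }
```

The script only lists Allow entries for the listed principals; it does not evaluate Deny entries or group membership, so treat an empty result as a starting point rather than proof of a tight ACL.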