Talk:CryptGenRandom

This article was nominated for deletion on 4 March 2011. The result of the discussion was keep.

This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Computer SecurityWikipedia:WikiProject Computer SecurityTemplate:WikiProject Computer SecurityComputer Security articles

???

This article has not yet received a rating on the project's importance scale.

This article is supported by WikiProject Computing.

Things you can help WikiProject Computer Security with:

Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information...

Answer question about Same-origin_policy
Review importance and quality of existing articles
Identify categories related to Computer Security
Tag related articles
Identify articles for creation (see also: Article requests)
Identify articles for improvement
Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc.
Find editors who have shown interest in this subject and ask them to take a look here.

Microsoft Windows: Computing Low‑importance

	This article is within the scope of WikiProject Microsoft Windows, a collaborative effort to improve the coverage of Microsoft Windows on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Microsoft WindowsWikipedia:WikiProject Microsoft WindowsTemplate:WikiProject Microsoft WindowsMicrosoft Windows articles
Low	This article has been rated as Low-importance on the project's importance scale.
	This article is supported by WikiProject Computing.

Cryptography: Computer science

	This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.CryptographyWikipedia:WikiProject CryptographyTemplate:WikiProject CryptographyCryptography articles
???	This article has not yet received a rating on the importance scale.
	This article is supported by WikiProject Computer science.

Better explanation of the possible loop hole needed[edit]

Could someone please write better chapter about the controversy, I just added a "placeholder" for it. Atuomi 21:46, 15 November 2007 (UTC)[reply]

It's already in the article (this is the Hebrew University attack).

We do need more detail on the attack, but it's probably inappropriate to speculate ("shadow of a doubt") until that detail is there. In particular: these attacks may or may not apply to the CSPRNG shipped in XP and Vista, and are a basic issue with usermode CSPRNGs in general, as well as with CSPRNGs built around stream ciphers with short keys (like RC4). --- tqbf 22:07, 15 November 2007 (UTC)[reply]

The attack has nothing to do with short keys. RC4, in fact, allows quite long keys, up to 2048 bits. The problem with RC4 is that it can be run backwards, compromising past numbers generated with modest work. Also running in user mode would not be such a problem if entropy was added more frequently. Finally, in the Slashdot thread, someone who claimed to be from Microsoft said the problem was known and fixed in XP and Vista. That's far from a reliable source, but it is enough, I think, to remove the speculation about the bug affecting later versions of Windows, which I've done.--agr 22:42, 15 November 2007 (UTC)[reply]

Maybe at least leave the news link at the end? -- Atuomi 22:10, 15 November 2007 (UTC)[reply]

Why? The article already has an entire subsection sourced authoritatively. --- tqbf 22:15, 15 November 2007 (UTC)[reply]

Because the news link was perhaps more accessible to people with less technical understanding. But you are right, it is sourced appropriately. -- Atuomi 22:22, 15 November 2007 (UTC)[reply]

I put a bit more work into the section. Maybe it could use a sentence on the news coverage the attack got? If you missed the section, lots of other people might too. It'd be great if you can flag things that don't make sense (maybe a {{clarifyme}} tag here and there?) --- tqbf 22:26, 15 November 2007 (UTC)[reply]

Sure, I'll check it out. Maybe the title could be revised to point out more that it is a possible problem. When I read it, I thought it's just a validation analysis, and not a problem as per such. Maybe something like 'Hebrew University Cryptoanalysis shows problems'? -- Atuomi 22:40, 15 November 2007 (UTC)[reply]

That would probably read more like a news hed than an encyclopedia subhed, but I'm open to other titles. --- tqbf 22:45, 15 November 2007 (UTC)[reply]

I added a brief mention to the article intro.--agr 23:04, 15 November 2007 (UTC)[reply]

SHA-1 weakness reference needed[edit]

I've tagged this sentence - "As an example, weaknesses in the SHA1 hash function, which was created by the U.S. National Security Agency and certified by NIST, were only discovered in 2005, 12 years after the algorithm was published." - as "citation needed" - not because I don't believe it, but merely because it's an unverified statement for which I imagine there must be a good reference we could use. I'd sure like more information on the analysis and fallout from this so that I could compare it to the CryptGenRandom concerns.--ParanoidMike 19:43, 27 August 2007 (UTC)[reply]

"Microsoft recommends its use in all software where random number generation is desired."[edit]

Sounds very un-NPOVish. Microsoft also recommends other operating systems to copy UAC, but nobody's taking them seriously. --Mike 18:59, 2 September 2007 (UTC)[reply]

I think Microsoft suggesting how best to use Microsoft software is very different from Microsoft telling other OSs what to do. --agr 01:31, 3 September 2007 (UTC)[reply]

This is not NPOV, this is API documentation. MSFT isn't making recommendations on how to use OpenSSL; they're saying that developers shouldn't write their own PRNGs when doing W32 crypto. --- tqbf 17:40, 12 November 2007 (UTC)[reply]

I'm not sure what the issue is here. We are not endorsing Microsoft's position. I read the sentence as establishing the importance of CryptGenRandom. Maybe some other wording might be better.--agr 17:56, 12 November 2007 (UTC)[reply]

It's pretty clear the way it is, and I don't think it should change. I may have resurrected a dead argument by replying to this, sorry. --- tqbf 18:02, 12 November 2007 (UTC)[reply]

Hebrew University Cryptanalysis[edit]

This deserves its own subsection of the article, which will also solve clumsiness and NPOV issues with threading it through the text. It's a cool paper, and it should be a focal point of the article, but it shouldn't be a factor in every single graf.

--- tqbf 17:44, 12 November 2007 (UTC)[reply]