GNU bug report logs -
#22202
24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems
Previous Next
Reported by: Demetri Obenour <demetriobenour <at> gmail.com>
Date: Fri, 18 Dec 2015 10:09:01 UTC
Severity: normal
Tags: security
Found in version 24.5
Done: Eli Zaretskii <eliz <at> gnu.org>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
> Can you audit the patch below? I know next to nothing about
> cryptography, and I'm not sure I understood all the flags involved in
> these APIs.
Sure! But please bear in mind I'm not experienced in crypto
either.
With regard to API usage: The call to CryptAcquireContext looks good
to me. (The comment about interoperability in the documentation for
the parameter "pszProvider" does not apply as we are not inter-
operating with anything. Setting "pszContainer" to NULL, as you have
done, is explicitly recommended. The docs for the individual flags
entail the very value of "dwFlags" that you use.) I can see nothing
else to comment on.
Re performance: using CryptGenRandom to provide a seed for srand
is enough to address Demetri's concern. For performance reasons,
as you said, implementing random() with CryptGenRandom is
potentially bad. I think random() itself should not be changed.
That said, rand() makes me uncomfortable (mostly because of bugs in
long-gone implementations, and superstition). Given the chance I would
replace it with an xorshift* generator. The generator at [1] seeded
with 64 bits from CryptGenRandom should give good performance for
random() and (I guess!) an effectively unassailable server secret.
But I have no good reason to claim that rand() is not good enough.
Thank you Eli.
[1]: https://en.wikipedia.org/w/index.php?title=Xorshift&oldid=697235156#xorshift.2A
This bug report was last modified 9 years and 180 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.