tags:

views:

65

answers:

3
+3  Q: 

Is RNGCryptoServiceProvider as good as a hardware RNG?

I'm attempting to work out whether a hardware RNG is actually any safer than RNGCryptoServiceProvider.

Given that randomness from RNGCryptoServiceProvider is provided using various system and user data such as the process ID, thread ID, system clock, system time, system counter, memory status, free disk clusters, and hashed user environment block along with international standard cryptography algorithms[ref], are there really any good reasons to use a hardware RNG for a security application, apart from speed?

EDIT: I would like to presume in all this that the computer on which the RNG is running is not comprimised - ie, there is no spying app on it.

+3  A: 

No, RNGCryptoServiceProvider is not as good as using hardware.

But it is a lot cheaper and available on every machine. And good enough (and fast enough) for most use cases.

Henk Holterman  2010-09-28 10:15:34
Interesting. What qualities does a hardware RNG posses that make it 'better'?
PaulG  2010-09-28 10:24:12
@PaulG: All the things that RNGCryptoServiceProvider uses to create a random number, as you listed them in your question, can be easily obtained by a program running on the machine, and thus the next random number to be generated can be calculated (i.e. a spying app), and the whole idea of randomness can be subverted. With a hardware-RNG, this is not possible, as it relies on an impossible-to-predict physical phenomena.
Allon Guralnek  2010-09-28 10:36:35
@PaulG: Hardware can be 'really' random. But with good software the diff becomes theoretical.
Henk Holterman  2010-09-28 10:38:58
I've edited the question with the presumption that the server security is not comprimised. Taking that into consideration can you give any reasons why it is not as good as hardware?
Tom  2010-09-28 10:52:41
@Tom: That answer is already given. Software remains deterministic an in theory predictable. In practice there is little risk.
Henk Holterman  2010-09-28 11:03:15
@Tom: It is a question about the "quality" of the random numbers. RNGCryptoServiceProvider doesn't give you a full bit of of entropy for every single bit you pull out. Instead you gain something around 0.9999998 bits (example value I made up). This means that you don't get a full 128 bits of security with a 128 bit key, you get 127.9999744 bits of security. With very few exceptions, the RNGCryptoServiceProvider is plenty good enough. If, though, you really need _perfect_ entropy, you should use dedicated hardware. Examples of this would be for CAs or master keys for high-value systems.
Eadwacer  2010-09-28 18:37:40
@Eadwacer "If, though, you really need perfect entropy, you should use dedicated hardware. Examples of this would be for CAs or master keys for high-value systems." Given that the 128bit key length is somewhat arbitrary, would it be fair to say that for all intents and purposes that RNGCryptoServiceProvider is as safe? A 256bit (or 129bit for that matter) RNGCryptoServiceProvider key would be as safe as a 128bit hardware generated one?
Mr. Flibble  2010-09-29 08:36:38
@Mr. Flibble, Yes, a 256 bit RNGCryptoServiceProvider key is certainly stronger than a 128 bit hardware key (remember I made up my numbers). However, there is still additional risk to not using hardware. The software is secure to the best of our current knowledge and research, the hardware is secure to a much higher level of confidence. When you are working in certain areas, you want to eliminate any uncertainty you can. When the government is securing classified information, or a company is encrypting millions of credit-cards, or a CA is generating its master key, its better to be more sure.
Eadwacer  2010-09-30 16:30:47
Ok. Thanks very much for taking the time to comment on this.
Mr. Flibble  2010-10-01 14:49:26
A: 

Its a great question, and I suspect the answer is (as Henk suggested) more theoretical. A hardware component could be employed to generate white noise, then sampled and used as a hardware RNG. In theory this would be 'more random' than using timings from the system.

In practice though, RNG's are put to the test when they go through FIPS certification. RNGCryptoServiceProvider has qualified through FIPS 140-2 certification (source: http://technet.microsoft.com/en-us/library/cc750357.aspx)

Some of the answers are based on a misconception that because the software RNG uses known sources for its input values, then those input values can be monitored and the seed discovered.

This isn't a true weakness (if it was the same could be said of the hardware RNG, we could monitor its current (single?) value and determine the seed)

The weakness (if any) is that most software RNG's use input sources that can be manipulated (to a degree) in software. This would allow spectacularly well crafted malware to manipulate the hardware to a point where the RNG outputs a predictable (ie non-random) number.

PaulG  2010-09-28 10:57:33
+1  A: 

Whatever parameters the PRNG implementation uses as a seed, they have a limited amount of entropy - at most the length of the representations of the values, but in reality much smaller (for example, PIDs are easy to restrict to a likely range; system time is very easy to guess accurately, etcetera). No matter how much data you generate from a PRNG seeded this way, the amount of entropy remains the same, and thus the amount of work required to determine the seed remains the same.

With a hardware RNG, in contrast, the amount of entropy is the amount of data generated. There's no possibility of brute-force searching the set of possible seed values, because there's no state to exploit.

Nick Johnson  2010-09-28 13:50:51
I am under the impression that RNGCryptoServiceProvider continually uses 'external' (memory status etc) factors. So it is not limited like a deterministic PRNG that you describe is.
Tom  2010-09-28 14:18:41
It's still limited to the amount of entropy it can obtain, and that amount is virtually guaranteed to be smaller than the amount of random data you generate.
Nick Johnson  2010-09-28 15:19:40

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?