RandomBytes uses deprecated API (CryptAcquireContext) in Windows (use BCryptGenRandom) #524
Comments
|
We're using https://github.com/dsprenkels/randombytes/, which is where this should probably be discussed instead. |
thomwiggers
changed the title
|
I don't think any known security problems exist in the currently supported versions of Windows, so I'm removing "insecure" from the title of this issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The RandomBytes implementation for Windows uses CryptAcquireContext/CryptGenRandom which has been deprecated for years and has been claimed to have security risks. Microsoft has also specified in it's documentation that this API may be removed from newer version of Windows. (details below)
https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta
https://en.wikipedia.org/wiki/CryptGenRandom
BCryptGenRandom is the recommended option as per Microsoft
https://learn.microsoft.com/en-us/windows/win32/seccng/cng-portal
https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom
An example implementation at (not production tested):
https://github.com/DogeProtocol/hybrid-pqc/blob/main/random/randombytes.c
The text was updated successfully, but these errors were encountered: