
So, as we all know, Dual_EC_DRBG contains an NSA back door. At this point, there is no reason to call it a "potential" or even an "alleged" back door; the presence is obvious even to the NY Times.

As we also know, RSA BSAFE has been using Dual_EC_DRBG by default, with a justification so stupid it can only be translated as "because NSA paid us to".

This comment on Ars Technica asserts that Microsoft also uses this generator. But I have seen claims to the contrary. Thus my questions are:

What PRNG does Windows Server use to generate private keys for Certificate Signing Requests?

What PRNG does Internet Explorer on Windows use to generate session keys? How about Chrome and Firefox on Windows?

What PRNG does IIS on Windows use to generate ephemeral key material for PFS?

I am most interested in the latest versions of all of these products, and certainly only those released after 2007. References or at least an air of authority are preferred.

Nemo

2 Answers


The September 2013 supplemental ITL bulletin released by NIST has drawn attention to NIST publication SP 800-90A, Random Number Generation using Deterministic Random Number Generation; specifically the trustworthiness of the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) algorithm. As a result, NIST strongly discourages the use of Dual EC DRBG until concerns with it are addressed in a future revision of SP 800-90A.

The Windows CNG cryptographic infrastructure provides an implementation of DUAL_EC_DRBG that applications may use. The Windows Crypto development team has reviewed supported versions of Windows and determined that no features or components included in Windows specifically use Dual EC DRBG.

Windows has a mechanism for configuring the default RNG algorithm to be used by various parts of the system. The default configurations for Windows 8.1, Windows Server 2012R2, Windows 8, Windows Server 2012, Windows 7 and Windows Server 2008R2 do not use Dual EC DRBG as the default random number generator algorithm. The default random number generator algorithm for these versions of Windows is AES_CTR_DRBG from SP800-90a.

DRBGs rely on entropy to provide secure random number generation. Good entropy typically depends on hardware and other factors to ensure its randomness. Most applications rely on the platform to provide secure random numbers. I would expect that Chrome and Firefox would use BCryptGenRandom to generate secure random numbers on Windows; however, each respective development team is more authoritative on how they generate random numbers when their browsers run on the Windows platform.

Mike Stephens, Windows Program Manager, Cryptography

Mike Stephens

According to the BCryptGenRandom documentation

The default random number provider implements an algorithm for generating random numbers that complies with the NIST SP800-90 standard, specifically the CTR_DRBG portion of that standard.

Specifically, according to this the default value is BCRYPT_RNG_ALGORITHM which is:

The random-number generator algorithm. Standard: FIPS 186-2, FIPS 140-2, NIST SP 800-90

Note Beginning with Windows Vista with SP1 and Windows Server 2008, the random number generator is based on the AES counter mode specified in the NIST SP 800-90 standard.

Windows Vista: The random number generator is based on the hash-based random number generator specified in the FIPS 186-2 standard.

Windows 8: Beginning with Windows 8, the RNG algorithm supports FIPS 186-3. Keys less than or equal to 1024 bits adhere to FIPS 186-2 and keys greater than 1024 to FIPS 186-3.

An obvious question is if this is actually the random number generator running. It would be very easy, of course, to change the value of BCRYPT_RNG_ALGORITHM to BCRYPT_RNG_DUAL_EC_ALGORITHM, especially to specifically target systems or targeted regions. Given that DUAL_EC_DRBG has a bias, this is testable, but I don't think anyone would typically check.

imichaelmiers