The random number generator is not compliant with Federal Processing Standard 140-2 in Windows Vista Service Pack 1 and in Windows Server 2008

The random number generator is not compliant with Federal Processing Standard 140-2 in Windows Vista Service Pack 1 and in Windows Server 2008

Article ID : 954059
Last Review : July 28, 2008
Revision : 1.0
On This Page

SYMPTOMS

In Windows Vista Service Pack 1 (SP1) and in Windows Server 2008, the random number generator (RNG) is not compliant with Federal Information Processing Standard (FIPS) 140-2.

This problem affects all the functions that use the RNG. The CryptoAPI function CryptGenRandom and the CNG function BCryptGenRandom use the RNG directly. Other functions that generate random numbers for keying material or for other purposes may also use the RNG indirectly.

Important This problem does not affect the external behavior of any functions that use the RNG. It does not affect the strength of any system cryptographic implementations. Additionally, it does not change cryptographic functionality in any other way.

Back to the top

CAUSE

This problem occurs because certain internal self-tests are missing from the RNG.

Back to the top

RESOLUTION

A hotfix is available to resolve this problem. This hotfix contains changes to the cryptographic libraries in Windows Vista SP1 and in Windows Server 2008. These changes make the RNG fully compliant with the requirements of FIPS 140-2.

Note This hotfix does not change the functionality of the RNG.

After you install this hotfix, all cryptographic binaries that are affected will be updated with versions that contain the required self-tests.

Back to the top

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a Hotfix download available section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support (http://support.microsoft.com/contactus/?ws=support)

Note The Hotfix download available form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Back to the top

Prerequisites

The following list contains prerequisites for the hotfix:

• Windows Vista SP 1 or Windows Server 2008

Back to the top

Restart requirement

You have to restart the computer after you apply this hotfix.

Back to the top

Hotfix replacement information

This hotfix replaces the following hotfix:

953535 (/Feedback.aspx?kbNumber=953535/) When many SSL connections are established on a Windows Server 2008-based computer, the computer eventually stops responding because of a memory leak

Back to the top

Registry information

To use one of the hotfixes in this package, you do not have to make any changes to the registry.

Back to the top

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Vista SP1 and Windows Server 2008, x86-based versions
File name File version File size Date Time Platform
Package_1_for_kb954059~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 3,111 13-Jun-2008 17:14 Not Applicable
Package_2_for_kb954059~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 3,278 13-Jun-2008 17:14 Not Applicable
Package_3_for_kb954059~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 3,118 13-Jun-2008 17:14 Not Applicable
Package_4_for_kb954059~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 3,119 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_client_1~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,367 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_client~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,431 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,422 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_sc~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,423 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_server_0~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,426 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_server~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,431 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_winpesrv_0~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,422 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_winpesrv~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,430 13-Jun-2008 17:14 Not Applicable
Update.mum Not Applicable 3,077 13-Jun-2008 17:14 Not Applicable
X86_29bb96108f142530a4b4139904adbb11_31bf3856ad364e35_6.0.6001.22202_none_76f028724b0cc0bc.manifest Not Applicable 698 13-Jun-2008 17:14 Not Applicable
X86_37886f5f471fe55abb2f04da46cc338e_31bf3856ad364e35_6.0.6001.22202_none_47432becc2a223bb.manifest Not Applicable 698 13-Jun-2008 17:14 Not Applicable
X86_3c26f70068358c36aa15c4a03aa99aeb_31bf3856ad364e35_6.0.6001.22202_none_319963a0c8e80f34.manifest Not Applicable 691 13-Jun-2008 17:14 Not Applicable
X86_microsoft-windows-bcrypt-dll_31bf3856ad364e35_6.0.6001.22202_none_ef1832b20881782e.manifest Not Applicable 3,700 13-Jun-2008 04:55 Not Applicable
X86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22202_none_a6d62a0775e707d5.manifest Not Applicable 34,373 13-Jun-2008 04:49 Not Applicable
X86_microsoft-windows-rsaenh-dll_31bf3856ad364e35_6.0.6001.22202_none_6052af0cca604873.manifest Not Applicable 5,704 13-Jun-2008 04:49 Not Applicable
Bcrypt.dll 6.0.6001.22202 274,432 13-Jun-2008 03:20 x86
Ksecdd.sys 6.0.6001.22202 441,400 13-Jun-2008 03:57 x86
Lsasrv.dll 6.0.6001.22202 1,255,424 13-Jun-2008 03:25 x86
Lsasrv.mof Not Applicable 13,780 18-Dec-2007 21:23 Not Applicable
Lsass.exe 6.0.6001.22202 9,728 13-Jun-2008 01:04 x86
Secur32.dll 6.0.6001.22202 72,704 13-Jun-2008 03:25 x86
Rsaenh.dll 6.0.6001.22202 243,256 13-Jun-2008 04:37 x86
Windows Vista SP1 and Windows Server 2008, x64-based versions
File name File version File size Date Time Platform
Package_1_for_kb954059~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 3,111 13-Jun-2008 17:14 Not Applicable
Package_2_for_kb954059~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 3,278 13-Jun-2008 17:14 Not Applicable
Package_3_for_kb954059~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 3,118 13-Jun-2008 17:14 Not Applicable
Package_4_for_kb954059~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 3,119 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_client_1~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,367 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_client~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,431 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,422 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_sc~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,423 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_server_0~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,426 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_server~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,431 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_winpesrv_0~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,422 13-Jun-2008 17:14 Not Applicable
Package_for_kb954059_winpesrv~31bf3856ad364e35~x86~~6.0.1.0.mum Not Applicable 1,430 13-Jun-2008 17:14 Not Applicable
Update.mum Not Applicable 3,077 13-Jun-2008 17:14 Not Applicable
X86_29bb96108f142530a4b4139904adbb11_31bf3856ad364e35_6.0.6001.22202_none_76f028724b0cc0bc.manifest Not Applicable 698 13-Jun-2008 17:14 Not Applicable
X86_37886f5f471fe55abb2f04da46cc338e_31bf3856ad364e35_6.0.6001.22202_none_47432becc2a223bb.manifest Not Applicable 698 13-Jun-2008 17:14 Not Applicable
X86_3c26f70068358c36aa15c4a03aa99aeb_31bf3856ad364e35_6.0.6001.22202_none_319963a0c8e80f34.manifest Not Applicable 691 13-Jun-2008 17:14 Not Applicable
X86_microsoft-windows-bcrypt-dll_31bf3856ad364e35_6.0.6001.22202_none_ef1832b20881782e.manifest Not Applicable 3,700 13-Jun-2008 04:55 Not Applicable
X86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22202_none_a6d62a0775e707d5.manifest Not Applicable 34,373 13-Jun-2008 04:49 Not Applicable
X86_microsoft-windows-rsaenh-dll_31bf3856ad364e35_6.0.6001.22202_none_6052af0cca604873.manifest Not Applicable 5,704 13-Jun-2008 04:49 Not Applicable
Bcrypt.dll 6.0.6001.22202 274,432 13-Jun-2008 03:20 x86
Ksecdd.sys 6.0.6001.22202 441,400 13-Jun-2008 03:57 x86
Lsasrv.dll 6.0.6001.22202 1,255,424 13-Jun-2008 03:25 x86
Lsasrv.mof Not Applicable 13,780 18-Dec-2007 21:23 Not Applicable
Lsass.exe 6.0.6001.22202 9,728 13-Jun-2008 01:04 x86
Secur32.dll 6.0.6001.22202 72,704 13-Jun-2008 03:25 x86
Rsaenh.dll 6.0.6001.22202 243,256 13-Jun-2008 04:37 x86

Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the Applies to section.

Back to the top

MORE INFORMATION

For more information about FIPS 140 evaluation, visit the following Microsoft Web site:

http://www.microsoft.com/technet/archive/security/topics/issues/fipseval.mspx?mfr=true (http://www.microsoft.com/technet/archive/security/topics/issues/fipseval.mspx?mfr=true)

For more information about the BCryptGenRandom function, visit the following Microsoft Web site:

http://msdn.microsoft.com/en-us/library/aa375458.aspx (http://msdn.microsoft.com/en-us/library/aa375458.aspx)

For more information about the CryptGenRandom function, visit the following Microsoft Web site:

http://msdn.microsoft.com/en-us/library/aa379942.aspx (http://msdn.microsoft.com/en-us/library/aa379942.aspx)

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 (/Feedback.aspx?kbNumber=824684/) Description of the standard terminology that is used to describe Microsoft software updates

Back to the top


APPLIES TO
• Windows Vista Service Pack 1, when used with:
    Windows Vista Enterprise 64-bit Edition
    Windows Vista Home Basic 64-bit Edition
    Windows Vista Home Premium 64-bit Edition
    Windows Vista Ultimate 64-bit Edition
    Windows Vista Business
    Windows Vista Business 64-bit Edition
    Windows Vista Enterprise
    Windows Vista Home Basic
    Windows Vista Home Premium
    Windows Vista Ultimate
• Windows Server 2008 Datacenter without Hyper-V
• Windows Server 2008 Enterprise without Hyper-V
• Windows Server 2008 for Itanium-Based Systems
• Windows Server 2008 Standard without Hyper-V
• Windows Server 2008 Datacenter
• Windows Server 2008 Enterprise
• Windows Server 2008 Standard

Back to the top

Keywords: 
kbautohotfix kbexpertiseadvanced kbfix kbqfe kbhotfixserver KB954059

Back to the top

   

Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
Microsoft Corporation. All rights reserved. Terms of Use | Trademarks


You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

AddThis Social Bookmark Button

Leave a Reply

*
To prove that you're not a bot, enter this code
Anti-Spam Image