Using mouse movement and keystrokes to generate entropy for encryption (As seen on MEGA)

Question

I am interested in generating entropy from mouse movements and keystrokes in .NET (for the purposes of encryption this could be either in a Forms application where the mouse movement and keystroke data is received via events in the application itself or in a web application where the mouse movement and keystroke data is recorded using JavaScript and sent to the server via Ajax.

This technique is being currently employed on the new MEGA site.

I have done a little research myself and came across what looks like a good example in C++ however it is a little outside my C/C++ knowledge.

http://etutorials.org/Programming/secure+programming/Chapter+11.+Random+Numbers/11.21+Gathering+Entropy+from+Mouse+Events+on+Windows/

    #include <windows.h>
    #include <wincrypt.h>
    #include <commctrl.h>

    #define SPC_ENTROPY_PER_SAMPLE  0.5
    #define SPC_MOUSE_DLGID         102
    #define SPC_PROGRESS_BARID      1000
    #define SPC_MOUSE_COLLECTID     1003
    #define SPC_MOUSE_STATIC        1002

    typedef struct {
      double     dEntropy;
      DWORD      cbRequested;
      POINT      ptLastPos;
      DWORD      dwLastTime;
      HCRYPTHASH hHash;
    } SPC_DIALOGDATA;

    typedef struct {
      POINT ptMousePos;
      DWORD dwTickCount;
    } SPC_MOUSEPOS;

    static BOOL CALLBACK MouseEntropyProc(HWND hwndDlg, UINT uMsg, WPARAM wParam,
                                          LPARAM lParam) {
      SPC_MOUSEPOS    MousePos;
      SPC_DIALOGDATA  *pDlgData;

      switch (uMsg) {
        case WM_INITDIALOG:
          pDlgData = (SPC_DIALOGDATA *)lParam;
          SetWindowLong(hwndDlg, DWL_USER, lParam);
          SendDlgItemMessage(hwndDlg, SPC_PROGRESS_BARID, PBM_SETRANGE32, 0,
                             pDlgData->cbRequested);
          return TRUE;

        case WM_COMMAND:
          if (LOWORD(wParam) =  = IDOK && HIWORD(wParam) =  = BN_CLICKED) {
            EndDialog(hwndDlg, TRUE);
            return TRUE;
          }
          break;

        case WM_MOUSEMOVE:
          pDlgData = (SPC_DIALOGDATA *)GetWindowLong(hwndDlg, DWL_USER);
          if (pDlgData->dEntropy < pDlgData->cbRequested) {
            MousePos.ptMousePos.x = LOWORD(lParam);
            MousePos.ptMousePos.y = HIWORD(lParam);
            MousePos.dwTickCount  = GetTickCount(  );
            ClientToScreen(hwndDlg, &(MousePos.ptMousePos));
            CryptHashData(pDlgData->hHash, (BYTE *)&MousePos, sizeof(MousePos), 0);
            if ((MousePos.ptMousePos.x != pDlgData->ptLastPos.x ||
                 MousePos.ptMousePos.y != pDlgData->ptLastPos.y)  && 
                MousePos.dwTickCount - pDlgData->dwLastTime > 100) {
              pDlgData->ptLastPos = MousePos.ptMousePos;
              pDlgData->dwLastTime = MousePos.dwTickCount;
              pDlgData->dEntropy += SPC_ENTROPY_PER_SAMPLE;
              SendDlgItemMessage(hwndDlg, SPC_PROGRESS_BARID, PBM_SETPOS,
                                 (WPARAM)pDlgData->dEntropy, 0);
              if (pDlgData->dEntropy >= pDlgData->cbRequested) {
                EnableWindow(GetDlgItem(hwndDlg, IDOK), TRUE);
                SetFocus(GetDlgItem(hwndDlg, IDOK));
                MessageBeep(0xFFFFFFFF);
              }
            }
          }
          return TRUE;
      }

      return FALSE;
    }

    BOOL SpcGatherMouseEntropy(HINSTANCE hInstance, HWND hWndParent, 
                                  BYTE *pbOutput, DWORD cbOutput) {
      BOOL           bResult = FALSE;
      BYTE           *pbHashData = 0;
      DWORD          cbHashData, dwByteCount = sizeof(DWORD);
      HCRYPTHASH     hHash = 0;
      HCRYPTPROV     hProvider = 0;
      SPC_DIALOGDATA DialogData;

      if (!CryptAcquireContext(&hProvider, 0, MS_DEF_PROV, PROV_RSA_FULL,
                              CRYPT_VERIFYCONTEXT)) goto done;
      if (!CryptCreateHash(hProvider, CALG_SHA1, 0, 0, &hHash)) goto done;
      if (!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE *)&cbHashData, &dwByteCount,
                             0)) goto done;
      if (cbOutput > cbHashData) goto done;
      if (!(pbHashData = (BYTE *)LocalAlloc(LMEM_FIXED, cbHashData))) goto done;

      DialogData.dEntropy     = 0.0;
      DialogData.cbRequested = cbOutput * 8;
      DialogData.hHash        = hHash;
      DialogData.dwLastTime   = 0;
      GetCursorPos(&(DialogData.ptLastPos));

      bResult = DialogBoxParam(hInstance, MAKEINTRESOURCE(SPC_MOUSE_DLGID),
                               hWndParent, MouseEntropyProc, (LPARAM)&DialogData);

      if (bResult) {
        if (!CryptGetHashParam(hHash, HP_HASHVAL, pbHashData, &cbHashData, 0))
          bResult = FALSE;
        else
          CopyMemory(pbOutput, pbHashData, cbOutput);
      }

    done:
      if (pbHashData) LocalFree(pbHashData);
      if (hHash) CryptDestroyHash(hHash);
      if (hProvider) CryptReleaseContext(hProvider, 0);
      return bResult;
    }
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine,
                   int nShowCmd) {
  BYTE                 pbEntropy[20];
  INITCOMMONCONTROLSEX CommonControls;

  CommonControls.dwSize = sizeof(CommonControls);
  CommonControls.dwICC  = ICC_PROGRESS_CLASS;
  InitCommonControlsEx(&CommonControls);
  SpcGatherMouseEntropy(hInstance, 0, pbEntropy, sizeof(pbEntropy));
  return 0;
}

If anyone can shed some light onto how to achieve this via .NET (C# or VB.Net is fine) would be most helpful.

Thanks in Advance.

Chris

Answer 1

You don't have to do that, Microsoft have already done it for you. The built in .NET method RNGCryptoServiceProvider.GetBytes() provides good quality true random bytes derived from Windows CryptGenRandom. To quote RFC 4086:

The Windows CryptAPI cryptographic service provider stores a seed state variable with every user. When CryptGenRandom is called, this is combined with any randomness provided in the call and with various system and user data such as the process ID, thread ID, system clock, system time, system counter, memory status, free disk clusters, and hashed user environment block. This data is all fed to SHA-1, and the output is used to seed an RC4 key stream. That key stream is used to produce the pseudo-random data requested and to update the user's seed state variable.

Users of Windows ".NET" will probably find it easier to use the RNGCryptoServiceProvider.GetBytes method interface.

There is no need to re-invent the wheel, it has already been built for you.