
What entropy sources are available on Windows?

I want to produce a random cryptographic key on Windows. Where can I obtain entropy?

I would like my entropy function to work without a network connection and to be reliable on Windows 2000 and upwards. Even sources which may or may not provide a small amount of entropy could be useful as all the sources will be pooled.

This is my initial list of functions:

GetCurrentProcessID, GetCurrentThreadID, GetTickCount, GetLocalTime, QueryPerformanceCounter, GlobalMemoryStatus, GetDiskFreeSpace, GetComputerName, GetUserName, GetCursorPos, GetMessageTime, GetSystemInfo, CryptGenRandom, GetProcessHandleCount, GetProcessMemoryInfo.

soid asked Sep 16 '25 03:09


2 Answers

Although early versions of the CryptGenRandom function may contain weaknesses, later versions follow secure standards (see the remarks on the CryptGenRandom page).

It is weak to just use time as your seed. There is an answer under What is the most secure seed for random number generation? which explains that the unpredictable random seed may only need 128 bits to produce a secure PRNG. It is therefore probably unnecessary to find more sources than those listed in the question, and normally the CryptGenRandom function will already contain and generate enough entropy for itself that the caller does not need to do any of this.

CryptGenRandom and the function CryptAcquireContext, which must precede it, can be called from Delphi like this.

soid answered Sep 17 '25 18:09
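An added example, not code from the original answer: one way to obtain a 128-bit key from CryptGenRandom in Delphi, acquiring the provider with CryptAcquireContext first. It assumes Delphi 2009 or later (for `NativeUInt`) and declares the three advapi32 imports itself; `GenerateKey`, `TKey128` and the program name are names chosen for this illustration.

```delphi
program GenKeyDemo;

{$APPTYPE CONSOLE}

uses
  SysUtils;

const
  PROV_RSA_FULL       = 1;                    // value from wincrypt.h
  CRYPT_VERIFYCONTEXT = Cardinal($F0000000);  // no persisted key container is needed

type
  HCRYPTPROV = NativeUInt;                    // pointer-sized provider handle
  TKey128    = array[0..15] of Byte;          // 128 bits, the size the answer mentions

function CryptAcquireContextW(out phProv: HCRYPTPROV; pszContainer,
  pszProvider: PWideChar; dwProvType, dwFlags: Cardinal): LongBool;
  stdcall; external 'advapi32.dll';
function CryptGenRandom(hProv: HCRYPTPROV; dwLen: Cardinal;
  pbBuffer: Pointer): LongBool; stdcall; external 'advapi32.dll';
function CryptReleaseContext(hProv: HCRYPTPROV; dwFlags: Cardinal): LongBool;
  stdcall; external 'advapi32.dll';

// Fills Key from the system CSPRNG. Raises EOSError instead of
// returning a partially filled or predictable key on failure.
procedure GenerateKey(out Key: TKey128);
var
  Prov: HCRYPTPROV;
begin
  if not CryptAcquireContextW(Prov, nil, nil, PROV_RSA_FULL,
    CRYPT_VERIFYCONTEXT) then
    RaiseLastOSError;
  try
    if not CryptGenRandom(Prov, SizeOf(Key), @Key) then
      RaiseLastOSError;
  finally
    CryptReleaseContext(Prov, 0);             // always release the provider handle
  end;
end;

var
  Key: TKey128;
  I: Integer;
begin
  GenerateKey(Key);
  for I := Low(Key) to High(Key) do
    Write(IntToHex(Key[I], 2));               // demo only: real code would not print a key
  Writeln;
  FillChar(Key, SizeOf(Key), 0);              // wipe the key from memory when done
end.
```

The CryptGenRandom documentation states that data already present in the buffer is used as an auxiliary seed, so values pooled from the functions listed in the question can be copied into the buffer before the call rather than replacing it.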


If it's an option, you can ask the user to move the mouse pointer for a while.

greg answered Sep 17 '25 19:09