Microsoft Drops Aging Encryption Schemes
christchurch wrote to mention an Eweek column about Microsoft's decision to stop using DES, MD4, and MD5 for encryption in Vista. From the article: "All three algorithms show signs of 'extreme weakness' and have been banned, Howard said. Microsoft is recommending using the Secure Hash Algorithm (SHA)256 encryption algorithm and AES (Advanced Encryption Standard) cipher instead, he said. The change is part of a semi-yearly update to Microsoft's Secure Development Lifecycle policies by engineers within Microsoft's Security Business & Technology Unit."
ROT13 (Score:5, Funny)
Re:ROT13 (Score:5, Funny)
Re:ROT13 (Score:5, Interesting)
Re:ROT13 (Score:2)
Interesting indeed.
(note: go into the subdirectories -- for me, the second one has TONS of stuff rot13'ed)
is MD4/5 really encryption ? (Score:5, Insightful)
I thought they were just one-way hashing algos
Re:is MD4/5 really encryption ? (Score:5, Informative)
Re:is MD4/5 really encryption ? (Score:5, Informative)
There is some correctness in your comment, however: Authentication. Hashing is indeed for Authentication (Is someone who they say they are?). Encryption is for keeping data confidential (I only want foo and bar to be able to read this). Please do not mix these up!
Encryption -- hashing (Score:2, Informative)
A hashing algorithm, as we all know, is just a many-to-one function (not reversible in general). f(x)=0 is such a hash function. It exhibits disappointing collision characteristics, though. f(x)=x avoids this complication, although it is reversible. Uh oh, now Microsoft's gonna steal and patent my elite hashing algorithms.
Re:Encryption -- hashing (Score:2)
You can always just take your favorite symmetric key encryption algorithm and XOR successive blocks to produce a hash.
And you can always embed your favorite hashing algorithm in a Feistel network to create a block cipher. Not that it's a good idea.
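Both directions described in the two comments above, as an added toy illustration that is not code from the thread: a Feistel block cipher whose round function is SHA-256 (constructed parameters: 16-byte block, 8 rounds, arbitrary key bytes), and a hash built back out of that cipher with the Davies-Meyer feed-forward rather than a bare XOR of blocks.

```python
import hashlib

# Added toy example (not code from the thread): a Feistel block cipher whose round
# function is SHA-256, and a hash built back out of that cipher (Davies-Meyer).
# Constructed parameters: 16-byte block, 8 rounds, arbitrary-length key bytes.
BLOCK = 16
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(half: bytes, key: bytes, rnd: int) -> bytes:
    """F(half) = SHA-256(key || round_number || half), truncated to 8 bytes.
    F is one-way; the Feistel structure is what makes the cipher invertible."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def feistel_encrypt_block(block: bytes, key: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        # Standard Feistel round: (L, R) -> (R, L xor F(R))
        left, right = right, xor(left, round_function(right, key, rnd))
    # Output the halves swapped so decryption can reuse the same loop
    return right + left


def feistel_decrypt_block(block: bytes, key: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):  # same rounds, keys in reverse order
        left, right = right, xor(left, round_function(right, key, rnd))
    return right + left


def davies_meyer_hash(msg: bytes) -> bytes:
    """The reverse direction: a hash from the block cipher. Each 16-byte message
    block is used as the cipher key: H_i = E_{m_i}(H_{i-1}) xor H_{i-1}.
    Merely XORing independently encrypted blocks would be order-independent
    (swapping two blocks gives the same digest); the chained feed-forward is not."""
    padded = msg + b"\x80"
    padded += bytes((-len(padded) - 8) % BLOCK) + len(msg).to_bytes(8, "big")
    h = bytes(BLOCK)  # constructed all-zero IV
    for i in range(0, len(padded), BLOCK):
        h = xor(feistel_encrypt_block(h, padded[i:i + BLOCK]), h)
    return h


if __name__ == "__main__":
    key, pt = b"sixteen byte key", b"0123456789abcdef"
    ct = feistel_encrypt_block(pt, key)
    print(ct.hex(), feistel_decrypt_block(ct, key) == pt)
    print(davies_meyer_hash(b"hello").hex())
```

The cipher is invertible even though SHA-256 is not, which is the whole point of the Feistel structure; as the comment says, it is a structural curiosity rather than a cipher to deploy.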
Re:is MD4/5 really encryption ? (Score:2)
When you configure a Cryptographic Provider for a Certificate Server, you're asked to specify your choice of hashing algorithm (MD2, MD4, MD5, SHA-1). What's that for?
Re:is MD4/5 really encryption ? (Score:3, Interesting)
Re:is MD4/5 really encryption ? (Score:2, Informative)
Cisco TACACS+ is an example where MD5 encrypts a session.
You are correct, they are hashes (Score:2)
Well, there is ONE possible exception to this. You can use hashes for error-correction. If you have enough hashes over enough slices of the data, you could actually
Re:is MD4/5 really encryption ? (Score:2)
Re:is MD4/5 really encryption ? (Score:5, Informative)
Not quite.
Whilst it is true that any data encrypted with a public key can be decrypted only with a private key, the converse is also true. Any data encrypted with a private key can be decrypted only with the public key. This means that whoever encrypted it must have had access to the private key and thus it gives confidence in where it originated.
It does not provide any confidentiality - but it's not supposed to, it is supposed to provide Integrity and message origin authentication.
This is the corner stone of digital signatures.
Re:is MD4/5 really encryption ? (Score:2)
This isn't true, and doesn't even make any sense.
Yes, for the particular plain-vanilla RSA scheme, the private key and public key are more-or-less "interchangeable."
For other public-key encryption schemes (e.g., ElGamal or Cramer-Shoup or Rabin or
Re:is MD4/5 really encryption ? (Score:2)
(He didn't claim they were interchangeable. Though if you use a random RSA "public" exponent, you can generate a key pair and then decide which half to publish. In practice no-one does that of course.)
Re:is MD4/5 really encryption ? (Score:3, Insightful)
You would not use RSA & private key encryption for message authenticity. But that's something different.
Besides that, almost any cryptographic algorithm depends on a specific scheme or protocol (padding/hashing etc.) to protect against cryptanalysis. Nowhere is it said that the parent of your post was referring to "plain-vanilla" RSA either. That's like saying that if you talk about AES, you are being foolish, since
Re:is MD4/5 really encryption ? (Score:2)
This is correct if your goal is to maintain security of the contents of the data.
If you are signing then the grandparent is entirely correct. If I generate a hash of the data and encrypt it using my private key, others can use my public key to unencrypt the hash and verify the contents of the data. Since only me (or my organisation/group
Teamwork (Score:3, Funny)
As opposed to the quarterly update by managers ?
one down, one to go (Score:5, Insightful)
I mean, sure, it'll be much harder to brute force any MS encryption now, but did people do it that way before? Weren't there always other workarounds that will still be present?
Re: (Score:3, Insightful)
Re:one down, one to go (Score:3, Interesting)
I don't know what you mean by "predicting," but yes, concrete MD5 collisions exist. I.e., two files, with different contents, that have the same MD5 hash (and the same size, to boot). They are printed in the paper that first announced the MD5 break. Further work has shown that additional collisions can be generated at will in minutes on a common laptop computer.
Re:one down, one to go (Score:2)
Re:one down, one to go (Score:2)
That's kind of been our theory on this. Just because you can come up with something that matches doesn't necessarily mean that it even will look like the object that it's meant to replace. For example, I want to replace an RPM in a Linux distro with a rogue component yet still match the MD5 hash. Since I'm going to have to replace the rest of the RPMs with something that create the same hash, am I still going to have a functioning
Re:one down, one to go (Score:3, Insightful)
It's all about buzzword-compliancy. It's managers who decide on a company's spending; the managers read overhyped news about "SHA1 getting broken" while the only thing the recent papers provided was a very expensive method to brute-force a hash collision -- *any* collision, not a message that matches a given hash. In the managers' minds, those encryption algorithms are worthless now -- and it's a very well-known fact that managers never accept being correct
Re:one down, one to go (Score:3, Insightful)
This is going to be a major (debatable) release for Microsoft after a long, long time. Typically the time gap between major releases is huge for Microsoft. In this time gap, all kinds of new attacks against crypto algos are discovered (http://it.slashdot.org/article.pl?sid=05/08/18/2247245&tid=93&tid=172 [slashdot.org]).
If they
Re:one down, one to go (Score:2)
however, I'd like to point out two things:
(1) Attacks get better. The SHA-1 attacks are improving. They're at least 64 times faster now than the initial publication, which is itself about 2000 times better than a brute force attack. This is drawing near the range of computability now. Sure, not like WEP or LanMan computability, but it's still broken.
(2) Which is better? Continuing to support and enforce weak, fragile, or downright broken standa
Re:one down, one to go (Score:5, Insightful)
This is not about buzzword compliance. The three algorithms that they are banning should have been done away with years ago. DES has been fairly easily crackable via brute force for nearly a decade now, and MD4 has had issues for just about as long. And now that collisions can be found for MD4 essentially by hand, it shouldn't be used for anything of any importance.
Hell, even NIST is recommending that people start figuring out ways to phase out their use of SHA-1, which is still practically secure, but starting to show cracks. And if there ever was an organization free of buzzwords, it's NIST (I dare you to read some of their FIPS documents without passing out).
This is a good move that needed to be done. It's a step in the right direction -- now they need to get on with shoring up the other holes in their codebase.
Re:one down, one to go (Score:5, Informative)
As a result of this, people could easily do a memory scan of lsass.exe to get the passwds of last few users who had logged on.
See http://www.cr0.net:8040/misc/cachedump.html [cr0.net]
Re:one down, one to go (Score:2)
In this particular case, it was a dll injection mechanism AFAIK.
Re:one down, one to go (Score:5, Insightful)
Re:one down, one to go (Score:2)
affects hardware upgrade cycles? (Score:2, Funny)
Gotta add more cycles to the those brute-force attack teams!
Automated checking (Score:5, Funny)
C:\ > make windows.vista
ERROR: Insecure code found.
Please upgrade code to Linux.
Re:Automated checking (Score:2)
Instead of investing in informing developers that those algorithms aren't really secure, and letting university CS courses around the world do their job, Microsoft just forbids you to use them.
Btw, how can you write an application that has to retain compatibility wit
Re:Automated checking (Score:3, Insightful)
NIS is the biggest, steamiest pile of insecurity ever conceived... and NFS is built right on top of it. But nobody ever screams and yells on Slashdot about how insecure it is... I guess because it was developed by people who didn't work for the "evil empire".
Allowed by US Gov? (Score:4, Interesting)
Re:Allowed by US Gov? (Score:2, Informative)
Which is yet another reason to offshore if you're multinational.
So imposing an export ban on software is kinda hard, seeing as it's hard to determine where it originates without accessing the machines it was made on - and even that can be faked.
Re:Allowed by US Gov? (Score:2)
Re:Allowed by US Gov? (Score:5, Informative)
This got fought in court for years, and was eventually ruled unconstitutional, so the regulation was immediately transferred to the Commerce department, where it is fighting its way through the courts !!!again!!!. In the meantime, the departments involved have relented enough to permit big corporate campaign contributors, like Microsoft and the other OS vendors, to include basic encryption capabilities.
But the US government still would strongly prefer that all such tools have some form of backdoor. That's why they developed the Clipper chip for use in cell phones, which was dropped when it turned out to work well but could be reprogrammed with a genuinely private key with a bit of work, and why the "Trusted Computing" initiative by Microsoft and their peers keeps the master encryption keys in the hands of "authorized distributors", mostly Microsoft. This means you can't use the Trusted Computing chips without someone signing off on your keys because the system won't accept unsigned keys, and that means handing over money to buy a key and identifying yourself so that law enforcement can find you if your key turns up anywhere they don't like it. It also gives a convenient central location to serve with a subpoena to get your keys, without your ever being notified of the subpoena.
Various computer companies are willing to accept the centralized key and subpoena burdens in order to actually get robust encryption and authentication for their tools, but we need to be aware of the little details and their potential for abuse. Trusted Computing won't change the US regulations, but since they're regulations and not law, it's easy for the government to turn a blind eye at its own whim to its export, especially to prevent the general use of more robust or subpoena-safe encryption.
Re:Allowed by US Gov? (Score:2)
"...but since they're regulations and not law..."
Regulations are laws. (Yes, IAAL.) So no, it's not "easy for the government to turn a blind eye" to violations.
Makes me wonder how much more of your confidently penned reply is factually based.
Re:Allowed by US Gov? (Score:2)
So, presumably the government saw that rather than risk losing control over encryption completely because of a Supreme Court decision or something, they decided
Re:Allowed by US Gov? (Score:5, Informative)
I thought that there was a limit of encryption and everything above ...bits was banned from exporting
That has changed. Back in the days of Windows NT 4, cryptographic algorithms were classified as munitions under ITAR [wikipedia.org]. In the late 90s the law was changed, removing this classification. These days, there are still some export controls on crypto, but it's fairly easy to get a permit to export anything that uses a standard, well-known algorithm, pretty much independent of key size.
As others noted, that changed (Score:2)
This was a major change in operation, as it used to be that the algorithms used for secret encryption were themselves secret.
What seems to have happened is the government has been made to realise that strong crypto exists all over the world. Thus to restrict is artifi
The real reason... (Score:5, Funny)
Re:The real reason... (Score:3, Interesting)
Windows no longer uses the insecure encryption that certain other OS' use, upgrade your security now, upgrade to Vista.
A classic quote to appeal to the PHB's and their ilk.
Re:The real reason... (Score:2)
Re:The real reason... (Score:5, Insightful)
Re:The real reason... (Score:2)
(Note: working from home right now, with three-year-old Office X -- don't know if current versions of Office still have the XOR option.)
improving encryption (Score:4, Funny)
Re:improving encryption (Score:2)
Re:improving encryption (Score:2)
I'm not sure but.... (Score:5, Interesting)
Re:I'm not sure but.... (Score:2)
Re:I'm not sure but.... (Score:5, Insightful)
Upgrade in the name of security!
Or you can go deep down in Vista and enable an option for OLD/deprecated NTLM support, giving you many popups about your OS not being safe: WARNING WARNING WARNING!
Re:I'm not sure but.... (Score:2)
Microsoft has been a company which actually puts extra code in their kernel to keep buggy software compatible with its new releases (http://www.kuro5hin.org/story/2004/2/15/71552/7795 [kuro5hin.org]).
It's hard to believe Microsoft would actually go to this extent. On the other hand, they might be taking a very fresh approach to their new OS
Re:I'm not sure but.... (Score:2)
If they're mandating Kerberos only, they pretty much lock Vista out of remote usage and make it LAN only.
Re:I'm not sure but.... (Score:2)
Re:I'm not sure but.... (Score:2)
So LM hashes are out! Yay! (Score:3, Insightful)
well good. It's about time. (Score:3, Interesting)
Ok, question: what does Windows use hashes for, other than the updater (if even that)? Can't the updater just change what it supports, and leave the other hash tools alone?
How about some real security enhancements, Gates?
Re:well good. It's about time. (Score:2)
Switching to SHA1 hashes only will break compatibility with everything earlier than XP.. which is probably what MS really want - force everyone to upgrade.
Doh ... (Score:3, Interesting)
Soon in Vista, 120xDES and AES implemented as default algorithms but windows media player will run any command sent remotely
Alternative encryption schemes available.. (Score:5, Funny)
Re:Alternative encryption schemes available.. (Score:2)
Re:Alternative encryption schemes available.. (Score:2, Funny)
RC4 (Score:2)
Isn't it time to abandon RC4 too while they are at it?
What about linux? (Score:2)
Re:What about linux? (Score:2)
Re:What about linux? (Score:5, Informative)
In case you're curious, here's some info [redhat.com] on the Red Hat mailing list about it.
Note that this message is from 2003, but still not a lot has been done.
It is possible though... you can check if your system uses md5 or blowfish by looking in
Re:What about linux? (Score:2)
Bob
Firefox already supports AES/256 (Score:3, Interesting)
On the other hand, IIS and IE support nothing stronger than 128-bit RC4.. so by dropping RC4 they will lose compatibility with older versions of their own products, but maintain compatibility with their competitors.
AES & SHA256 are young (Score:4, Interesting)
Re:AES & SHA256 are young (Score:2)
Any encryption will be broken given enough time... for most people it really isn't an issue - for example your browser communication only needs to be 'secure' for about 10 seconds to do a transaction.
Re:AES & SHA256 are young (Score:5, Insightful)
I wouldn't call it a crack, more of a theoretical vulnerability. [schneier.com] When the attack's complexity exceeds the number of atoms in the universe, it doesn't seem much like a "crack".
Re:AES & SHA256 are young (Score:2)
Re:AES & SHA256 are young (Score:2)
If you know of an exploitable, real-world weakness in AES, there's a doctorate degree from any university in the world and a high six-figure salary with your name on it. The U. S. Government, in particular, would be interested in learning of a weakness in AES, since it uses AES for many secret and top secret-classified transactions.
Many people think yes (Score:2)
Do remember that AES was around long before it became AES. It was originally Rijndael, which was first published in 1998. True, that's not the same as DES's multi-decade legacy, but it's still a long
Clean slate (Score:2)
Will this help the security of Vista? (Score:3, Insightful)
HTTP Digest (Score:5, Interesting)
I hope they'll still support that!
Re:HTTP Digest (Score:2)
The opportunity to break compatibility with all 3rd party browsers? MS will jump at the chance.
I'm guessing it'll be Kerberos auth only.
Re:HTTP Digest (Score:3, Interesting)
Presumably MS hasn't changed that part of IE since version 1 and it will stay that way.
Re:HTTP Digest (Score:3, Funny)
MD5 is deprecated, but every web server still supports basic authentication, which uses Base64. Hmm.
64 is much bigger than 5, so it must be better.
Yup. No more digest authentication, only basic will be supported! Another security problem averted; quick: call the press!
So what's wrong with these? (Score:2, Insightful)
Re:So what's wrong with these? (Score:2)
And while this doesn't allow a lot of interesting attacks (though we have already seen where one can use these collisions to create two postscript documents or TIFF images that display different contents, but hash to the same value), it is still a major weakness with the algorithm that may lead to further more
Re:So what's wrong with these? (Score:2)
Re:So what's wrong with these? (Score:2)
Not even close.
The ideal hash function has an equal probability of all possible results for any given input. Let's look at a non-ideal one: h(x) = 1. Now, any input results in the same hash value. Is that email signature valid? Sure: it has the expected hash! Did that ISO come through intact? Sure: the hash matches! Wouldn't be very useful, would it? In this simplified example, returning a 1024-bit hash v
In other words... (Score:2, Funny)
In other words, Microsoft Drops AES?
Man, I'm so confused now.
OK, you can stop throwing
Translate to Devspeak (Score:3, Funny)
Microsoft will be marking the DES, MD4, MD5 and SHA1 encryption provider classes obsolete in upcoming versions of the
Expired SHA (Score:2, Interesting)
Close the door and leave the windows open (Score:2)
The Real Question: TEA in XBOX 360? (Score:2)
If Microsoft is kind enough to continue using TEA encryption in the Xbox 360 for the bootstrap initialization, perhaps it will not be so unhackable.
Probably not, but my personal belief is that MS would be dumb to make it unhackable, as mod chips have probably been responsible for a lot of console sales, and in turn, a lot of good word-of-mouth PR in the trenches.
I hope they can get it right (Score:5, Informative)
What about RC4? (Score:2)
I hope They Fix .Net Then (Score:3, Insightful)
Re:I for one... (Score:2)
Re:MD4 and MD5 are not encryption schemes (Score:2, Informative)
Hashing algorithms can as well be used as stream ciphers. Since they have the property that they are "cryptographically secure" - i.e. their output could as well have been random for all you care - they can be used to create a stream of pseudo-random bytes that you can XOR your messag
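The hash-as-stream-cipher construction the comment describes, as an added example that is not code from the thread. Assumptions: SHA-256 stands in for the hash, the keystream is the concatenated digests of key || nonce || 8-byte counter, and the nonce is chosen by the caller; the last function shows the failure mode that makes nonce reuse fatal for any such cipher.

```python
import hashlib

# Added example (not from the thread): a stream cipher whose keystream is produced
# by hashing key || nonce || counter, as the comment describes. Constructed
# parameters: SHA-256 as the hash, 8-byte big-endian counter, caller-chosen nonce.


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Generate `length` pseudo-random bytes: concatenated SHA-256 digests of
    key || nonce || counter for counter = 0, 1, 2, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, message: bytes) -> bytes:
    """Ciphertext = message XOR keystream. Confidentiality only: there is no
    integrity check, so flipping a ciphertext bit flips the same plaintext bit."""
    return xor_bytes(message, keystream(key, nonce, len(message)))


def stream_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return stream_encrypt(key, nonce, ciphertext)  # XOR is its own inverse


def reused_keystream_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Failure mode to design against: if two messages are encrypted under the
    same (key, nonce), the keystream cancels and ct1 XOR ct2 equals pt1 XOR pt2,
    computed here with no key at all. A counter/nonce must never repeat under
    one key, which is why real designs bind it to a message sequence number."""
    n = min(len(ct1), len(ct2))
    return xor_bytes(ct1[:n], ct2[:n])


if __name__ == "__main__":
    k, n = b"constructed-key!", b"nonce001"
    c = stream_encrypt(k, n, b"attack at dawn")
    print(c.hex(), stream_decrypt(k, n, c))
```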
Re:MD4 and MD5 are not encryption schemes (Score:2)