Slashdot Mirror


Zimmermann Enters Debate on Microsoft Encryption

Golygydd Max writes "I didn't see much coverage of the RC4 flaw in Microsoft Office that was uncovered recently by a researcher, Hongjun Wu. Now, PGP creator Phil Zimmermann, dissatisfied with Microsoft's response, has joined in the debate. In an interview with Techworld he castigates Microsoft for their inadequate response: 'The lay user ought to be entitled to assume that the encryption produced by Microsoft is adequate. ... If Microsoft wants to earn the respect of the cryptographic community and the public it must rise to the occasion by producing competent security.' The cynic might ask, 'what respect', but should Microsoft have taken a flaw in some of its most popular programs more seriously?"

2 of 381 comments

  1. MS Encryption is a joke by bigtallmofo · Score: 4, Informative

    I especially dislike their Encrypted File System (EFS). One of its highlights is that the first administrator account set up in a domain is designated an "Encrypted Data Recovery Agent". What does this mean? If you use your domain login at work to encrypt your data, the administrator has immediate ability to decrypt it anytime they want.

    How is this done? Every file that is written to an encrypted folder by User A has a private encryption key generated for it. That private encryption key is then encrypted with User A's public key and every designated Encrypted Data Recovery Agent's public key. Then either User A or any such recovery agent's private key can then decrypt the file.

    Of course, MS just lets lay users assume their "encrypted" files are private.

    --
    I'm a big tall mofo.
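
The key-wrapping layout described in the comment above, as an added example that is not part of the original thread and not Microsoft's code. It is a constructed Python model using the third-party `cryptography` package; RSA-OAEP, AES-256-GCM, the holder names and the sample plaintext are assumptions chosen for illustration.

```python
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP and AES-256-GCM are illustrative choices, not taken from EFS.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def new_key():
    """Constructed RSA key pair standing in for a user or recovery-agent certificate."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def encrypt_file(data, holders):
    """Seal data under a fresh file key, then wrap that key once per holder."""
    file_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    return {
        "nonce": nonce,
        "ciphertext": AESGCM(file_key).encrypt(nonce, data, None),
        # One wrapped copy of the same file key per public key: user and agents.
        "wrapped_keys": {name: pub.encrypt(file_key, OAEP) for name, pub in holders.items()},
    }


def decrypt_file(blob, name, private_key):
    """Unwrap the file key with one holder's private key and open the data."""
    if name not in blob["wrapped_keys"]:
        raise PermissionError(f"no wrapped file key for {name!r}")
    file_key = private_key.decrypt(blob["wrapped_keys"][name], OAEP)
    return AESGCM(file_key).decrypt(blob["nonce"], blob["ciphertext"], None)


def who_can_decrypt(blob):
    """Audit view: each name listed can read the file without the others' help."""
    return sorted(blob["wrapped_keys"])


if __name__ == "__main__":
    user, agent = new_key(), new_key()
    holders = {"user-a": user.public_key(), "recovery-agent": agent.public_key()}
    blob = encrypt_file(b"constructed sample plaintext", holders)
    print("holders:", who_can_decrypt(blob))
    print("agent reads:", decrypt_file(blob, "recovery-agent", agent))
```

The holder list is what to audit: every name in it can read the file with its own private key alone.
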
  2. Re:First rule of Microsoft encryption by Anonymous Coward · Score: 4, Informative

    > Wasn't RC4 closed source until the source leaked out on the web

    The algorithm was one of RSA's trade secrets. It wasn't the source that was leaked but a description of the algorithm. Consequently, third parties implemented the algorithm and there was nothing RSA could do about it -- it wasn't patented, RSA preferring the trade secret route, and copyright didn't apply because you can't copyright algorithms.

    > which were patched, and it was a better algorithm for being "open sourced", albeit against its will.

    It wasn't improved as far as I know, but the algorithm is sometimes known as arcfour. This is because RC4 is trademarked. Perhaps you were thinking of this.

    Also, it is a little misleading to say it was "open sourced" against its will. Firstly, because it wasn't "open sourced" in the strictest sense but more importantly, RC4 is just an algorithm with many different implementations and an algorithmic description is information. And as we all know, information wants to be freeee.