Slashdot Mirror


Zimmermann Enters Debate on Microsoft Encryption

Golygydd Max writes "I didn't see much coverage of the RC4 flaw in Microsoft Office that was uncovered recently by a researcher, Hongjun Wu. Now, PGP creator Phil Zimmermann, dissatisfied with Microsoft's response, has joined in the debate. In an interview with Techworld he castigates Microsoft for their inadequate response: 'The lay user ought to be entitled to assume that the encryption produced by Microsoft is adequate. ... If Microsoft wants to earn the respect of the cryptographic community and the public it must rise to the occasion by producing competent security.' The cynic might ask, 'what respect', but should Microsoft have taken a flaw in some of its most popular programs more seriously?"

61 of 381 comments

  1. First rule of Microsoft encryption by Anonymous Coward · · Score: 4, Insightful

    Do not use Microsoft encryption.

    1. Re:First rule of Microsoft encryption by killmenow · · Score: 2, Funny

      Me too. But, just to be safe, I do it twice.

    2. Re:First rule of Microsoft encryption by JeffWhitledge · · Score: 5, Interesting

      Consider NSA's track record:

      • In the seventies they recommended changes to DES, which in the early nineties were discovered to have made it more secure.
      • They have developed and are freely distributing the source for an improved-security version of Linux.

      An agreement with Microsoft to ensure insecure encryption would be very out of character for them.

      That is, unless they're just a bunch of Linux freaks.

      --
      These comments do express the opinions of my employers, and, personally, I think they're complete rubbish.
    3. Re:First rule of Microsoft encryption by Anonymous Coward · · Score: 4, Informative
      > Wasn't RC4 closed source until the source leaked out on the web
      The algorithm was one of RSA's trade secrets. It wasn't the source that was leaked but a description of the algorithm. Consequently, third parties implemented the algorithm and there was nothing RSA could do about it -- it wasn't patented, RSA preferring the trade secret route, and copyright didn't apply because you can't copyright algorithms.
      > which were patched, and it was a better algorithm for being "open sourced", albeit against its will.
      It wasn't improved as far as I know, but the algorithm is sometimes known as arcfour. This is because RC4 is trademarked. Perhaps you were thinking of this.

      Also, it is a little misleading to say it was "open sourced" against its will. Firstly, because it wasn't "open sourced" in the strictest sense but more importantly, RC4 is just an algorithm with many different implementations and an algorithmic description is information. And as we all know, information wants to be freeee.
    4. Re:First rule of Microsoft encryption by phats+garage · · Score: 2, Funny

      These jokes are like one time pads. The more you use them, the less effective they are.

  2. copyright by oliverthered · · Score: 4, Insightful

    How else are we supposed to get access to all these works in 150 years time (or 50 in some countries) when the copyright expires on them.

    --
    thank God the internet isn't a human right.
    1. Re:copyright by ceeam · · Score: 4, Funny

      Fear not, Disney is working on it.

    2. Re:copyright by mlush · · Score: 3, Insightful

      >>How else are we supposed to get access to all these works in 150
      >>years time (or 50 in some countries) when the copyright expires on them.
      >Uhhh... Public... Domain?

      If the encryption were unbreakable and the keys lost, it would not be a lot of use

    3. Re:copyright by j0nb0y · · Score: 4, Insightful

      Copyright expiration? Copyrights don't expire. Congress extends them again every 20 years. And they'll keep doing so, forever, since the Supreme Court ruled that it was perfectly okay!

      --
      If you had super powers, would you use them for good, or for awesome?
    4. Re:copyright by 16K+Ram+Pack · · Score: 2, Insightful
      They'll keep doing it until a richer special interest group comes along that trumps them.

      I bet there was a time when there was a powerful horse breeders' lobby.

    5. Re:copyright by Riddlefox · · Score: 2, Insightful
      By definition, brute force means that you try every single possible key. This guarantees you that sooner or later, you'll find the correct key (if one exists). Eventually, you will break the encryption using brute force.

      What you were trying to say is that it's improbable, not impossible, that you'll be able to break 128-bit encryption anytime soon. You just have to try long enough, but who wants to wait a century to brute-force a single key?

      Of course, the attacker could be lucky, and the very first key he tries is the right one.

      Quantum computing does stand to make 128-bit encryption useless, though. Some of the very first algorithms written for quantum computers are directly applicable to cracking commonly used ciphers (for instance, factoring huge numbers, or very, very quickly searching through a list).

    6. Re:copyright by Riddlefox · · Score: 3, Insightful
      As has been mentioned, a properly implemented one time pad is completely unbreakable.

      The basic concept is to take a completely random stream of characters (numbers, bits, whatever). You record these random characters to a pad, and distribute this pad to everyone who needs to send and decrypt messages.

      When you want to send a message, you XOR your message with the random characters. The result is a completely random string of characters. To decrypt, you XOR the encrypted message with the same random characters that were used to encrypt the message.

      Since you are combining a message with random data, it's unbreakable.

      For instance, you get a string of random characters and try to decrypt it:
      #*YRHOIHSDF&VP
      What does it decrypt to?
      ATTACK AT DAWN
      SURRENDER NOW.
      GO FOR THE GUN
      I LOVE SWEETS!
      PAY ME $10,000
      CMDRTACO SUCKS
      NO HE DOESN'T!

      Which message is it? You can't tell, because you can't tell which random letters I used to transform my message.

      However, you can't reuse any of the pads, else the message is crackable. You must have a very high quality source of random characters. You must securely distribute the one time pad to everyone who could need to communicate. You must ensure everyone stays synchronized. There's a bunch of problems with one-time pads, which is why it's not more commonly used.
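The "which message is it?" argument above can be checked directly. The following is an added example, not code from the thread: it implements the XOR one-time pad the comment describes and shows that for an intercepted 14-byte ciphertext, every one of the 14-byte candidate plaintexts listed in the comment is explained by some pad, so the ciphertext on its own cannot favour any of them. The candidate list and the use of `os.urandom` as the "very high quality source of random characters" are the example's own choices.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR: with a one-time pad this is both encryption and decryption."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    # A pad shorter than the message would have to be stretched or recycled,
    # which is exactly the misuse the comment warns about, so refuse it.
    if len(pad) < len(message):
        raise ValueError("pad shorter than message: never reuse pad bytes")
    return xor_bytes(message, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return otp_encrypt(ciphertext, pad)


def pad_that_yields(ciphertext: bytes, candidate: bytes) -> bytes:
    """The pad under which `ciphertext` would decrypt to `candidate`.

    For any candidate of the right length such a pad exists and is unique,
    so an attacker who tries to "decrypt" the ciphertext by guessing the
    message finds that every guess is consistent with it."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must be exactly the ciphertext length")
    return xor_bytes(ciphertext, candidate)


def every_candidate_fits(ciphertext: bytes, candidates) -> bool:
    """True if each candidate plaintext is explained by some pad."""
    return all(
        otp_decrypt(ciphertext, pad_that_yields(ciphertext, c)) == c
        for c in candidates
    )


# The 14-character candidates from the comment above (constructed sample).
CANDIDATES = [
    b"ATTACK AT DAWN",
    b"SURRENDER NOW.",
    b"GO FOR THE GUN",
    b"I LOVE SWEETS!",
    b"PAY ME $10,000",
    b"CMDRTACO SUCKS",
    b"NO HE DOESN'T!",
]


def demo(secret: bytes = b"ATTACK AT DAWN") -> dict:
    """Encrypt one real message, then show the ciphertext fits every candidate."""
    pad = os.urandom(len(secret))          # fresh random pad, used exactly once
    ciphertext = otp_encrypt(secret, pad)
    pads = {pad_that_yields(ciphertext, c) for c in CANDIDATES}
    return {
        "roundtrip": otp_decrypt(ciphertext, pad) == secret,
        "all_fit": every_candidate_fits(ciphertext, CANDIDATES),
        # each candidate needs a different pad, and nothing in the ciphertext
        # says which of those pads was the real one
        "distinct_pads": len(pads) == len(CANDIDATES),
    }


if __name__ == "__main__":
    print(demo())
```

The flip side of `pad_that_yields` is the reuse warning in the last paragraph of the comment: if two messages share a pad, XORing the two ciphertexts cancels the pad and leaves the XOR of the plaintexts, and the "every guess fits" property is gone.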

    7. Re:copyright by ajs318 · · Score: 2, Informative
      Any encryption algorithm is susceptible to brute force. However, the fewer times the key is repeated in the message, the more indeterminate variables. In the limiting case, where the message is shorter than the key, you have effectively a one-time pad and every guessed plaintext is equally valid. For example, the plaintext phrase
      DEFENDTHEBRIDGEATNOON
      might encrypt as
      PVTJRBUTYMYUQAZVCAHNU
      but can also decipher, equally plausibly, as
      ATTACKTHEHILLATSUNSET
      or even
      MYDAUGHTERHASTHEPILES
      Additionally, any kind of symmetric encryption must be considered weak; because if you can recover the encryption key somehow, you have the decryption key.
      --
      Je fume. Tu fumes. Nous fûmes!
    8. Re:copyright by arose · · Score: 3, Insightful
      What is the real difference between copyrights (specific expressions of an idea) and physical property?
      The physical part.
      --
      Analogies don't equal equalities, they are merely somewhat analogous.
  3. Employ Mr. Zimmermann by antivoid · · Score: 5, Interesting

    Perhaps Microsoft should employ Mr. Zimmermann of PGP to fix M$'s broken code.

    The fact that so many documents written (especially now) are using Microsoft formats, makes this problem very dangerous.

    It's worth mentioning that any documents that are actually worth protecting should by default not rely on Microsoft's (lack of) security, as it is a known trend that Microsoft fails time and time again to provide adequate security.

    People think "wow! encryption, and NOT a lame password". But, as per normal, scratch a little deeper and you can see how flawed Microsoft code actually is...

  4. Have to say it.... by GillBates0 · · Score: 5, Funny

    Zimmermann makes some Pretty Good Points in the interview.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
    1. Re:Have to say it.... by halivar · · Score: 3, Funny

      Zimmermann makes some Pretty Good Points in the interview.

      "Hanging is too good for a punster. He should be drawn and quoted."

  5. MS Encryption is a joke by bigtallmofo · · Score: 4, Informative

    I especially dislike their Encrypted File System (EFS). One of its highlights is that the first administrator account set up in a domain is designated an "Encrypted Data Recovery Agent". What does this mean? If you use your domain login at work to encrypt your data, the administrator has immediate ability to decrypt it anytime they want.

    How is this done? Every file that is written to an encrypted folder by User A has a private encryption key generated for it. That private encryption key is then encrypted with User A's public key and every designated Encrypted Data Recovery Agent's public key. Then either User A or any such recovery agent's private key can then decrypt the file.

    Of course, MS just lets lay users assume their "encrypted" files are private.

    --
    I'm a big tall mofo.
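The per-file key structure described above is envelope encryption with several recipients, and it is easy to model. The following is an added example rather than anything from the thread or from Windows: a random per-file key encrypts the contents, and that key is then wrapped once for the owner (the Data Decryption Field) and once for each recovery agent (the Data Recovery Fields). The public-key part is a deliberately tiny textbook RSA (unpadded, small modulus) and the bulk cipher is a SHA-256 counter-mode keystream; both are stand-ins chosen so the example needs only the standard library, not the algorithms EFS actually uses, and the field names `ddf`/`drf` are the example's own.

```python
import hashlib
import os
import random


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- toy RSA (textbook, unpadded) standing in for the users' certificate keys ----
def _probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(p):
            return p


def rsa_keypair(bits: int = 256):
    """Return (public, private) as ((e, n), (d, n)). Toy size: never use for real data."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def wrap_fek(fek: bytes, public) -> int:
    """Encrypt the 128-bit file key to one recipient's public key."""
    e, n = public
    return pow(int.from_bytes(fek, "big"), e, n)


def unwrap_fek(blob: int, private):
    d, n = private
    m = pow(blob, d, n)
    # With the wrong private key the result is a random residue, not a 128-bit key.
    return m.to_bytes(16, "big") if m < (1 << 128) else None


# ---- bulk encryption: SHA-256 counter-mode keystream, stand-in for a block cipher ----
def _keystream(fek: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(fek + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def efs_encrypt(plaintext: bytes, owner_public, agent_publics: list) -> dict:
    """One fresh key per file, wrapped for the owner and for every recovery agent."""
    fek = os.urandom(16)
    return {
        "data": xor_bytes(plaintext, _keystream(fek, len(plaintext))),
        "ddf": wrap_fek(fek, owner_public),                   # owner's copy of the key
        "drf": [wrap_fek(fek, pk) for pk in agent_publics],   # one copy per agent
    }


def efs_decrypt(encrypted: dict, private, agent_index=None):
    """Owner uses the DDF; a recovery agent picks its own DRF entry."""
    blob = encrypted["ddf"] if agent_index is None else encrypted["drf"][agent_index]
    fek = unwrap_fek(blob, private)
    if fek is None:
        return None
    return xor_bytes(encrypted["data"], _keystream(fek, len(encrypted["data"])))


if __name__ == "__main__":
    owner_pub, owner_priv = rsa_keypair()
    agent_pub, agent_priv = rsa_keypair()
    enc = efs_encrypt(b"quarterly numbers", owner_pub, [agent_pub])
    print(efs_decrypt(enc, owner_priv), efs_decrypt(enc, agent_priv, agent_index=0))
```

Two consequences of this layout are worth keeping in mind. Anyone holding a recovery agent's private key can open every file whose DRF list includes that agent, which is the point being argued in this sub-thread, so that key is a high-value target and belongs offline. And the DRF list is fixed when the file is written: designating a new agent later, or removing one, changes nothing about files that already exist until their keys are re-wrapped.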
    1. Re:MS Encryption is a joke by gUmbi · · Score: 4, Insightful

      One of its highlights is that the first administrator account set up in a domain is designated an "Encrypted Data Recovery Agent". What does this mean?

      For corporations (the target market for EFS), it means that if someone is fired, quits, dies, etc. then their data is not lost forever.

    2. Re:MS Encryption is a joke by danheskett · · Score: 4, Insightful

      MS encryption should be better, but what you describe is not a flaw.

      In a corporate setting it should not be permissible for an employee to conceal data from the owner of the data and machines. The owner of the machine - aka the corporation - should have final say over what is encrypted or not.

      Imagine what could be done if there was no way for a high-level sysadmin to decrypt user files. Imagine the damage that could be done.

      A spiteful (ex)-employee could easily encrypt and forever destroy sensitive data that is irreplaceable.

      Not only that, but it is entirely possible that the user could accidentally render the data unencryptable. That'd be bad.

      EFS is not for a typical user to permanently encrypt data that can never be revealed. It is primarily designed so that sensitive data on corporate laptops can be stored in a way that if it is stolen it cannot be decrypted. This purpose is well served by EFS.

      There are many excellent critiques of MS's security and data protection capabilities. There is no need to overreach and bash things that do actually work as intended.

    3. Re:MS Encryption is a joke by GigsVT · · Score: 2

      Glad to see you are back with us.

      A spiteful (ex)-employee could easily encrypt and forever destroy sensitive data that is irreplaceable.

      Or they could just overwrite it and delete it.

      typical user to permanently encrypt data that can never be revealed

      Not sure why you'd want to "permanently encrypt data"... You might as well overwrite and delete it.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    4. Re:MS Encryption is a joke by 0123456 · · Score: 4, Insightful

      "Imagine the damage that could be done."

      Such as, exactly?

      "AI spiteful (ex)-employee could easily encrypt and forever destroy sensitive data that is irreplaceable."

      Or they could just del *.*. Or format c:. Or burn down the building.

      This whole 'spiteful employee' argument is nonsense. The only reasons to have a 'key recovery agent' are to recover passwords for clueless employees and to spy on slightly more clued employees.

    5. Re:MS Encryption is a joke by JeffWhitledge · · Score: 2, Insightful

      I'm sorry, but if I'm on my death bed and I am not senile, then there is a reason why I have not decrypted my files - because I don't want them opened.

      If you're putting personal encrypted material on your employer's computer, then you are already senile.

      --
      These comments do express the opinions of my employers, and, personally, I think they're complete rubbish.
    6. Re:MS Encryption is a joke by rikkards · · Score: 3, Insightful

      Maybe at home, but corporate computers are corporate property. There is no expected level of privacy on said property. If you don't want someone at work looking at your private stuff then don't keep it on business machines.

    7. Re:MS Encryption is a joke by Proteus · · Score: 5, Insightful

      While I agree that the 'spiteful employee' argument is largely bunk, the 'employee who quit, got fired, or otherwise left unexpectedly' argument is not.

      e.g. I am a sysadmin, and I store all the incident reports on a Win2k3 EFS box, encrypted to my key. These incident reports are important to whomever is doing my job -- no one needs to see them unless I leave unexpectedly. If I get trampled by a herd of malicious gnus on the way to work, the top-level admins will need access to my data, as will whoever replaces me.

      There are two solutions to that -- share my key or use the EFS recoverable key system. Guess which I'd rather do?

      --
      We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
  6. Don't Worry by Dipster · · Score: 5, Funny
    It'll be fixed in the next installment. Just give them more of your money...

    Why fix it in a free patch, when they can charge money for a new version that you have a reason to buy?

  7. Article mirror by Anonymous Coward · · Score: 3, Informative
    Crypto expert: Microsoft flaw is serious

    Microsoft should sort flaw and abandon RC4 in favour of better ciphers, says PGP creator.

    By John E. Dunn, Techworld

    Cryptography expert Phil Zimmermann has said he believes the flaw discovered in Microsoft's Word and Excel encryption is serious and warrants immediate attention.

    "I think this is a serious flaw - it is highly exploitable. It is not a theoretical attack," said Zimmermann, referring to a flaw in Microsoft's use of RC4 document encryption unearthed recently by a researcher in Singapore.

    "The lay user ought to be entitled to assume that the encryption produced by Microsoft is adequate. [...] If Microsoft wants to earn the respect of the cryptographic community and the public it must rise to the occasion by producing competent security."

    Microsoft has been dismissive of the seriousness of the flaw, which relates to the way it has implemented the RC4 encryption stream cipher. As explained by Hungjun Wu of the Institute of Infocomm Research, it would allow anyone able to gain access to two or more versions of the same password and encrypted document to reverse engineer the scheme used to make it secure.

    "Stream ciphers have to be used most carefully. Any failure to do this will result in a disastrous loss of security," Zimmermann said. "Even with a properly chosen initialisation vector, you have to run it for a while before the quality of the stream cipher is good enough to use." Contrary to Microsoft's claims that the issue was a "very low threat", he countered that gaining access to a document would not present problems for a determined hacker. "There are tools one can use to cryptanalyse messages in this way."

    Even if the flaw was fixed, in his view a more fundamental problem was Microsoft's use of RC4, licensed from RSA Security.

    "Why does Microsoft continue to use RC4 in this day and age? It has other security flaws that have been published in other papers," adding that "RC4 is a proprietary cipher and has not stood up well to peer review. They should just stop using RC4. It would be better to switch to a block cipher."

    When contacted, Microsoft was unable to commit to a timescale for correcting the flaw but issued the following statement by way of a spokesperson: "Microsoft is still investigating this report of a possible vulnerability in Microsoft Office. When that investigation is complete, we will take the appropriate actions to protect customers. This may include providing a security update through our monthly release process."

    Zimmermann, meanwhile, emphasised the need for responsible disclosure of such problems. "The best way is to quietly disclose the problem to the vendor and then allow the vendor 30 days to fix the problem. Then go public," he said.

    Phil Zimmermann is best-known as the creator of Pretty Good Privacy (PGP), a desktop encryption program that was powerful enough that the US authorities attempted to have its distribution stopped and Zimmermann imprisoned for writing it. The case was abandoned in 1996. PGP was bought out by Network Associates, though an independent company, PGP Corporation, has since been spun out to develop its core technology.

  8. GPG/PGP by digitalchinky · · Score: 4, Insightful

    You could always just dump their encryption and use PGP/GPG in its place.

  9. Bah.... by CastrTroy · · Score: 2, Funny

    Bah.... What does Bob Dylan know about encryption anyway. :)

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Bah.... by mbone · · Score: 2, Funny

      Obviously, a lot - ever try and decipher one of his songs ?

  10. I wonder when... by cerberusss · · Score: 5, Interesting

    I wonder when someone writes a script to google for Word documents, get the protected ones out and decrypt them. Ought to be a fun project.

    --
    8 of 13 people found this answer helpful. Did you?
    1. Re:I wonder when... by bvankuik · · Score: 2, Interesting
      attack is only valid when you have several different versions

      This raises an interesting question: what about versioned documents? They'd have to contain several large revisions, but this shouldn't be a problem when I think of the documents that some account managers create here.

  11. Good enough by Ec|ipse · · Score: 2, Informative

    Well, seeing as how the majority of the world is using their software, they probably think it's obviously good enough, otherwise it wouldn't be used.

    Total bull, but that's why they haven't changed anything in IE for so many years.

  12. Why it is "low priority" by Anonymous Coward · · Score: 5, Insightful

    MS considers it a low priority because there is no tool that currently is known to be available that can leverage the theoretical issues brought up in the paper. I agree with them. An issue is "high priority" when there is a tool that can be used by an end user now as an exploit. That is how you prioritize things in real life.

    1. Re:Why it is "low priority" by quigonn · · Score: 4, Insightful

      That is how you prioritize things in real life.

      This "there is no program to exploit it, so this security issue is not important"-type of attitude is extremely dangerous. The slogan is to act, not to react, especially with security issues. And Microsoft actually should have learned from their part of history...

      --
      A monkey is doing the real work for me.
    2. Re:Why it is "low priority" by ratboy666 · · Score: 2, Insightful

      Fascinating

      If I *had* a tool, I wouldn't be sharing it with you. Far too valuable. Generally, *you* wouldn't know if such a tool existed, because if knowledge of the tool leaked, MS *would* implement a fix, making future use problematic.

      If the tool doesn't exist, I may well collect encrypted documents in case the tool is available in future - but you did know the temporal risk of encryption, no?

      Anyway, in the "real life" of security, things work a bit differently. Almost anything at a "theoretical" level is assumed to be done. Because the black hats wouldn't tell you anyway.

      Ratboy.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
  13. Holography by kdark1701 · · Score: 3, Funny

    Am I the only one who saw "Zimmerman" and thought of the inventor of the Emergency Medical Hologram?

  14. Who uses word to protect anything? by Vellmont · · Score: 3, Insightful

    While Microsoft should probably fess up and fix the problem, is this really such a big deal? Who uses Microsoft Word encryption, and for what? It still sounds like you'd require multiple versions of the same document. That means either access to the data store itself where the document was being edited, or the user has passed around multiple versions to others.

    I guess what it comes down to is expectations of security. It should be obvious not to use Word to protect national secrets. Secret love letters to your mistress are still probably safe from your wife though (unless she happens to be a crypto expert). In that case it's probably easier to just use a keylogger, or install a trojan horse.

    --
    AccountKiller
  15. Encryption easily broken by Neo-Rio-101 · · Score: 4, Interesting

    I've toyed around with MS's "encryption" and all I can say is the following:-

    1) That password you give your administrator account on your system can be hacked off in under 5 minutes with the Emergency Boot CD (EBCD). So much for encryption.

    2) Files encrypted in Windows 2000 (the OS I tested them on) were still visible in their directories, despite their contents being encrypted. To me, this wasn't good enough. I wanted the whole filesystem to be encrypted, with plausible deniability that certain files (or even file systems) never even existed.
    To add injury to insult, I could easily become administrator with the EBCD and get the encryption key easily to break the encryption anyway.

    3) Built in Windows encryption isn't good enough, forcing you to get third party products to do the job right. This means that you pay through the nose if you haven't got the technical skill to set up a Linux or BSD box running free encryption modules and samba.

    But come on. If MS made a perfect operating system, they wouldn't have a business model selling updates. Instead of dropping support for old products, I'm almost expecting their next OS to have a use-by date embedded in their EULA and OS to FORCE you off their old system after so many years.... or else!

    --
    READY.
    PRINT ""+-0
    1. Re:Encryption easily broken by Vellmont · · Score: 4, Insightful


      1) That password you give your administrator account on your system can be hacked off in under 5 minutes with the Emergency Boot CD (EBCD). So much for encryption.

      That doesn't have anything to do with encryption. Anytime you have physical access to a computer all bets are off as far as security. You can do the exact same thing in linux, and most of the time you don't even need a CD. Just add a 1 to the kernel boot options and boot into single user mode. No password required, immediate root access. Sure, you can put a password on changing those bootloader options, but just slap in a linux emergency boot CD, and suddenly you have root access to all files.

      Linux encrypted filesystems I know almost nothing about, but I've also never seen a distribution that supports it out of the box. There's probably one out there, but it's not a mainstream Linux feature.

      --
      AccountKiller
    2. Re:Encryption easily broken by PowerKe · · Score: 2, Interesting

      1) That password you give your administrator account on your system can be hacked off in under 5 minutes with the Emergency Boot CD (EBCD). So much for encryption.

      Reading the linked site, it says that you can *change* any password, not decrypt it. You can do the same thing in unix/linux if you have physical access, I also don't see anything wrong with that. If the data is that important, you should guard the computer as well. In the other case it's handy if for some reason the administrator password is lost that you don't lose the system.

      2) Files encrypted in Windows 2000 (the OS I tested them on) were still visible in their directories, despite their contents being encrypted. To me, this wasn't good enough. I wanted the whole filesystem to be encrypted, with plausible deniability that certain files (or even file systems) never even existed. To add injury to insult, I could easily become administrator with the EBCD and get the encryption key easily to break the encryption anyway.

      That's where I think (hope) you're wrong. You can change the administrator password, but by doing that you'll render the private keys inaccessible. If you want to reset a user's password in Windows you get a warning that encrypted files will become unavailable, therefore you should use change password. This suggests that the private keys are encrypted using the user's password. When you change your password, these keys first have to be decrypted and encrypted again using your new password. Resetting the administrator password still doesn't give you access to the files in that case.

      To protect from losing your files if you forget the password you can create an emergency disk. This should allow you to gain access to the system in case the password is forgotten. I assume this disk would contain unencrypted private keys for this purpose (never used it, but it shows up on the password related functions). You also get a warning that you should put it in a safe place.

    3. Re:Encryption easily broken by AnonymousDot · · Score: 2, Informative
      • 3) Built in Windows encryption isn't good enough, forcing you to get third party products to do the job right. This means that you pay through the nose if you haven't got the technical skill to set up a Linux or BSD box running free encryption modules and samba.

      Have you had a look at this: TrueCrypt: Free open-source disk encryption for Windows XP/2000/2003

    4. Re:Encryption easily broken by Rich0 · · Score: 3, Informative

      Well, it isn't reversible encryption - they are hashed. However, the NTLM hash function is easy to brute-force.

      NTLM hashes should not be stored on any system where security is even remotely important, for this reason. The newer hash function is secure (assuming the password can't be guessed).

  16. Indeed: what respect? by FridayBob · · Score: 4, Insightful

    Their programmers might care, but M$ itself isn't interested in respect from the cryptographic community, because it's something that doesn't matter to their stockholders; it's too obscure for them to care about. M$ only responds to this kind of thing once the news gets out and the public begins to perceive it as a problem. Security through obscurity, remember? Basically, M$ are only in it for the money; a statement that explains their entire track record.

  17. Ha, ha! by 200_success · · Score: 4, Funny

    Dear security researchers,

    You can try to crack our encryption all you want. Microsoft Office(TM) documents are still the most secure format in the world, since you still won't be able to render them properly even if you manage to decrypt them.

    Sincerely,

    The Microsoft Corporation

  18. Users don't want strong MS Office encryption by gfecyk · · Score: 4, Insightful

    Least of all your US government. The NSA makes a bulletproof distribution of Linux, and other US government offices shun it in favour of Windows.

    Sun Microsystems released Star Office, and a bunch of open source wonks built OpenOffice, with better track records. Yet US government offices shun them in favour of Microsoft Office.

    I'm not sure why they do, especially an omniscient body like the US government who knows these things exist. It must be because they don't want to use them.

    And everyday users? Well, users could have taken e-mail content security into their own hands over a decade ago when PGP was out, or eight years ago when PGP for the Exchange client came out. But NO, they didn't want to use it. They could have used S/MIME which was slightly easier to use, but NO, they didn't want to use it.

    Users don't care enough to demand strong encryption in their applications. And Microsoft is in business to make money. They aren't going to waste time making a product that no one will buy. And YOU, slashdotters, aren't going to convince users to buy an alternative through fear, uncertainty and doubt.

    --
    Use Evolution instead of Outlook? Bewa
    1. Re:Users don't want strong MS Office encryption by Anonymous Coward · · Score: 3, Interesting
      At MS I was shown a powerpoint slide by the PM on my project from a "confidential" presentation he attended. The slide, as best I can remember it, went something like this:


      Why doesn't Microsoft Have Good Security?

      • good security is hard
      • hard things are expensive
      • users don't understand security
      • users don't want to pay for good security
      • Microsoft doesn't do expensive things for
        people who don't want or understand them

      I swear I'm not making this up.
    2. Re:Users don't want strong MS Office encryption by slittle · · Score: 2, Insightful

      Why no PGP in Microsoft mail clients? There's no money in it.

      Microsoft mail clients support SSL certificates though. SSL certificates cost you money. SSL certificate authorities provide kickbacks to Microsoft to include their CA key in MS products.

      One more reason I hope Firefox/Thunderbird takes the world by storm: whoever controls the client controls which CAs are distributed with it. Oh, Verisign, you're being cunts again. Say goodbye to your CA key. Firefox/Thunderbird/Mozilla will also be able to fund themselves by operating their own (cheaper, less arseholeish) CA.

      --
      Opportunity knocks. Karma hunts you down.
  19. You're asking too much of MS by Weaselmancer · · Score: 3, Interesting

    Y'know, asking MS to fix an obscure bug in their encryption that took a dedicated researcher to find is pretty much pointless. Remember - these are the same guys that are having a hard time poking through their code and replacing all the strcpy() calls with strncpy().

    Asking these guys to address this is like asking someone to turn off the faucet in a burning building.

    --
    Weaselmancer
    ridiculous.
    1. Re:You're asking too much of MS by spectecjr · · Score: 2, Informative

      If they're only replacing strcpy with strncpy, they're not actually fixing the problem.

      They didn't. The original poster was lying.

      Instead, they completely rewrote the C library functions in much safer versions, sidestepping that problem entirely.

      MS is well aware of the problems with strncpy. Read their blogs some time.

      the Microsoft StrSafe library

      --
      Coming soon - pyrogyra
  20. What's left to say? by HarveyBirdman · · Score: 3, Insightful
    I didn't see much coverage of the RC4 flaw in Microsoft Office that was uncovered recently...

    Maybe everyone is just burned out and tired of the topic. We all know that the state of PCs in the world today is a vast, pathetic farce of biblical proportions thanks to MS. What's left to say about it? Windows is a shitpile, but people keep gobbling it up. Just like they gobble up all the other sludge in our culture. Nothing unusual to be seen here. Move along.

    --
    --- Ban humanity.
  21. Could this have been ON PURPOSE? by DickBreath · · Score: 3, Informative

    I see all the posts about how Microsoft encryption is a joke, etc.

    Could it be that the poor encryption security was actually on purpose?

    After all, they were using RC4. It should be secure right? (sarcasm) Isn't the problem simply that they re-used a key stream, or something like that? Something that is a basic design "blunder", but could really have been done on purpose. This might make it easy for certain parties to crack, but it might still seem secure. All of the code is properly implemented. The RC4 algorithm is properly implemented, gives correct outputs for known inputs, etc. The flaw is in how the algorithm is improperly used. Something that could be missed by anyone disassembling the code.

    I'll leave it for someone else to reply here and speculate on the reasons that such a "blunder" might actually be deliberate. (I've got a malfunction in one of the antennas of my tin foil hat. I use the dual-antenna design of tin foil hats.)

    --

    I'll see your senator, and I'll raise you two judges.
  22. Re:Next Microsoft Crypto Method? by Laurentiu · · Score: 2, Informative
    --
    Just /. IT
  23. Zimmermann bashes RC4, not just Microsoft by xxxJonBoyxxx · · Score: 2, Interesting

    In the article, Zimmermann bashes RC4, not just Microsoft. I think he's probably right. Why not use open-standard AES instead of RC4? (Or if you still have RSA on the brain, why not RC6, the RSA algorithm which was a runner-up in the Federal AES competition.)

  24. When you own the playing field by nurb432 · · Score: 2, Insightful

    Why care if the ball is leaking air?

    --
    ---- Booth was a patriot ----
  25. Re:Do they care? by dioscaido · · Score: 4, Interesting

    Uhm... yes, they REALLY care. I can tell you that being on the inside. Every project was halted and all employees took secure coding technique seminars. Right now security is a top priority for all MS products. We are now forced to undertake arduous Threat Modeling of our applications, and undergo repeated security checkpoints along the way. Once things are 'ready to ship' they first need to go through a dedicated security group that audits the source and the threat models and either turns away the software or allows its release. So anyway, yeah, there's a hell of a lot of work around here when it comes to security. And it's very noticeable if you see the software coming out of here post-2003.

    As to whether they 'care' about this encryption thing. They are obviously looking into it. But the fact is Office is run by millions of people, so they can't just overhaul the encryption system and release a hotfix without breaking lots of stuff. So these things take time. I do hope they change their methods, though.

  26. It's a big, stupid, ugly bug by big-magic · · Score: 3, Insightful

    There is a lot of speculation here that Microsoft put in this encryption bug on purpose. That's giving them too much credit on this one. I just read the paper about the weakness. They are essentially reusing the same keystream more than once. That's an amateur level bug that is discussed in any crypto book that talks about stream ciphers. Look in the book Applied Cryptography by Bruce Schneier in the section on cryptographic modes. He talks about this directly. This is not a minor threat. It's a gaping hole since a simple XOR of two versions of the document gives you a lot of information.

    The bigger question is why Microsoft used a stream cipher for this. As Zimmermann mentions, they are more difficult to use correctly. Although some weaknesses in RC4 have been found, it is still possible to use it in a strong manner. You just have to be careful. It would have been better to use a good block cipher (AES, Triple DES, Blowfish, etc) and a simple mode like CBC. It's easy to code and still plenty strong if you reuse the same initialization vector. Even better would have been a newer mode like CCM.
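
    The keystream-reuse problem described in comments 21 and 26, shown as an added example that is not part of the thread and not Microsoft's code: a plain RC4 implementation, two constructed "versions" of a document encrypted under the same key, and the XOR of the ciphertexts cancelling the keystream, next to the defensive form where each saved version gets a fresh salt (the key name, document text and salts are constructed for illustration).

```python
import hashlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) then n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


# Constructed sample: the same document saved twice under the same key,
# which is the "same keystream more than once" mistake from the thread.
MASTER_KEY = b"constructed-document-key"
VERSION_1 = b"Draft 1: the merger closes on 12 March at 40 USD per share."
VERSION_2 = b"Draft 2: the merger closes on 19 March at 45 USD per share."


def recover_other_version(c1: bytes, c2: bytes, known_plaintext: bytes) -> bytes:
    """c1 XOR c2 == p1 XOR p2 because the shared keystream cancels out;
    whoever knows (or can guess) one version reads the other."""
    return xor_bytes(xor_bytes(c1, c2), known_plaintext)


def per_version_key(master_key: bytes, salt: bytes) -> bytes:
    """Defensive form: derive a distinct key (hence keystream) for every save
    from the master key and a fresh random salt stored beside the ciphertext."""
    return hashlib.sha256(master_key + salt).digest()


def encrypt_version(master_key: bytes, salt: bytes, plaintext: bytes) -> bytes:
    return rc4_encrypt(per_version_key(master_key, salt), plaintext)
```

    With a fixed salt per save the XOR of two ciphertexts no longer equals the XOR of the plaintexts, which is the property the thread's "simple XOR" attack relies on.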

  27. Schneier on RC4 Flaw by Pan+T.+Hose · · Score: 2, Informative

    If you want to read about more technical details and social implications of the RC4 flaw, I highly recommend starting from Bruce Schneier on Security: Microsoft RC4 Flaw (January 18, 2005). There are a lot of informative links and interesting comments there.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  28. Physical access should not be sufficient! by cabraverde · · Score: 2, Insightful

    Anytime you have physical access to a computer all bets are off as far as security.

    That's simply not true in this case. Preventing access to data when physical security is breached is the primary reason for encrypted filesystems. The thief who has unrestricted "physical access" to your work laptop should not be able to crack into an encrypted filesystem, Emergency Boot CD or no.

    If the encryption key is sitting there on the hard drive, protected only by user-based access control (as the grandparent post seems to imply) then the whole setup is horrendously broken. Such a stupid system is equally possible on Linux or Windows of course.

    For encrypted filesystems to be meaningful, the encryption key needs to be protected by a decent password that's not stored anywhere on the disk (duh). Sure, it's a PITA to enter each time you boot your computer, but otherwise you might as well not bother.

  29. Linux encryptions by tetromino · · Score: 2, Informative

    1) That password you give your administrator account on your system can be hacked off in under 5 minutes with the Emergency Boot CD (EBCD). So much for encryption.

    That doesn't have anything to do with encryption. Anytime you have physical access to a computer all bets are off as far as security.
    The grandparent was saying that in Windows, it is easy to recover the Administrator's password. This is bad because you can log in without a recovery CD, and the Administrator won't notice (his password will still be the same). In Linux, obtaining the root password is not so easy by default (because shadow uses a DES+salt hash by default) and nearly impossible if you set it up properly (if you use an MD5 hash, which is the default for SuSE - don't know about other distros).

    Linux encrypted filesystems I know almost nothing about, but I've also never seen a distribution that supports it out of the box.

    As far as I am aware, every modern Linux distro supports encrypted filesystems out of the box (filesystems, not files - so the enemy can't even see your directory structure). Google for cryptoloop, and try it on your box... I personally use it for encrypting my swap partition.

  30. Just to play devil's advocate by serutan · · Score: 2, Insightful

    I understand the reasons why everybody wants their computers secure, and that there's a lot at stake. But consider the security standards we accept in other aspects of our lives. If you have a 2-foot strip of metal with a notch in it you can open just about any car lock out there, and a crowbar can physically rip the lockset assembly right out of most people's front doors. Anybody who really wants to can get inside your house in seconds without undue commotion. All it really takes is brazenness, and maybe a hedge screening your front porch from view.

    If we held car makers and home builders accountable for security flaws, our houses and cars would look a lot different, and they would STILL get broken into. I wouldn't want armed guards patrolling my neighborhood, or to go through an airport-like screening at the corner, any more than I would want to live the RIAA's wet dream of requesting authorization to display any video, sound or image with my own computer.

    I wonder if the pursuit of total data security is a phantom, and we just have to accept a certain amount of risk and deal with it the best we can, possibly by not putting as much trust in our machines and networks as we would like to.