Microsoft Drops Aging Encryption Schemes

christchurch wrote to mention an Eweek column about Microsoft's decision to stop using DES, MD4, and MD5 for encryption in Vista. From the article: "All three algorithms show signs of 'extreme weakness' and have been banned, Howard said. Microsoft is recommending using the Secure Hash Algorithm (SHA)256 encryption algorithm and AES (Advanced Encryption Standard) cipher instead, he said. The change is part of a semi-yearly update to Microsoft's Secure Development Lifecycle policies by engineers within Microsoft's Security Business & Technology Unit."

ROT13

Presumably they haven't banned ROT13 then.

Re:ROT13

They havent banned Double ROT13 either and it is twice as secure!!! So Double Double ROT13 should be 4 times as secure, so on and so one...

Re:ROT13

[wertarbyte]

Funny enough, IIRC Outlook Express is still not able to encrypt messages with ROT13. It just has the ability to decode them.

Re:ROT13

It wasn't banned for XP. Check out HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Explorer\UserAssist to see for yourself.

Re:ROT13

[VJ42]

ab, gurl unia'g ;p

Re:ROT13

v pregnvayl ubcr abg!

Re:ROT13

[dpilot]

Is there anything off-the-shelf to do rot13 in Firefox?

Re:ROT13

[illuvata]

http://leetkey.mozdev.org/

Re:ROT13

[Council]

Check out HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Explorer\UserAssist to see for yourself.

Interesting indeed.

(note: go into the subdirectories -- for me, the second one has TONS of stuff rot13'ed)

Re:ROT13

[woah]

v pregnvayl ubcr abg!

er... pregnant uber bag?

Makes sense!

Re:ROT13

[metzara]

This is the User Assist history. If you rerotate, you should find that its a complete history of programs and in some cases shortcuts that the user has run.

Re:ROT13

[a.d.trick]

Come on, we all know that we should be using at least 2ROT13[warning:pdf] by now.

Re:ROT13

[pssldt]

This message has been double-ROT13-encrypted for your protection....

Re:ROT13

[silverkniveshotmail.]

Wouldn't it be fairly easy to set up a program that would grab a part of the "encrypted" text and basically brute force it until 'real' words were found?

is MD4/5 really encryption ?

i thought they where just one way hashing algos

Re:is MD4/5 really encryption ?

Yeah, they're rather used to digitally sign files.

Re:is MD4/5 really encryption ?

[iamplasma]

Well, it is true that they're hashes, not encryption methods but they can be used in a quasi-encryption manner. In particular, when it comes to hashing passwords to store an "encrypted" password, it is to a large extent the same as trying to break a known encrypted document where the key is the password. In fact, that's exactly how older unices store passwords, DES encrypting a blank document with the password as a key. So while it's true that MD5 isn't an encryption method, for the purposes of password authentication is it practically identical.

Re:is MD4/5 really encryption ?

Not completely correct. You sign a document by hashing it and then encrypting the hash with your secret key. So everyone else can check that you signed it by decrypting the hash, hashing the document themselves and comparing the two hashes.

Re:is MD4/5 really encryption ?

Actually, MD5 can be (ab)used to act as a stream ciper. Roughly, MD5 can generate a pseudo-random stream of bits, by running it in a feedback loop primed with a secret key. This stream is then XORed with the data to provide encryption. The receoved uses the same feedback loop with the same key to XOR the ciphertext with the stream to recover the plaintext.

Cisco TACACS+ is an example where MD5 encrypts a session.

Re:is MD4/5 really encryption ?

[JFitzsimmons]

That doesn't sound right to me. The whole point of keypair encryption is that anyone with the public key can encrypt, but only the people with the private key can decrypt.

Re:is MD4/5 really encryption ?

[MoogMan]

No. no. no. Encryption is reversible. Hashing is not. These are definitions, please stick to them. Encryption != Hashing. Once again, for brevity (as lots of people get this wrong): Hashing is NOT Encryption.

There is some correctness in your comment, however: Authentication. Hashing is indeed for Authentication (Is someone who they say they are?). Encryption is for keeping data confidential (I only want foo and bar to be able to read this). Please do not mix these up!

Re:is MD4/5 really encryption ?

MD5 is used in VeriSign, I think, for adding the digital signature to your software so you know it is "secure"

Re:is MD4/5 really encryption ?

" That doesn't sound right to me. The whole point of keypair encryption is that anyone with the public key can encrypt, but only the people with the private key can decrypt."

Not quite.

Whilst it is true that any data encrypted with a public key can be decrypted only with a private key, the converse is also true. Any data encrypted with a private key can be decrypted only with the public key. This means that whoever encrypted it must have had access to the private key and thus it gives confidence in where it originated.

It does not provide any confidentiality - but it's not supposed to, it is supposed to provide Integrity and message origin authentication.

This is the corner stone of digital signatures.

Re:is MD4/5 really encryption ?

[dermond]

you can use a hash algorithem as 2 way encryption:
produce a bit stream from:

k0=key
k(n)=hash(k(n-1))
and xor your plaintext with the stream of k(1),k(2),...
or something similar, including the plaintext or the cyphertext of the last step in the next step. this is not a good encryption if the hash algorithem is not specially designed for that purpose..

Re:is MD4/5 really encryption ?

[D-Cypell]

"That doesn't sound right to me. The whole point of keypair encryption is that anyone with the public key can encrypt, but only the people with the private key can decrypt."

This is correct if your goal is to maintain security of the contents of the data.

If you are signing then the grandparent is entirely correct. If I generate a hash of the data and encrypt it using my private key, others can use my public key to unencrypt the hash and verify the contents of the data. Since only me (or my organisation/group) have access to the private key, it is possible for 'the public' to use my public key to verify that it was indeed me who 'signed' the hash.

Essentially, public key cryptography works both ways depending on what your goals are.

Re:is MD4/5 really encryption ?

[david_scholefield]

Surely using an MD5 hash as a 'one-time pad' for encryption isn't very wise? The whole point of one-time pad encryption is that the 'pad' is truely random (the advice is to use a truely random bit stream from a hardware device)? Also, for this kind of encryption to be very secure, the pad has to be at least as long as the plaintext because repitition allows for easier anlysis.

Re:is MD4/5 really encryption ?

[hhghghghh]

It's no different from any other non-one-time-pad stream cipher. Yes, the randomness is limited, it's limited to the initial secret's entropy and MD5's cutoff (128 bits), which isn't that bad.

AES also isn't a one time pad, but there is a mode for it, pretty similar to the one described by the grandparent poster, where you feed it a key, and you keep reencrypting the previous result against it to get another block of bits; the intermediate results you use for XORring against your plaintext. This is referred to as using another "mode" of AES, stream mode. (there's also counter mode and OFB etc., but I'm a bit rusty, so I'll shut up now. pick up applied cryptography by bruce schneier as an introduction)

Re:is MD4/5 really encryption ?

[cpeikert]

Any data encrypted with a private key can be decrypted only with the public key.

This isn't true, and doesn't even make any sense.

Yes, for the particular plain-vanilla RSA scheme, the private key and public key are more-or-less "interchangeable."

For other public-key encryption schemes (e.g., ElGamal or Cramer-Shoup or Rabin or ...), the keys are not interchangeable; they're completely different mathematical objects. You can't decrypt anything with the public key. You can't encrypt anything with the private key.

Further, plain-vanilla RSA is not, and should not be used for encryption or authentication. Extra padding, hashing, and other operations are needed to make it secure against realistic attacks. Therefore, public and private keys are not interchangeable for any kind of real-world crypto based on RSA.

Re:is MD4/5 really encryption ?

[armb]

It would be better worded as "anything that has a valid decryption with a public key must have been encrypted with the private key", but it's true of PKCS#1 RSA, not just plain-vanilla X.509.

(He didn't claim they were interchangable. Though if you use a random RSA "public" exponent, you can generate a key pair and then decide which half to publish. In practice no-one does that of course.)

Re:is MD4/5 really encryption ?

This is really true mostly in the case of RSA and RSA-like public key systems. In fact I'm not certain all asymmetrical systems work this way (I'm thinking of DSA/DSS) but I don't remember.

This is not the case for the symmetrical (and in most cases hashes) that microsoft claims to no longer be using.

How'd this discussion get onto public-key anyway? Most public key systems are valid because they started with key sizes that are much larger and you can't brute force those (you could brute force primes, but that takes more time than n=n+1)... so a 512 bit rsa key hasn't had as much scrutiny as a 56 bit des key... these are being phased out because of their size, not a necessary defect. Of course this isn't true for the hash algorithms.

More to the point, this doesn't do a thing for making sure Microsoft correctly implements any of these. RC4 is a great stream cipher... if you use it right. But more people find a way to misuse it than you'd believe. That's a more important security concern.

Re:is MD4/5 really encryption ?

[jafac]

I don't understand.

When you configure a Cryptographic Provider for a Certificate Server, you're asked to specify your choice of hashing algorithm (MD2, MD4, MD5, SHA-1). What's that for?

Re:is MD4/5 really encryption ?

That doesn't sound right to me. The whole point of keypair encryption is that anyone with the public key can encrypt, but only the people with the private key can decrypt.

Not quite.

Whilst it is true that any data encrypted with a public key can be decrypted only with a private key, the converse is also true. Any data encrypted with a private key can be decrypted only with the public key. This means that whoever encrypted it must have had access to the private key and thus it gives confidence in where it originated.

Not quite.

Just because a crypto system has 2 keys (a public and a private) doesn't mean that the private key can do encryption (which is what we call authentication). RSA is capable of authentication, but Diffie-Hellman is not.

Diffie Helman can only be used to encrypt using the public key. You cannot encrypt using the private key. Technically you don't encrypt with Diffie Hellman, you only exchange session keys.

Re:is MD4/5 really encryption ?

[cpeikert]

All I'm saying is that the phrase "encrypted with the private key" is, in general, nonsensical. Ditto for "decrypted with the public key."

For particular schemes, the keys might be interchangeable. But the original poster asserted this about public-key crypto in general, which is a widely-held misconception that ought to be fixed.

Also, even with RSA you don't get authenticity by simply raising the message to the private key; there are easy forgery attacks for that. So it's not accurate to say that RSA signatures are simply "encrypting the message with the private key."

Re:is MD4/5 really encryption ?

[42forty-two42]

While this is true for RSA, it does not hold for all split key encryption systems - eg, DSA or ElGamal.

Re:is MD4/5 really encryption ?

[owlstead]

That's about signing things really. Certificates are signed by computing a hash over the certificate. This hash is then encrypted with the private key of the signer, which results in the signature in the certificate.

The receiving party can validate the certificate by hashing the certificate just like the sending party did. If the receiving party then decrypts the signature with the public key he gets the hash as calculated by the sender. He can now validate the certificate by binary comparing the hashes.

The reason why the hash is used here is that it is very time-consuming to encrypt the whole certificate.

Re:is MD4/5 really encryption ?

[owlstead]

You could use hashing for encryption. Just create a starting value which you call the key. Then hash this key. Hash the hash of the key. Hash the hash of the hash of the key. Concatenate all the hashes and xor with the data you wish to encrypt. You have now invented the slowest stream cipher in history. Enjoy :).

Re:is MD4/5 really encryption ?

[owlstead]

The parent had things completely right for RSA. You are trying to put things out of context.

You would not use RSA & private key encryption for message authenticity. But that's something different.

Besides that, almost any cryptographic algorithm depends on a specific scheme or protocol (padding/hashing etc) to protect against crypto-analyses. Nowhere is said that the parent of your post was refering to "plain-vanilla" RSA either. That's like saying that if you talk about AES, you are being foolish, since you have to use CBC instead of ECB to be secure. Yeah, well, duh!

Re:is MD4/5 really encryption ?

[jafac]

So - then it doesn't matter if the hash algorithm is breakable? Since the hash gets encrypted? Or can the "broken" hash be used as a shortcut to attack the encryption?

Re:is MD4/5 really encryption ?

No. no. no. Encryption is reversible. Hashing is not. These are definitions, please stick to them.

I suppose you only speak one language? Have you got any idea what encryption actually means? It's not like it's a word that's used just for computer purposes.

Re:is MD4/5 really encryption ?

[owlstead]

Currently signatures that are placed by a trusted party are quite safe. What can be done with MD5 is generating two messages with more or less any data. You can extend those messages and generate the same hash over both messages. Now you could sign both hashes, and you can e.g. replace one piece of code by another. It's pretty easy to make code do something completely different, even though you have the same hash. So MD5 should not be used for code signing.

I created a small shell script and a script like it with the same hash. They did both something different, but unfortunately the hacked script didn't run because of a bad character at the end of the script (still, running and not running with the same MD5 hash is already something.

Teamwork

[Ruie]

The change is part of a semi-yearly update to Microsoft's Secure Development Lifecycle policies by engineers within Microsoft's Security Business & Technology Unit

As opposed to the quarterly update by managers ?

one down, one to go

[cryptoz]

Even if Vista and related products use higher encryption, Windows' obsessive temp file creation, along with swap files, seems to minimize the effect that using encryption has, right?

I mean, sure, it'll be much harder to brute force any MS encryption now, but did people do it that way before? Weren't there always other workarounds that will still be present?

Re:one down, one to go

[KiloByte]

This change has nothing to do with security.
It's all about buzzword-compliancy. It's managers who decide on a company's spending; the managers read overhyped news about "SHA1 getting broken" while the only thing the recent papers provided was a very expensive method to brute-force a hash collision -- [b]any[/b] collision, not a message that matches a given hash. In the managers' minds, those encryption algorithms are worthless now -- and it's a very well-known fact that managers never accept being corrected by those who know better.

This policy is just like getting a million dollar certified oxygen tank and then securing it with a clothesline peg. Who cares that the end result is flaky, if you can claim that you used the best tank available!?

Re:one down, one to go

[amodm]

Add to it the fact that they didn't use to clear off the clear text passwd (as entered by user) from the memory.

As a result of this, people could easily do a memory scan of lsass.exe to get the passwds of last few users who had logged on.

See http://www.cr0.net:8040/misc/cachedump.html

Re:one down, one to go

[sqlrob]

It's been done. A story on /. a month or two ago.

Re:one down, one to go

[RealityMogul]

I wonder if they're still going to support the LANMAN hashes in Vista. Nothing is quite as smart as storing the easily cracked hash right next to the more secure one.

Re:one down, one to go

I remember that one. The data they "predicted" was found in analytical ways, meaning "predicted" was not really a good word to use. Plus the mass amount of data they had to shove onto the end was crazy. Wake me when they can attach executable code to any section of a program.

Re:one down, one to go

[amodm]

While I agree with your "securing a million dollar tank with a clothesline peg" statement, the actual discard of the older algos might make a lot of sense from a decision making perspective.

This is going to be a major (debatable) release for Microsoft after a long long time. Typically the time gap between major releases is huge for microsoft. In this time gap, all kinds of new attacks against crypto algos are discovered (http://it.slashdot.org/article.pl?sid=05/08/18/22 47245&tid=93&tid=172).

If they don't drop the old algos, they are basically promising support for them for that major gap of time, in which it can become quite vulnerable. By choosing the latest (plus highly verified world over) algos, they are at least trying to be in a safe position (which of course can be compromised by other ways, but thats not the point i'm making here).

From a management perspective, it makes good sense to discard the old algos.

Re:one down, one to go

[jmulvey]

Forgive me if the original link has the answer to this (I tried to visit it, but must be overloaded).

But if you can attach a memory debugger to the lsass.exe file, then you've already got very high-level privileges on the box. I fail to see how this is relevant from a practical security perspective.

Anytime a user is entering their password into a form field, that information is going to be stored in memory somewhere.

Re:one down, one to go

[DenDave]

Indeed, but what is interesting is that this may cause some challenges to *nix-windows interoperability. Many installed linux servers will have been using the "older" encryption bases for domain logons and samba shares. These are not unovercomeable but may prove to be challenging on the implementation side.

Re:one down, one to go

[ComputerizedYoga]

your "weakest link" argument makes an interesting point ...

however, I'd like to point out two things:

(1) Attacks get better. The Sha-1 attacks are improving. They're at least 64 times faster now than the initial publication, which is itself about 2000 times better than a brute force attack. This is drawing near the range of computability now. Sure, not like WEP or LanMan computability, but it's still broken.

(2) Which is better? Continuing to support and enforce weak, fragile, or downright broken standards? Or moving to stronger, standardized algorithms? Even if other parts of the chain may still weak, that doesn't mean that working on strengthening the chain is a waste of time, and the view you're suggesting is saying that they shouldn't bother trying to fix it at all, just let it break.

Further along the same line, isn't it better to prepare for the future, when the warning signs are all there pointing at practical exploits for algorithms we're using now, maybe as soon as 5 years from now? Especially given that Microsoft's policies on product lifecycle promise at least 5 years of support on whatever platform they're looking at.

Who knows what Vista will bring to the security table? But if it's the same sort of improvement over XP-SP2 that SP2 was over a fresh install, I'll be more than glad to see it. And it sounds like they're learning the crypto lessons that they were ignoring before, which is really the key to that.

Re:one down, one to go

From my understanding MD5 works by taking a chunk of the input and passing it through a function and then works it's way up or down the input. If this is so if you can append the right block to the end of a file you can engineer it so it has the same hash as any other file.

At the moment I think it's fairly trivial (but no code has been unpublished?) for a fast machine (I think the paper said they used a 2Ghz P4 based laptop in less than a few hours) to generate two texts that hash to the same value, but I don't think they've accomplished what the parent is getting at yet. It's safe to say it's very feasible though.

Also for some purposes like message authentication (which requires a secret key) I believe MD5 is still very useable.

Re:one down, one to go

[halr9000]

To address the temp and swap file issues, you can use tools to wipe them on a regular basis. This website has a lot of useful information about that.

Also you might want to try TrueCrypt. You could use that to encrypt your entire temp drive. I am not sure, but I don't believe it will let you encrypt the swap file itself.

Re:one down, one to go

This is Microsoft's (vain) attempt at showing the world that they care about computer security. Unfortunately the majority of the computer geeks know better than this.

Re:one down, one to go

[sqlrob]

They published 2 files, both with the same hash, both postscript files that printed to 2 entirely different things. If you signed the hash, you signed both the documents.

Re:one down, one to go

[Threni]

> You could use that to encrypt your entire temp drive

If it's an NTFS drive isn't it encrypted already? And if the encryption system currently employed is lame, couldn't they simply use one which wasn't?

Re:one down, one to go

[cpeikert]

As far as I am aware, predicting a md5 collision has not been done.

I don't know what you mean by "predicting," but yes, concrete MD5 collisions exist. I.e., two files, with different contents, that have the same MD5 hash (and the same size, to boot). They are printed in the paper that first announced the MD5 break. Further work has shown that additional collisions can be generated at will in minutes on a common laptop computer.

Re:one down, one to go

[Fahrenheit+450]

I was going to mod you Overrated, but I decided to post instead.

This is not about buzzword compliance. The three algorithms that they are banning should have been done away with years ago. DES has been fairly easily crackable via burute force for nearly a decade now, and MD4 has had issues for just about as long. And now that collisions can be found for MD4 essentially by hand, it shouldn't be used for anything of any importance.

Hell, even NIST is recommending that people start figuring out ways to phase out their use of SHA-1, which is still practically secure, but starting to show cracks. And if there ever was an orginization free of buzzwords, it's NIST (I dare you to read some of their FIPS documents without passing out).

This is a good move that nedeed to be done. It's a step in the right direction -- now they need to get on with shoring up the other holes in their codebase.

Re:one down, one to go

[amodm]

You are absolutely correct. But in the history of windows, actually it has been rather easy to elevate the priveleges (Ever came across LSA in list of exploits for windows ?)

In this particular case, it was a dll injection mechanism AFAIK.

Re:one down, one to go

[toddbu]

Wake me when they can attach executable code to any section of a program.

That's kind of been our theory on this. Just because you can come up with something that matches doesn't necessarily mean that it even will look like the object that it's meant to replace. For example, I want to replace an RPM in a Linux distro with a rogue component yet still match the MD5 hash. Since I'm going to have to replace the rest of the RPMs with something that create the same hash, am I still going to have a functioning Linux distro when I'm done? Or perhaps I'll attempt to pad the data, but then will the new file size not make it obvious that the data has been tampered with?

Re:one down, one to go

[jonadab]

All else being equal, newer algorithms aren't inherently safer than older ones and won't necessarily take longer to become obsolete. Schneier goes so far as to say that new crypto algoritms should not be trusted until they've stood the test of time for a while.

Of course, there are older algoriths, and then there are older algorithms with known flaws (of varying degrees of severity), so the above is just a general observation.

The issue of key size is different; the same algorithm with a larger key will generally be more durable over time, so moving to the largest key size that's practical with current hardware would be a Good Thing; if a vulnerability in the algorithm is subsequently discovered, the larger key size doesn't really *solve* that problem, but it can help to reduce the impact.

Re:one down, one to go

[Eivind]

Did everyone really think you could find a unique 32 character string for every possible combination and size of data out there?

No. Infact, I sincerely hope that noone believed that. That is clearly mathemathically impossible.

Consider a smaller, but otherwise identical, problem:

Find a unique 2-digit identifier for each person in a 300 person group.

When you think about it, that's obviously not possible since there's only 100 different 2-digit identifiers, and 100 different identifiers for 300 people mean that different people *have* to have the same id.

Secure hashes are still possible though, (or atleast we have no proof or indication that they're not), but the definition of "secure" doesn't include "has no collisions", only "collisions are hard to find". In an ideal hash, there's no simpler way of finding colisions than simply hashing random strings until you by chanse find two that have the same hash.

If the hash is 64-bit, this will happen at the latest when you've hashed 2**64+1 strings, and at average when you've hashed around the square root of that.

When we say a hash is "broken" we mean that someone has found a way of generating two different files with the same hash with a complexity lower than that.

affects hardware upgrade cycles?

[qwertphobia]

Great... yet another reason to upgrade hardware when planning for a Vista install.

Gotta add more cycles to the those brute-force attack teams!

Automated checking

[LiquidCoooled]

Developers who use one of the banned cryptographic functions in new code will have it flagged by automated code scanning tools and will be asked to update the function to something more secure, Howard said.

C:\ > make windows.vista
ERROR: Insecure code found.
Please upgrade code to Linux.

Re:Automated checking

[kid_oliva]

Yes, yes , your funny. I like Linux too. One of the reason's there is not as many security issues is that every script kiddie and mal-hacker is not out there trying to break Linux. Imagine how many security holes could be closed if half the people that always try to break Windows platforms focused on Linux. We would have an even more secure platform that the industry would have a hard time competeing with.

Keep the flames away. The point I am bringing out is that the Windows platforms have become more secure because of the continued scrutiny. Gates may put out a flawed product, but then everybody helps him fix it ; )

Re:Automated checking

[LiquidCoooled]

I agree totally, many grey/black hats are exploring MS code for holes to exploit, and when identified they either start to be exploited, or they go into a closed backroom session to try and fix them privately (makes sense really). The only trouble with this is the time it takes to actually produce a fix. I think its improving, and MS appears to be "getting it" a lot more recently.

Open Source does not magically solve every problem, but where it shines above closed systems is when a hole is identified, it can be looked on and picked over and solved much quicker than a closed source product.
However, I personally think Firefox has this wrong at present, whereby identified bug discussions can be censored. It could lead to a backlash of sorts if the fixes are buried for a long time.

Re:Automated checking

[jmulvey]

I totally agree. Compare Microsoft's reaction to security problems with what has happened in the *nix world with NFS and NIS.

NIS is the biggest, steamiest pile of insecurity ever conceived... and NFS is built right on top of it. But nobody every screams and yells on slashdot about how insecure it is... I guess because it was developed by people who didn't work for the "evil empire".

Re:Automated checking

[tchernobog]

After not being able to see source code, more strict DRM management, and monitoring of incoming/outgoing connections, yet another freedom that goes away: the one to code wtf-ing algo you want (oh, sorry: I forgot software patents, of course).

Instead of investing in informing developers that those algorithms aren't really secure, and letting university CS courses around the world to do their job, Microsoft just forbids you to use them.

Btw, how can you write an application that has to retain compatibility with old formats, for example, if it used these functions?

(Probably the output will be a warning, not actually a fatal error, but who knows with MS? "banned" sounds like a strong word to me.)

Re:Automated checking

NFS does not require NIS.

Re:Automated checking

[dmh20002]

uh, they are talking about what they do in their own code, in Microsoft products. You are free to use whatever algorithms you want in your own stuff.

Allowed by US Gov?

[guruevi]

Is that even allowed by US Gov. to export that to other countries? I thought that there was a limit of encryption and everything above ...bits was banned from exporting (remembering 56-bits encryption Windows NT).

Re:Allowed by US Gov?

[Xiph]

well, if the people writing the encryption are in china, they're not exporting it but importing it.
which is yet another reason to offshore if you're multinational.

so imposing an export ban on software is kinda hard. seeing as it's hard to determine where it originates, without accessing the machines it was made on, - even that can be faked.

Re:Allowed by US Gov?

Unfortunately it's not that simple. The way the US government sees it, if you do business in the US, you're covered by their laws; and so if your company does business in the US, and also sells encryption software to Cuba or Iran, you can bet your life your US office will be prosecuted, whether your HQ is in Brazil or Belize.

Re:Allowed by US Gov?

[Mz6]

It's called Export Control. Usually it falls under products that are developed by Government Contracting companies that sell their products to the Government. For example, if Lockheed Martin develops a new propulsion technology for rockets and sells it to the US Government, it would be Export Controlled and Lockheed would not be allowed to sell or even share details about that technology to customers/vendors outside of the US. Doing so, is an export violation and subject to fines and penalties under US Law.

Re:Allowed by US Gov?

[Antique+Geekmeister]

It's more complex than that. There used to be a regulation in the US Customs department that forbade exporting encryption tools, classifying them as a "munition" or material of war. The result was that OS vendors would put the encryption tools on a separate tape or CD, to be shipped only if you swore on a stack of Constitutions that you were allowed to receive it. For years, the only way to be sure of getting your copy of PGP source code was to download it from Finland, which had no such silly laws.

This got fought in court for years, and was eventually ruled unconstitutional, so the regulation was immediately transferred to the Commerce department, where it is fighting its way through the courts !!!again!!!. In the meantime, the departments involved have relented enough to permit big corporate campaign contributors, like Microsoft and the other OS vendors, to include basic encryption capabilities.

But the US government still would strongly prefer that all such tools have some form of backdoor. That's why they developed the Clipper chip for use in cell phones, which was dropped when it turned out to work well but could be reprogrammed with a genuinely private key with a bit of work, and why the "Trusted Computing" initiative by Microsoft and their peers keeps the master encryption keys in the hands of "authorized distributors", mostly Microsoft. This means you can't use the Trusted Computing chips without someone signing off on your keys because the system won't accept unsigned keys, and that means handing over money to buy a key and identifying yourself so that law enforcement can find you if your key turns up anywhere they don't like it. It also gives a convenient central location to serve with a subpoena to get your keys, without your ever being notified of the subpoena.

Various computer companies are willing to accept the centralized key and subpoena burdens in order to actually get robust encryption and authentication for their tools, but we need to be aware of the little details and their potential for abuse. Trusted Computing won't change the US regulations, but since they're regulations and not law, it's easy for the government to turn a blind eye at its own whim to its export, especially to prevent the general use of more robust or subpoena-safe encryption.

Re:Allowed by US Gov?

[jonwil]

The law was loosened up quite a bit when someone (I cant remember who and google isnt turning up any usefull links) went to challenge the export regulations in the courts (AFAIK it was under freedom of speech where they wanted to be able to share source code for encryption and discuss algorithims and such but were not allowed to by the export regs).

So, presumably the government saw that rather than risk loosing control over encryption completly because of a supreme court decision or something, they decided to just relax the laws.

Re:Allowed by US Gov?

[swillden]

I thought that there was a limit of encryption and everything above ...bits was banned from exporting

That has changed. Back in the days of Windows NT 4, cryptographic algorithms were classified as munitions under ITAR. In the late 90s the law was changed, removing this classification. These days, there are still some export controls on crypto, but it's fairly easy to get a permit to export anything that uses a standard, well-known algorithm, pretty much independent of key size.

Re:Allowed by US Gov?

[NetCow]

Daniel Bernstein: http://export.cr.yp.to/

Re:Allowed by US Gov?

Not only that, but it's interesting to note that one of the important things about the export controls is that courts have ruled that distributing source code to out-of-country users is considered to be free speech. This was how PGP was first spread successfully overseas. MIT printed up machine-readable books of PGP code and sent them to someone in Europe, who then scanned them in and compiled the code into binaries.

Interesting trivia: the judge who ruled on this issue was Judge Marilyn Hall Patel, who later would become famous for being the judge who ruled against Napster in the case that effectively shut them down.

Re:Allowed by US Gov?

[judmarc]

"...but since they're regulations and not law..."

Regulations are laws. (Yes, IAAL.) So no, it's not "easy for the government to turn a blind eye" to violations.

Makes me wonder how much more of your confidently penned reply is factually based.

Re:Allowed by US Gov?

[KillShill]

sounds like those "well-known" algorithms have been backdoored or at least there are easy ways to decrypt them.

i mean why allow them to be exported if they are indeed "secure"?

Re:Allowed by US Gov?

[Antique+Geekmeister]

I was making the distinction between laws written by Congress, and regulations decided on their own by whichever administrator of a regulatory agency happens to be in charge. Regulations are far more easily revised, repealed, created and discarded because they're essentially invented by a small executive group, rather than a large legislative one. For how regulations are far more easily ignored than laws, take a look at the FDA, the SEC, the DEA, and Department of Commerce's enforcemtns of encryption regulations. Congress does make some of the laws they enforce, but a lot of it is made up by them out of their own internal policies.

Re:Allowed by US Gov?

[somersault]

because they are standards and everyone else can already use them anyway? I would think that if I were in Iran a few googles would bring up some good articles about encryption etc.. or I could order a book on advanced encryption from amazon etc.. from what was said above though, the encryption techniques that Microsoft are going to use are international standards now.

The real reason...

[bigtallmofo]

DES, MD4, MD5 and, in some cases, the SHA1 encryption algorithm, which are "way too complicated to understand," said Michael Howard, senior security program manager at the company. "Instead, our R&D lab is doing great things with sophisticated XOR encryption that should be enough security for just about anyone."

Re:The real reason...

[frankthechicken]

I actually think the real reason could be pure marketing.

Windows no longer uses the insecure encryption that certain other OS' use, upgrade your security now, upgrade to Vista.

A classic quote to appeal to the PHB's and their ilk.

Re:The real reason...

[scruffy]

In addition, Microsoft doesn't hold any patents on those algorithms, and they have open specifications.

Re:The real reason...

[Otter]

I was about to say -- I wonder if they'll be dropping that ultra-secure XOR encryption option from Excel password protection!

(Note: working from home right now, with three-year-old Office X -- don't know if current versions of Office still have the XOR option.)

Re:The real reason...

[halleluja]

Instead, our R&D lab is doing great things with sophisticated XOR encryption that should be enough security for just about anyone."

XOR offers the best security -- it's a hassle though to keep your keys safe as they are as long as the plaintext.

Re:The real reason...

[Bert64]

Except that linux, apache, mozilla etc, have supported 256-bit aes for years, and only support weaker ciphers in order to maintain compatibility with microsoft systems, the current versions of which don`t support anything stronger than 128-bit rc4.

Re:The real reason...

[TerranFury]

Hey, XOR is great for one-time-pads...

Re:The real reason...

640k ... that should be enough for just about anyone.

improving encryption

[myukew]

this post is rot13 encrypted. twice. to improve security.

Re:improving encryption

[EnsilZah]

With the power of today's computers twice just isn't enough.
You'll need to use atleast rot13 x 1024k to be really secure.

Re:improving encryption

It appears you just posted the plain text and not the cypher text. If you'd like to encrypt anything else in the future, just send it to me, and i'll send back the encrypted document and your private key and this mistake won't happen again.

Re:improving encryption

I can't read your post, it appears to have been encrypted somehow.

(with apologies to whoever I stole this joke from.)

Re:improving encryption

[HermanAB]

Bah - my post is double DES encrypted. It is much more secure than your Ceasar cypher.

Re:improving encryption

[the_weasel]

Humbug. My post is merely incoherent. Beat that.

Re:improving encryption

[vliktor]

This post is rot13 encrypted.. four times. to improve security.

I'm not sure but....

[amodm]

wasn't NTLM slightly based on/uses DES ? If thats the case, then does it mean that they are changing the algo used in SAM too ?

Re:I'm not sure but....

[r2q2]

Yes you are correct. NTLM uses DES encryption to generate a hash of the password. See http://www.samba.org/samba/docs/man/Samba-Develope rs-Guide/pwencrypt.html for more information.

Re:I'm not sure but....

[pete-classic]

My UID is prime is yours?

Yes.

-Peter

Re:I'm not sure but....

[leuk_he]

Yep, what means you have to upgrade to an supported OS to be able to connect vista? Since win2000 is not supoorted they won't be upgraded and they cannot connect to vista.

Upgrade in the name of security!

Of you can go deep down in vista and enable an option for OLD/depreciated NTLM supported, giving you much popups about that your OS not being safe WARNIGN WARNING WARNING.!

Re:I'm not sure but....

[amodm]

But along with Win2k, doesn't that break connectivity with WinXP too ? AFAIK WinXP also uses NTLM (v2 I guess).

Microsoft has been a company which actually puts extra code in their kernel to keep buggy software compatible with its new releases (http://www.kuro5hin.org/story/2004/2/15/71552/779 5).

Its hard to believe microsoft would actually go to this extent. On the other hand, they might be taking a very fresh approach to their new OS

Re:I'm not sure but....

[Tony+Hoyle]

Especially over VPNs where kerberos is problematic (since MS kerberos has no kinit you can't connect to multiple kerberos domains) NTLMv2 is pretty much the only usable protocol.

If they're mandating kerberos only they pretty much lock vista out of remote usage and make it LAN only.

Re:I'm not sure but....

[leuk_he]

xp is still supported, meaning they might upgrade any interface for XP. For windows 2000 they don't have to do that and just will yell that it is an unsupported OS.

Re:I'm not sure but....

[Nimey]

You, sir, are a dipshit. W2K SP2 and newer support NTLM2 authentication. SP[234] is a *free* upgrade to W2K. If anyone is theoretically at fault, it would be IT departments who won't upgrade their W2K boxen.

Re:I'm not sure but....

[DRobson]

NTLM is based on the following steps,

• Convert the password to unicode (if not already)
• Calculate the MD4 hash of the unicode password
• DES encrpyt the password using the user's unique system identifier

Obvious problems that come to mind are: MD4 being well and truly broken, system identifiers for certain accounts (Eg, administrator) are constants and you can generally ask servers to use previous versions of the system for backwards compatibility.

IIRC, NTLMv2 uses an HMAC-MD5 which is relatively secure from an analytical attack viewpoint. Still massively bruteforceable if you've got a weak password.

This (and other little bits I've seen) leads me to wild speculation that the SAM can store multiple different password hash types, but someone else can probably tell you with more authority.

Re:I'm not sure but....

[leuk_he]

you mean.... The it department who did not upgrade to linux.

this is /. after alll

Re:I'm not sure but....

[eglass1]

NTLMv2 is based on MD4 and MD5... which would also (hypothetically) be deprecated.

Re:I'm not sure but....

No, it is:

• Convert the password to unicode
• Calculate the MD4 hash of the unicode password
• Null-pad the 16-byte hash to 21 bytes
• Split this into three 7-byte DES keys
• DES-encrypt the 8-byte challenge from the server with each key
• Concatenate the three ciphertexts into the 24-byte NTLM response

SIDs do not play a role in NTLM authentication (or any of the variants); they are used for authorization (rather than authentication).

The SAM stores both the LM hash (although this can be disabled) and the NTLM hash (which is the MD4 of the unicode password). The NTLMv2 hash is the HMAC-MD5 of the uppercase unicode username + uppercase unicode authentication domain, using the NTLM hash as the key. As it can be derived from the NTLM hash, the NTLMv2 hash is not stored separately.

There are several attacks to recover the password from the old LM hash; all of which are practically irrelevant. If you have access to the raw hashes themselves (LM, NTLM, or NTLMv2), you can impersonate the user over the network (as the response to the server's challenge is calculated using the hash, not the plaintext password). The hash is effectively a plaintext equivalent.

Comment removed

[account_deleted]

Comment removed based on user account deletion

So LM hashes are out! Yay!

If this is true then LM hashes, which use DES, are on their way out finally. It's going to break some backwards compatibility, but it will go a long way in fixing some of the most obvious, http://www.antsight.com/zsl/rainbowcrack/, privelage escalation problems.

I for one...

[guruevi]

V sbe bar jrypbzr bhe ebg13 bireybeqf -> If you can't read this you're obviously 1: dyslexic 2: a Windows administrator (which is a fancy name for 1) 3: ...

Re:I for one...

[abb3w]

3: routinely spend far too much time doing the newspaper's daily cryptogram instead of your job.

Re:I for one...

You can't read a ROT13 if you spend too much time doing cryptograms? Erm.. maybe I'm missing something, but I'm curious about what leads you to that conclusion...

Re:MD4 and MD5 are not encryption schemes

I always wondered why they use hashing for the passwords. The other day someone at my school forgot their XP password and it took me less than 30 minutes to "crack" it.

In line with their usual policy...

[relaxrelax]

In keeping with their usual policy...

They haven't banned it until they were in the "extreme weakness" zone. Because the urgent, grave, critical, spam-zombie script kiddie friendly since last year, heavy, moderate, or obscure-but-total-system-compromised weakness categories aren't enough for them to fix it. And they only react to "extreme weakness" twice a year tsk tsk tsk...

Sort of like the slammer virus fix not being part of their "hotfixes" service and delayed 6 months to be in a service pack, and a warning 2 weeks before the service pack to make sure evil doers get a head start they ignored 6 months before (due to too many other weaknesses easily used by the average script kiddy)...

Since security is their big concern this time around (according to many press releases and ads), where does that leave all other aspect of the next windows? How can it possibly get any worse?

well good. It's about time.

[dAzED1]

Anyone that disagrees that removing these "encryption" methods is bad, is obviously just a troll. /sarcasm

Ok, question: what does Windows use hashes for, other than the updater (if even that)? Can't the updater just change what it supports, and leave the other hash tools alone?

How about some real security enhancements, Gates?

Doh ...

[BlueTrin]

Anyway they can use whichever algorithm they want ... bad implementation/planning is the cause of their security holes.

Soon in Vista, 120xDES and AES implemented as default algorithms but windows media player will run any command sent remotely ...

Re:Doh ...

[owlstead]

"120xDES and AES implemented"

Why would you want to implement DES 120 times? Or were you planning to do 120 encipherments with 2 or 3 keys? Or with 120 seperate (different) keys?

Maybe you are referring to triple DES, 2 key encipherment in EDE mode? That's 112 bits mind you, not 120 (128 bits, every least significant bit a parity bit over the higher bits in a byte -> 128 - 16 = 112).

Alte4rnative encyrption schemes available..

[Rob+T+Firefly]

Microsoft has promised additional encryption schemes for power users, including ig-pay atin-lay, leaving out every third word, and Navajo code talkers.

Re:Alte4rnative encyrption schemes available..

[trongey]

Have you ever tried to crack Navajo code talk?

Re:Alte4rnative encyrption schemes available..

[Rob+T+Firefly]

Not yet, I'm currently devoting all my clock cycles to elderly Italian relatives' hand signals.

RC4

[Jacco+de+Leeuw]

Yeah, but Microsoft continues to use RC4 in protocols such as SSL and RDP...

Isn't it time to abandon RC4 too while they are at it?

So put the security code in a separate module

If they simply established a standard interface for the security code and put the code in its own module, they could update the security algorithm without touching anything else. Then they don't have to worry about telling people to change their code; just link it to the new security module.

What about linux?

[buddha42]

Has any major distro changed or announced plans to change their password hash format in /etc/shadow?

Re:What about linux?

[ltbarcly]

*BSD gives you the option to use blowfish instead of MD5. I would assume that Linux distros could be modified to do this with almost no effort.

Re:What about linux?

[flithm]

This has already been done.

In case you're curious here's some info on the redhat mailing list about it.

Note that this message is from 2003, but still not a lot has been done.

It is possible though... you can check if your system uses md5 or blowfish by looking in /etc/shadow. If the passwords start with $1$ that means it's MD5, if it says $2$ that's blowfish.

Re:What about linux?

[CowboyBob500]

I'm on a standard install of SuSE 9.3 Pro and passwords in /etc/shadow start with $2$, so I guess Novell are on the ball at least.

Bob

Re:What about linux?

If someone can read your /etc/shadow you are pretty much hosed anyways, so there isn't really much point.

Firefox already supports AES/256

[Bert64]

Firefox and other mozilla based browsers already support 256-bit AES encryption for ssl websites, as does apache..
On the other hand, IIS and IE support nothing stronger than 128-bit RC4.. so be dropping RC4 they will lose compatibility with older versions of their own products, but maintain compatibility with their competitors.

Re:Firefox already supports AES/256

You didn't read the article, did you?
This is about guidelines of what to use in new code, it is not a product decision about internet explorer or a discussion about backward compatibility,

AES & SHA256 are young

[mjh]

These are newcomers. Shouldn't that give us some pause as to how much we should rely on them? Yes they've been well studied. But compare AES with DES. It's been around forever and the only weakness that we know of is keylength. Do we really have enough exposure to the "new guys" to put confidence in them to switch everything to them?

Re:AES & SHA256 are young

[hitchgoat]

Presumably DES-EDE will still be supported...

Re:AES & SHA256 are young

[Tony+Hoyle]

There's already a crack for AES.. check the archives.

Any encryption will be broken given enough time... for most people it really isn't an issue - for example your browser communication only needs to be 'secure' for about 10 seconds to do a transaction.

Re:AES & SHA256 are young

[Thuktun]

There's already a crack for AES.. check the archives.

I wouldn't call it a crack, more of a theoretical vulnerability. When the attack's complexity exceeds the number of atoms in the universe, it doesn't seem much like a "crack".

Re:AES & SHA256 are young

[Professor_UNIX]

If you want to continue to rely on the old DES algorithm then use 3DES. I imagine Microsoft won't be removing that anytime soon.

Re:AES & SHA256 are young

[DRobson]

Problem with hash algorithms is we've really only got SHA left at the moment and that's even gradually starting to come down. Other than that the only algorithm I can think of is RIPEMD160 or WHIRLPOOL and I'm not sure how many people are willing to bet their security on them.

Re:AES & SHA256 are young

[A+beautiful+mind]

Bwahahah. One of the stupidest post i've ever seen to get modded up to 5.

Re:AES & SHA256 are young

[SpocksLoveChild]

Another point is that, whereas the design of AES algorithm is completely disclosed, some part of the DES design(or rather it's exact rational), the design of the so-called s-boxes, are still not publicly known.

This might be considered a benefit, as it means(very roughly speaking) that a feasable attack on DES can only base itself on brute force, since the algorithm to a certain extent remains a black box where you can only consider the input and output. For the same reason 3DES with a 168bit key can be considered completely secure, because a brute force attack on it is provably unfeasable with the computing power currently available.

The same cannot be said for AES, even with larger key sizes, as analysis of it's algorithmn may someday(is it hasn't already happened) lay bare a fatal weakness of some kind.

Re:AES & SHA256 are young

[miaomix]

That, and DES has a lovely mathematical weakness where it can be broken down in to 1-bit vector operations. Makes 2.6 GHz 64-bit process break it real fast. You can through ALOT of 1-8 character passwords at that in a VERY short time. heck, my 240MHz 64-bit PA-RISC with vectirized 1 bit operations ran cracking stuff faster than my 32-bit 450MHz PIII when I used to do password auditing.

Re:AES & SHA256 are young

[EchoMirage]

AES & SHA256 are young. These are newcomers.

If you know of an exploitable, real-world weakness in AES, there's a doctorate degree from any university in the world and a high six-figure salary with your name on it. The U. S. Government, in particular, would be interested in learning of a weakness in AES, since it uses AES for many secret and top secret-classified transactions.

Re:AES & SHA256 are young

[owlstead]

Yes, we have. AES has not so many rounds, and this is a theoretical weakness. A *very* theoretical weakness indeed. Please read "practical cryptography" by bruce schneier for more details. There a few other very strong ciphers mentioned there as well.

The existence of weak keys as well as the small block size makes cuts your "only weakness" argement -er- *WRONG* as well. Besides that, DES is pretty slow compared to AES and most other modern block ciphers.

The only reason to use 3DES is backwards compatibility. This is a pretty strong argument though, but for new or flexible protocols (like SSL as used in HTTPS), one *SHOULD* use one of AES-128/SHA-256/RSA-2048/EC-160 as minimum.

Re:AES & SHA256 are young

[Marcus81]

Well if that's the case then consider this: Since we have nuclear fusion occurring naturally in stars, the number of atoms in the universe is being reduced slowly. This in turn makes it hard to predict when the number of atoms present comes to a dangerously low level because it in turn affects the relative strength of the AES algorithm :-) Conclusion: depracate and devise a new algorithm while we still have time ;-)

Encryption

[certel]

Hmm. I think that they have other things they need to worry about.

Clean slate

[ChrisF79]

I wonder if Microsoft sees new products as a fresh start and a chance to completely redeem themselves from prior flaws. I would expect them to have a series of meetings to say, "Where did we go wrong last time" and vow to eliminate those issues. Let's hope they use this opportunity to release something solid and stable from the beginning. We can't expect perfection, but they can definitely do better than they have in the past.

HAHAHAHAHA!!!

Oh MAN! Double ROT13!!! That's like...no encryption at all, so there would be no point in using it! But you humourously suggested that it would be secure which is SO HILARIOUS - that's one gag I've never seen before on Slashdot, ever. Quite incredible. Sir, I salute you.

Dude!

You forgot the punchline...

3) Profit!

Will this help the security of Vista?

[hritcu]

Well ... I know that these criptography standards are begining to be dated, and it is very likely that we will see more successful brute force atacks on them in the following years. However, I wonder if changing them will have a noticeable positive effect on the security of Vista. How many of the many exploitable holes in Windows XP are due to bad criptography, and how many are due to bad design and policies?

Whats wrong with MD5?

As far as my limited knowledge extends, MD5 is fairly safe as long as you use it for the right purpose and include a long enough salt (which is kept secret).

Other than building up MD5 databases, can someone explain what is wrong with MD5.

If you were to find a MD5 string that has been hashed using a salt, surely it would be impossible to find the original string?

HTTP Digest

[hey]

MD5 is used in the HTTP digest authenticattion.
I hope they'll still support that!

Re:HTTP Digest

[Tony+Hoyle]

Presumably not.

The opportunity to break compatibility with all 3rd party browsers? MS will jump at the chance.

I'm guessing it'll be kerberos auth only.

Re:HTTP Digest

[HermanAB]

Only flagged in new code.

Presumably MS hasn't changed that part of IE since version 1 and it will stay that way.

Re:HTTP Digest

[multipartmixed]

(Putting on pointy-hair wig)

MD5 is deprecated, but every web server still supports basic authentication, which uses Base64. Hmm.

64 is much bigger than 5, so it must be better.

Yup. No more digest authentication, only basic will be supported! Another security problem averted; quick: call the press!

Re:HTTP Digest

Why?

Digest authentication isn't all that secure. All it does is keep the password from being sent over the network in cleartext. It doesn't prevent replay attacks. If you want a secure HTTP authentication method, Basic authentication over SSL is, for all intents and purposes, just as secure as Digest authentication over SSL.

Why have an authentication method that purports to give added security when that added security isn't all that effective? It only leads to people using Digest authentication without SSL for purposes when security is a concern.

Re:HTTP Digest

[jrumney]

Digest authentication isn't all that secure. All it does is keep the password from being sent over the network in cleartext. It doesn't prevent replay attacks.

Anonymous Cowards should familiarize themselves with RFC 2617 and the concept of challenge response authentication before making statements like that. A properly implemented server implementation of digest authentication does prevent replay attacks.

Re:well good. It's about time.

[Tony+Hoyle]

All the passwords are stored/transmitted as hashes.

Switching to SHA1 hashes only will break compatibility with everything earlier than XP.. which is probably what MS really want - force everyone to upgrade.

Re:MD4 and MD5 are not encryption schemes

If I had a dollar for every time someone called a hash algorithms an encryption scheme....

So what's wrong with these?

I checked and it looks like MD5 has the same problems any hashing function would. Namely that you can't take infiniti and squeeze it into a jar of fixnum bytes without more than one number between 0 and infiniti resulting in the same value for F.

Re:So what's wrong with these?

[Fahrenheit+450]

The problem is that collisions, i.e. two inputs that hash to the same value, can be found in much less time than wold be expected (a couple of hours instead of the expected couple thousand years).

And while this doesn't allow a lot of interesting attacks (though we have already seen where one can use these collisions to create two postscript documents or TIFF images that display different contents, but hash to the same value), it is still a major weakness with the algorithm that may lead to further more dangerous exploits.

Re:So what's wrong with these?

[Kevinv]

Yes, the only "solution" is to keep making the jar bigger. which is why they go with SHA256.

Re:So what's wrong with these?

[Just+Some+Guy]

Yes, the only "solution" is to keep making the jar bigger. which is why they go with SHA256.

Not even close.

The ideal hash function has an equal probability of all possible results for any given input. Let's look at a non-ideal one: h(x) = 1. Now, any input results in the same hash value. Is that email signature valid? Sure: it has the expected hash! Did that ISO come through intact? Sure: the hash matches! Wouldn't be very useful, would it? In this simplified example, returning a 1024-bit hash value would be exactly as useful as returning a 1-bit hash value.

This is why MD5 is deprecated. It's not that it returns too few bits (which it does by modern standards), but that it's been shown to not return an ideal distribution of results. SHA is closer to the ideal as far as we know today, and SHA-256 adds extra bits in addition to the improved algorithm.

Re:MD4 and MD5 are not encryption schemes

[HermanAB]

I guess 25 of those minutes were spent downloading a Linux tool to reset the password, 4 minutes to reboot the PC and the other 1 minute you were scratching your head to figure out the cryptic commands of the utility...

In other words...

[Jugalator]

Microsoft Drops Aging Encryption Schemes

In other words, Microsoft Drops AES?
Man, I'm so confused now. :-p

...

OK, you can stop throwing /tomatoe?s/ now.

Translate to Devspeak

[boatboy]

The article is in plain English. I haven't seen it on MSDN yet, but I imagine this is the gist in developer-speak:

Microsoft will be marking the DES, MD4, MD5 and SHA1 encryption provider classes obselete in upcoming versions of the .NET framework. While not completely insecure, these algorithms have documented vulnerabilities which mean they can be cracked or exploited in certain scenarios. FxCop will warn you when it finds these classes in use, and provide a suggested fix. Typically, this will simply envolve switching the provider you are using with the more secure SHA256 or AES providers.

Expired SHA

Could this been due to the patent on SHA has expired? And NSA wants to keep control of all things being crypted?

Re:MD4 and MD5 are not encryption schemes

[janus03]

Well, they are actually not that different. Any block cipher (like AES) can easily be used as a hashing algorithm (using the last block as the "digest") with fixed key/IV. It can be used as a MAC the same way by varying the key.

Hashing algorithms can as well be used as stream ciphers. Since they have the property that they are "cryptographically secure" - ie. their output could as well have been random for all you care - they can be used to create a stream of pseudo-random bytes that you can XOR your message with.

The real difference between hashing algorithms and "real" two-way encryption is efficiency! Hashing algorithms are also commonly called one-way encryption schemes.

Close the door and leave the windows open

[Ancient_Hacker]

It doesnt make much difference if they're going to use better encryption-- when the plain-text is so vulnerable to trojans, phishes, BHO's and viruses.

The Real Question: TEA in XBOX 360?

[BenJeremy]

Heh heh...

If Microsoft is kind enough to continue using TEA encryption in the Xbox 360 for the bootstrap initialization, perhaps it will not be so unhackable.

Probably not, but my personal belief is that MS would be dumb to make it unhackable, as mod chips have probably been responsible for a lot of console sales, and in turn, a lot of good word-of-mouth PR in the trenches.

Re:The Real Question: TEA in XBOX 360?

If you use enough rounds, TEA is fairly secure. Besides that hurdle is only the first of many - MS has learnt from the numerous flaws in the Xbox's security.

Running unsigned code on the 360 will almost certainly happen eventually, but it's going to be very challenging to do.

I hope they can get it right

[richg74]

I hope that Microsoft can pay more attention to implementing the cryptographic functions correctly than they have at times in the past. Bruce Schneier has a note in his Crypto-Gram newsletter for February 2005 on a flaw in MS's implementation of RC4:

One of the most important rules of stream ciphers is to never use the same keystream to encrypt two different documents. If someone does, you can break the encryption by XORing the two ciphertext streams together. The keystream drops out, and you end up with plaintext XORed with plaintext -- and you can easily recover the two plaintexts using letter frequency analysis and other basic techniques.
...
Microsoft uses the RC4 stream cipher in both Word and Excel. And they make this mistake. ...

He cites a paper by Hongjun Wu, as well as a report of an earlier (1999) MS crypto vulnerability.

Encryption -- hashing

[Urusai]

You can always just take your favorite symmetric key encryption algorithm and XOR successive blocks to produce a hash. This may have weaknesses for particular algorithms (IANAC).

A hashing algorithm, as we all know, is just a many-to-one function (not reversible in general). f(x)=0 is such a hash function. It exhibits disappointing collision characteristics, though. f(x)=x avoids this complication, although it is reversible. Uh oh, now Microsoft's gonna steal and patent my elite hashing algorithms.

Re:Encryption -- hashing

[swillden]

You can always just take your favorite symmetric key encryption algorithm and XOR successive blocks to produce a hash.

And you can always embed your favorite hashing algorithm in a Feistel network to create a block cipher. Not that it's a good idea.

Re:Encryption -- hashing

[SeeTheLight]

Would creating a random token, then encrypting that token to the user's password, then storing the unencrypted token outside of (or concatenated with) the encrypted data be considered "hashing" too ?

Re:Encryption -- hashing

[SeeTheLight]

or maybe it is only really a form of authentication but isn't remotely like a hash?

No, I can't believe it.

Don't tell me you're one of those promoting the ridiculously foolish "security through obscurity" approach.

Ok, let me not be so quick to judge. Work for the men in black?

Yes, AES is allowed, here is why!

[williamyf]

Also EAS was the result of a contest made by the _fine_folks_at_NIST_ (I owe a huge debt of gratitude to nist for their fine Open Source ATM network Simulator that I used in my thesis http://w3.antd.nist.gov/Hsntg/prd_atm-sim.html/).

The code that won was developed by a Belgian team, and therefore, not bounded by the restrictions, even if those restrictions were still enforced....

The press release from the _fine_folks_of_NIST_:
http://www.nist.gov/public_affairs/releases/g00-17 6.htm/

Re:Yes, AES is allowed, here is why!

[TemporalBeing]

Not necessarily. It was common for the government to take a technology from outside, allow it in, and then restrict the re-export of the same technology. Now, should the talk about export restrictions being loosened prove true, then that may not play a factor here; but just because it was developed outside the US does not mean it won't be allowed to be exported.

Furthermore, last I had heard, AES was not allowed to be exported, but I very well could be wrong.

USA Limit On Encryption

Doesn't the USA have a limit on how strong of encryption that can be exported? I remember reading at OpenBSD that they have to compile OBSD outside the USA in 6 different "free" countries because of this restriction. So would Microsoft's implementation be restricted?

in a related story...

[hobo+sapiens]

...Bank of America is no longer storing money in bed matresses in the basement of each branch. They are upgrading to mason jars which will be heavily guarded by teams of trained marmosets.

Re:in a related story...

[The+MaD+HaCkER]

Bank of America is no longer storing money in bed matresses in the basement of each branch. They are upgrading to mason jars which will be heavily guarded by teams of trained marmosets. I am the one in charge of training the marmosets! how did this vital infomation leak!! ;) The MaD HaCkER DOD

What about RC4?

[SiliconEntity]

RC4 is a stream cipher which has been on shaky ground for a long time. There are two problems with RC4. The first is that the data is not as random as it could be, at the beginning. The way RC4 works, you put in a key and then it generates a string of random bytes which you XOR with your plaintext to encrypt. But there are weaknesses in the randomness of the first part of RC4's key stream. To fix this experts recommend throwing away the first N bytes. The problem is that nobody can agree on what N should be and it keeps going up. It used to be that 256 bytes was enough, then a thousand; now they say several thousand. Such progressive weakness is a bad sign in a cipher.

The other problem is that stream ciphers in general are hard to use correctly. There have been many notorious cases of RC4 being misused. If you use the same keystream twice you get very bad results (similar to using a one time pad twice), and you can xor bits of the ciphertext and have them go straight through to the plaintext. Again and again people make these mistakes.

RC4 has probably been the cause of more security flaws than any other crypto algorithm. The most recent one (the first link above) was just this year. It is time for Microsoft to retire RC4 in new protocols and products.

I hope They Fix .Net Then

[szyzyg]

Right now you can generate SHA256 hashes, but you can't sign anything using SHA256 because it's not supported. Mono of course handles this without any problem.

Re:I hope They Fix .Net Then

[M1000]

Here I can see System.Security.Cryptography.SHA256 under .NET 2.0 Beta. So It's already there.

Re:I hope They Fix .Net Then

[M1000]

Oups, you meant for signing ;-)

You are correct, they are hashes

[jd]

You are correct, MD4 and MD5 are hashing functions. and hashing functions are one-way. Hashing is typically used within encryption - say to generate reasonable keys from pass-phrases. You could use them as an "encryption mode" (a method of using different keys per block) by hashing the prior unencrypted block and using the result as the new key.

Well, there is ONE possible exception to this. You can use hashes for error-correction. If you have enough hashes over enough slices of the data, you could actually regenerate the original dataset from just the hashes. Whether there would be any advantage in using such a method is debatable, though I suspect there may be a variant you could use where conventional error-correction codes would be unable to handle the noise levels.

As others noted, that changed

[Sycraft-fu]

Note the widespread availability of AES. While not developed by US researchers, the actual AES standard is the US government's new offical standard for symetric key encryption. It's authorized for use in both secret and top secret applications.

This was a major change in operation, as it used to be that the algorithms used for secret encryption were themselves secret.

What seems to have happened is the government has been made to realise that strong crypto exists all over the world. Thus to restrict is artifically is just to hurt US companies and intrests. Thus they are now allowing their standard to be made public.

Others have theorized that it's also because the NSA is having trouble hiring all the best mathematicians and cryptographers, and thus can't reliably evaluate crypto be themselves.

Either way, you now find AES crypto in programs from all over the world, and the government is just fine with that.

Many people think yes

[Sycraft-fu]

AES has been evaluated and weighed in on by lots of heavyweights, including major universities, the NSA, and so on. They all claim it's secure. What's more, the US government has authorized its use for encrypting secret and top secret data. Presumably they wouldn't do so if they weren't confident in its security.

Do remember that AES was around long before it became AES. It was orignally Rijndael, which was first published in 1998. True, that's not the same as DES's multi-decade legacy, but it's still a long time, and it's faced a LOT of examination and held up.

Not good for historical records...

[slashname3]

This is an example of why states are mandating use of open source solutions. Microsoft depricates these older encryption standards in their newer systems. So anything that is stored for extended periods of time will end up not being able to be recovered or read. In an open system you would most likely be able to find a package that supported those older encryption standards. With Windows you would have to find someone to write a program to decode those files for you.

No more admin for me...

[DrIdiot]

Guess that means I can't get admin passwords to the school network anymore... :(

I guess they are dropping SSL/TLS, then ... !

[madbrain]

Since both of these protocols require the use of MD5 (and SHA1) for HMAC in handshakes, regardless of which cipher suite and hash algorithm is selected to encrypt/hash the data records. See section 5 of RFC2246 (TLS) for more info.

Again Microsoft Misses the Security Boat

Not all data needs to be heavily encrypted and protected with AES and SHA256 algorithms. Microsoft is forgetting the fact that security has a time element associated with it - not every piece of data needs to be secured for a decade or two. Some data has a security shelf life measured in seconds, not years. Furthermore, they're forgetting that security is always a tradeoff - in this case particularly that between security and performance. DES MD5 may be quicker than AES SHA256. Not to mention compatibility between systems. But that's Microsoft for you - good at making our decisions for us. THANK YOU MICROSOFT!

3 DES?

[ambilio]

Does this include Triple DES?