Microsoft Drops Aging Encryption Schemes

christchurch wrote to mention an Eweek column about Microsoft's decision to stop using DES, MD4, and MD5 for encryption in Vista. From the article: "All three algorithms show signs of 'extreme weakness' and have been banned, Howard said. Microsoft is recommending using the Secure Hash Algorithm (SHA)256 encryption algorithm and AES (Advanced Encryption Standard) cipher instead, he said. The change is part of a semi-yearly update to Microsoft's Secure Development Lifecycle policies by engineers within Microsoft's Security Business & Technology Unit."

ROT13

Presumably they haven't banned ROT13 then.

Re:ROT13

[wertarbyte]

Funny enough, IIRC Outlook Express is still not able to encrypt messages with ROT13. It just has the ability to decode them.

Re:ROT13

It wasn't banned for XP. Check out HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Explorer\UserAssist to see for yourself.

is MD4/5 really encryption ?

i thought they where just one way hashing algos

Re:is MD4/5 really encryption ?

[iamplasma]

Well, it is true that they're hashes, not encryption methods but they can be used in a quasi-encryption manner. In particular, when it comes to hashing passwords to store an "encrypted" password, it is to a large extent the same as trying to break a known encrypted document where the key is the password. In fact, that's exactly how older unices store passwords, DES encrypting a blank document with the password as a key. So while it's true that MD5 isn't an encryption method, for the purposes of password authentication is it practically identical.

Re:is MD4/5 really encryption ?

Actually, MD5 can be (ab)used to act as a stream ciper. Roughly, MD5 can generate a pseudo-random stream of bits, by running it in a feedback loop primed with a secret key. This stream is then XORed with the data to provide encryption. The receoved uses the same feedback loop with the same key to XOR the ciphertext with the stream to recover the plaintext.

Cisco TACACS+ is an example where MD5 encrypts a session.

Re:is MD4/5 really encryption ?

[MoogMan]

No. no. no. Encryption is reversible. Hashing is not. These are definitions, please stick to them. Encryption != Hashing. Once again, for brevity (as lots of people get this wrong): Hashing is NOT Encryption.

There is some correctness in your comment, however: Authentication. Hashing is indeed for Authentication (Is someone who they say they are?). Encryption is for keeping data confidential (I only want foo and bar to be able to read this). Please do not mix these up!

Re:is MD4/5 really encryption ?

" That doesn't sound right to me. The whole point of keypair encryption is that anyone with the public key can encrypt, but only the people with the private key can decrypt."

Not quite.

Whilst it is true that any data encrypted with a public key can be decrypted only with a private key, the converse is also true. Any data encrypted with a private key can be decrypted only with the public key. This means that whoever encrypted it must have had access to the private key and thus it gives confidence in where it originated.

It does not provide any confidentiality - but it's not supposed to, it is supposed to provide Integrity and message origin authentication.

This is the corner stone of digital signatures.

Re:is MD4/5 really encryption ?

[owlstead]

The parent had things completely right for RSA. You are trying to put things out of context.

You would not use RSA & private key encryption for message authenticity. But that's something different.

Besides that, almost any cryptographic algorithm depends on a specific scheme or protocol (padding/hashing etc) to protect against crypto-analyses. Nowhere is said that the parent of your post was refering to "plain-vanilla" RSA either. That's like saying that if you talk about AES, you are being foolish, since you have to use CBC instead of ECB to be secure. Yeah, well, duh!

Re:is MD4/5 really encryption ?

[jafac]

So - then it doesn't matter if the hash algorithm is breakable? Since the hash gets encrypted? Or can the "broken" hash be used as a shortcut to attack the encryption?

Teamwork

[Ruie]

The change is part of a semi-yearly update to Microsoft's Secure Development Lifecycle policies by engineers within Microsoft's Security Business & Technology Unit

As opposed to the quarterly update by managers ?

one down, one to go

[cryptoz]

Even if Vista and related products use higher encryption, Windows' obsessive temp file creation, along with swap files, seems to minimize the effect that using encryption has, right?

I mean, sure, it'll be much harder to brute force any MS encryption now, but did people do it that way before? Weren't there always other workarounds that will still be present?

Re:one down, one to go

[KiloByte]

This change has nothing to do with security.
It's all about buzzword-compliancy. It's managers who decide on a company's spending; the managers read overhyped news about "SHA1 getting broken" while the only thing the recent papers provided was a very expensive method to brute-force a hash collision -- [b]any[/b] collision, not a message that matches a given hash. In the managers' minds, those encryption algorithms are worthless now -- and it's a very well-known fact that managers never accept being corrected by those who know better.

This policy is just like getting a million dollar certified oxygen tank and then securing it with a clothesline peg. Who cares that the end result is flaky, if you can claim that you used the best tank available!?

Re:one down, one to go

[amodm]

Add to it the fact that they didn't use to clear off the clear text passwd (as entered by user) from the memory.

As a result of this, people could easily do a memory scan of lsass.exe to get the passwds of last few users who had logged on.

See http://www.cr0.net:8040/misc/cachedump.html

Re:one down, one to go

[RealityMogul]

I wonder if they're still going to support the LANMAN hashes in Vista. Nothing is quite as smart as storing the easily cracked hash right next to the more secure one.

Re:one down, one to go

[amodm]

While I agree with your "securing a million dollar tank with a clothesline peg" statement, the actual discard of the older algos might make a lot of sense from a decision making perspective.

This is going to be a major (debatable) release for Microsoft after a long long time. Typically the time gap between major releases is huge for microsoft. In this time gap, all kinds of new attacks against crypto algos are discovered (http://it.slashdot.org/article.pl?sid=05/08/18/22 47245&tid=93&tid=172).

If they don't drop the old algos, they are basically promising support for them for that major gap of time, in which it can become quite vulnerable. By choosing the latest (plus highly verified world over) algos, they are at least trying to be in a safe position (which of course can be compromised by other ways, but thats not the point i'm making here).

From a management perspective, it makes good sense to discard the old algos.

Re:one down, one to go

[cpeikert]

As far as I am aware, predicting a md5 collision has not been done.

I don't know what you mean by "predicting," but yes, concrete MD5 collisions exist. I.e., two files, with different contents, that have the same MD5 hash (and the same size, to boot). They are printed in the paper that first announced the MD5 break. Further work has shown that additional collisions can be generated at will in minutes on a common laptop computer.

Re:one down, one to go

[Fahrenheit+450]

I was going to mod you Overrated, but I decided to post instead.

This is not about buzzword compliance. The three algorithms that they are banning should have been done away with years ago. DES has been fairly easily crackable via burute force for nearly a decade now, and MD4 has had issues for just about as long. And now that collisions can be found for MD4 essentially by hand, it shouldn't be used for anything of any importance.

Hell, even NIST is recommending that people start figuring out ways to phase out their use of SHA-1, which is still practically secure, but starting to show cracks. And if there ever was an orginization free of buzzwords, it's NIST (I dare you to read some of their FIPS documents without passing out).

This is a good move that nedeed to be done. It's a step in the right direction -- now they need to get on with shoring up the other holes in their codebase.

affects hardware upgrade cycles?

[qwertphobia]

Great... yet another reason to upgrade hardware when planning for a Vista install.

Gotta add more cycles to the those brute-force attack teams!

Automated checking

[LiquidCoooled]

Developers who use one of the banned cryptographic functions in new code will have it flagged by automated code scanning tools and will be asked to update the function to something more secure, Howard said.

C:\ > make windows.vista
ERROR: Insecure code found.
Please upgrade code to Linux.

Re:Automated checking

[jmulvey]

I totally agree. Compare Microsoft's reaction to security problems with what has happened in the *nix world with NFS and NIS.

NIS is the biggest, steamiest pile of insecurity ever conceived... and NFS is built right on top of it. But nobody every screams and yells on slashdot about how insecure it is... I guess because it was developed by people who didn't work for the "evil empire".

Allowed by US Gov?

[guruevi]

Is that even allowed by US Gov. to export that to other countries? I thought that there was a limit of encryption and everything above ...bits was banned from exporting (remembering 56-bits encryption Windows NT).

Re:Allowed by US Gov?

[Xiph]

well, if the people writing the encryption are in china, they're not exporting it but importing it.
which is yet another reason to offshore if you're multinational.

so imposing an export ban on software is kinda hard. seeing as it's hard to determine where it originates, without accessing the machines it was made on, - even that can be faked.

Re:Allowed by US Gov?

[Antique+Geekmeister]

It's more complex than that. There used to be a regulation in the US Customs department that forbade exporting encryption tools, classifying them as a "munition" or material of war. The result was that OS vendors would put the encryption tools on a separate tape or CD, to be shipped only if you swore on a stack of Constitutions that you were allowed to receive it. For years, the only way to be sure of getting your copy of PGP source code was to download it from Finland, which had no such silly laws.

This got fought in court for years, and was eventually ruled unconstitutional, so the regulation was immediately transferred to the Commerce department, where it is fighting its way through the courts !!!again!!!. In the meantime, the departments involved have relented enough to permit big corporate campaign contributors, like Microsoft and the other OS vendors, to include basic encryption capabilities.

But the US government still would strongly prefer that all such tools have some form of backdoor. That's why they developed the Clipper chip for use in cell phones, which was dropped when it turned out to work well but could be reprogrammed with a genuinely private key with a bit of work, and why the "Trusted Computing" initiative by Microsoft and their peers keeps the master encryption keys in the hands of "authorized distributors", mostly Microsoft. This means you can't use the Trusted Computing chips without someone signing off on your keys because the system won't accept unsigned keys, and that means handing over money to buy a key and identifying yourself so that law enforcement can find you if your key turns up anywhere they don't like it. It also gives a convenient central location to serve with a subpoena to get your keys, without your ever being notified of the subpoena.

Various computer companies are willing to accept the centralized key and subpoena burdens in order to actually get robust encryption and authentication for their tools, but we need to be aware of the little details and their potential for abuse. Trusted Computing won't change the US regulations, but since they're regulations and not law, it's easy for the government to turn a blind eye at its own whim to its export, especially to prevent the general use of more robust or subpoena-safe encryption.

Re:Allowed by US Gov?

[swillden]

I thought that there was a limit of encryption and everything above ...bits was banned from exporting

That has changed. Back in the days of Windows NT 4, cryptographic algorithms were classified as munitions under ITAR. In the late 90s the law was changed, removing this classification. These days, there are still some export controls on crypto, but it's fairly easy to get a permit to export anything that uses a standard, well-known algorithm, pretty much independent of key size.

The real reason...

[bigtallmofo]

DES, MD4, MD5 and, in some cases, the SHA1 encryption algorithm, which are "way too complicated to understand," said Michael Howard, senior security program manager at the company. "Instead, our R&D lab is doing great things with sophisticated XOR encryption that should be enough security for just about anyone."

Re:The real reason...

[frankthechicken]

I actually think the real reason could be pure marketing.

Windows no longer uses the insecure encryption that certain other OS' use, upgrade your security now, upgrade to Vista.

A classic quote to appeal to the PHB's and their ilk.

Re:The real reason...

[scruffy]

In addition, Microsoft doesn't hold any patents on those algorithms, and they have open specifications.

improving encryption

[myukew]

this post is rot13 encrypted. twice. to improve security.

I'm not sure but....

[amodm]

wasn't NTLM slightly based on/uses DES ? If thats the case, then does it mean that they are changing the algo used in SAM too ?

Re:I'm not sure but....

[leuk_he]

Yep, what means you have to upgrade to an supported OS to be able to connect vista? Since win2000 is not supoorted they won't be upgraded and they cannot connect to vista.

Upgrade in the name of security!

Of you can go deep down in vista and enable an option for OLD/depreciated NTLM supported, giving you much popups about that your OS not being safe WARNIGN WARNING WARNING.!

Comment removed

[account_deleted]

Comment removed based on user account deletion

So LM hashes are out! Yay!

If this is true then LM hashes, which use DES, are on their way out finally. It's going to break some backwards compatibility, but it will go a long way in fixing some of the most obvious, http://www.antsight.com/zsl/rainbowcrack/, privelage escalation problems.

well good. It's about time.

[dAzED1]

Anyone that disagrees that removing these "encryption" methods is bad, is obviously just a troll. /sarcasm

Ok, question: what does Windows use hashes for, other than the updater (if even that)? Can't the updater just change what it supports, and leave the other hash tools alone?

How about some real security enhancements, Gates?

Doh ...

[BlueTrin]

Anyway they can use whichever algorithm they want ... bad implementation/planning is the cause of their security holes.

Soon in Vista, 120xDES and AES implemented as default algorithms but windows media player will run any command sent remotely ...

Alte4rnative encyrption schemes available..

[Rob+T+Firefly]

Microsoft has promised additional encryption schemes for power users, including ig-pay atin-lay, leaving out every third word, and Navajo code talkers.

Re:Alte4rnative encyrption schemes available..

[Rob+T+Firefly]

Not yet, I'm currently devoting all my clock cycles to elderly Italian relatives' hand signals.

Firefox already supports AES/256

[Bert64]

Firefox and other mozilla based browsers already support 256-bit AES encryption for ssl websites, as does apache..
On the other hand, IIS and IE support nothing stronger than 128-bit RC4.. so be dropping RC4 they will lose compatibility with older versions of their own products, but maintain compatibility with their competitors.

AES & SHA256 are young

[mjh]

These are newcomers. Shouldn't that give us some pause as to how much we should rely on them? Yes they've been well studied. But compare AES with DES. It's been around forever and the only weakness that we know of is keylength. Do we really have enough exposure to the "new guys" to put confidence in them to switch everything to them?

Re:AES & SHA256 are young

[Thuktun]

There's already a crack for AES.. check the archives.

I wouldn't call it a crack, more of a theoretical vulnerability. When the attack's complexity exceeds the number of atoms in the universe, it doesn't seem much like a "crack".

Will this help the security of Vista?

[hritcu]

Well ... I know that these criptography standards are begining to be dated, and it is very likely that we will see more successful brute force atacks on them in the following years. However, I wonder if changing them will have a noticeable positive effect on the security of Vista. How many of the many exploitable holes in Windows XP are due to bad criptography, and how many are due to bad design and policies?

HTTP Digest

[hey]

MD5 is used in the HTTP digest authenticattion.
I hope they'll still support that!

Re:HTTP Digest

[HermanAB]

Only flagged in new code.

Presumably MS hasn't changed that part of IE since version 1 and it will stay that way.

Re:HTTP Digest

[multipartmixed]

(Putting on pointy-hair wig)

MD5 is deprecated, but every web server still supports basic authentication, which uses Base64. Hmm.

64 is much bigger than 5, so it must be better.

Yup. No more digest authentication, only basic will be supported! Another security problem averted; quick: call the press!

So what's wrong with these?

I checked and it looks like MD5 has the same problems any hashing function would. Namely that you can't take infiniti and squeeze it into a jar of fixnum bytes without more than one number between 0 and infiniti resulting in the same value for F.

Translate to Devspeak

[boatboy]

The article is in plain English. I haven't seen it on MSDN yet, but I imagine this is the gist in developer-speak:

Microsoft will be marking the DES, MD4, MD5 and SHA1 encryption provider classes obselete in upcoming versions of the .NET framework. While not completely insecure, these algorithms have documented vulnerabilities which mean they can be cracked or exploited in certain scenarios. FxCop will warn you when it finds these classes in use, and provide a suggested fix. Typically, this will simply envolve switching the provider you are using with the more secure SHA256 or AES providers.

Re:What about linux?

[flithm]

This has already been done.

In case you're curious here's some info on the redhat mailing list about it.

Note that this message is from 2003, but still not a lot has been done.

It is possible though... you can check if your system uses md5 or blowfish by looking in /etc/shadow. If the passwords start with $1$ that means it's MD5, if it says $2$ that's blowfish.

Expired SHA

Could this been due to the patent on SHA has expired? And NSA wants to keep control of all things being crypted?

Re:MD4 and MD5 are not encryption schemes

[janus03]

Well, they are actually not that different. Any block cipher (like AES) can easily be used as a hashing algorithm (using the last block as the "digest") with fixed key/IV. It can be used as a MAC the same way by varying the key.

Hashing algorithms can as well be used as stream ciphers. Since they have the property that they are "cryptographically secure" - ie. their output could as well have been random for all you care - they can be used to create a stream of pseudo-random bytes that you can XOR your message with.

The real difference between hashing algorithms and "real" two-way encryption is efficiency! Hashing algorithms are also commonly called one-way encryption schemes.

I hope they can get it right

[richg74]

I hope that Microsoft can pay more attention to implementing the cryptographic functions correctly than they have at times in the past. Bruce Schneier has a note in his Crypto-Gram newsletter for February 2005 on a flaw in MS's implementation of RC4:

One of the most important rules of stream ciphers is to never use the same keystream to encrypt two different documents. If someone does, you can break the encryption by XORing the two ciphertext streams together. The keystream drops out, and you end up with plaintext XORed with plaintext -- and you can easily recover the two plaintexts using letter frequency analysis and other basic techniques.
...
Microsoft uses the RC4 stream cipher in both Word and Excel. And they make this mistake. ...

He cites a paper by Hongjun Wu, as well as a report of an earlier (1999) MS crypto vulnerability.

Encryption -- hashing

[Urusai]

You can always just take your favorite symmetric key encryption algorithm and XOR successive blocks to produce a hash. This may have weaknesses for particular algorithms (IANAC).

A hashing algorithm, as we all know, is just a many-to-one function (not reversible in general). f(x)=0 is such a hash function. It exhibits disappointing collision characteristics, though. f(x)=x avoids this complication, although it is reversible. Uh oh, now Microsoft's gonna steal and patent my elite hashing algorithms.

I hope They Fix .Net Then

[szyzyg]

Right now you can generate SHA256 hashes, but you can't sign anything using SHA256 because it's not supported. Mono of course handles this without any problem.