Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Drops Aging Encryption Schemes

Posted by Zonk on from the updating-their-friends-list dept.

christchurch wrote to mention an Eweek column about Microsoft's decision to stop using DES, MD4, and MD5 for encryption in Vista. From the article: "All three algorithms show signs of 'extreme weakness' and have been banned, Howard said. Microsoft is recommending using the Secure Hash Algorithm (SHA)256 encryption algorithm and AES (Advanced Encryption Standard) cipher instead, he said. The change is part of a semi-yearly update to Microsoft's Secure Development Lifecycle policies by engineers within Microsoft's Security Business & Technology Unit."

31 of 199 comments (clear)

  1. ROT13 by Anonymous Coward · · Score: 5, Funny

    Presumably they haven't banned ROT13 then.

    1. Re:ROT13 by wertarbyte · · Score: 4, Funny

      Funny enough, IIRC Outlook Express is still not able to encrypt messages with ROT13. It just has the ability to decode them.

      --
      Life is just nature's way of keeping meat fresh.
    2. Re:ROT13 by Anonymous Coward · · Score: 5, Interesting

      It wasn't banned for XP. Check out HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Explorer\UserAssist to see for yourself.

  2. is MD4/5 really encryption ? by Anonymous Coward · · Score: 5, Insightful


    i thought they where just one way hashing algos

    1. Re:is MD4/5 really encryption ? by iamplasma · · Score: 5, Informative

      Well, it is true that they're hashes, not encryption methods but they can be used in a quasi-encryption manner. In particular, when it comes to hashing passwords to store an "encrypted" password, it is to a large extent the same as trying to break a known encrypted document where the key is the password. In fact, that's exactly how older unices store passwords, DES encrypting a blank document with the password as a key. So while it's true that MD5 isn't an encryption method, for the purposes of password authentication is it practically identical.

    2. Re:is MD4/5 really encryption ? by MoogMan · · Score: 4, Informative

      No. no. no. Encryption is reversible. Hashing is not. These are definitions, please stick to them. Encryption != Hashing. Once again, for brevity (as lots of people get this wrong): Hashing is NOT Encryption.

      There is some correctness in your comment, however: Authentication. Hashing is indeed for Authentication (Is someone who they say they are?). Encryption is for keeping data confidential (I only want foo and bar to be able to read this). Please do not mix these up!

    3. Re:is MD4/5 really encryption ? by Anonymous Coward · · Score: 5, Informative

      " That doesn't sound right to me. The whole point of keypair encryption is that anyone with the public key can encrypt, but only the people with the private key can decrypt."

      Not quite.

      Whilst it is true that any data encrypted with a public key can be decrypted only with a private key, the converse is also true. Any data encrypted with a private key can be decrypted only with the public key. This means that whoever encrypted it must have had access to the private key and thus it gives confidence in where it originated.

      It does not provide any confidentiality - but it's not supposed to, it is supposed to provide Integrity and message origin authentication.

      This is the corner stone of digital signatures.

  3. one down, one to go by cryptoz · · Score: 5, Insightful

    Even if Vista and related products use higher encryption, Windows' obsessive temp file creation, along with swap files, seems to minimize the effect that using encryption has, right?

    I mean, sure, it'll be much harder to brute force any MS encryption now, but did people do it that way before? Weren't there always other workarounds that will still be present?

    1. Re:one down, one to go by amodm · · Score: 4, Informative

      Add to it the fact that they didn't use to clear off the clear text passwd (as entered by user) from the memory.

      As a result of this, people could easily do a memory scan of lsass.exe to get the passwds of last few users who had logged on.

      See http://www.cr0.net:8040/misc/cachedump.html

    2. Re:one down, one to go by RealityMogul · · Score: 4, Insightful

      I wonder if they're still going to support the LANMAN hashes in Vista. Nothing is quite as smart as storing the easily cracked hash right next to the more secure one.

    3. Re:one down, one to go by Fahrenheit+450 · · Score: 4, Insightful

      I was going to mod you Overrated, but I decided to post instead.

      This is not about buzzword compliance. The three algorithms that they are banning should have been done away with years ago. DES has been fairly easily crackable via burute force for nearly a decade now, and MD4 has had issues for just about as long. And now that collisions can be found for MD4 essentially by hand, it shouldn't be used for anything of any importance.

      Hell, even NIST is recommending that people start figuring out ways to phase out their use of SHA-1, which is still practically secure, but starting to show cracks. And if there ever was an orginization free of buzzwords, it's NIST (I dare you to read some of their FIPS documents without passing out).

      This is a good move that nedeed to be done. It's a step in the right direction -- now they need to get on with shoring up the other holes in their codebase.

      --
      -30-
  4. Automated checking by LiquidCoooled · · Score: 5, Funny

    Developers who use one of the banned cryptographic functions in new code will have it flagged by automated code scanning tools and will be asked to update the function to something more secure, Howard said.

    C:\ > make windows.vista
    ERROR: Insecure code found.
    Please upgrade code to Linux.

    --
    liqbase :: faster than paper
    1. Re:Automated checking by jmulvey · · Score: 3, Insightful

      I totally agree. Compare Microsoft's reaction to security problems with what has happened in the *nix world with NFS and NIS.

      NIS is the biggest, steamiest pile of insecurity ever conceived... and NFS is built right on top of it. But nobody every screams and yells on slashdot about how insecure it is... I guess because it was developed by people who didn't work for the "evil empire".

  5. Allowed by US Gov? by guruevi · · Score: 4, Interesting

    Is that even allowed by US Gov. to export that to other countries? I thought that there was a limit of encryption and everything above ...bits was banned from exporting (remembering 56-bits encryption Windows NT).

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:Allowed by US Gov? by Antique+Geekmeister · · Score: 4, Informative

      It's more complex than that. There used to be a regulation in the US Customs department that forbade exporting encryption tools, classifying them as a "munition" or material of war. The result was that OS vendors would put the encryption tools on a separate tape or CD, to be shipped only if you swore on a stack of Constitutions that you were allowed to receive it. For years, the only way to be sure of getting your copy of PGP source code was to download it from Finland, which had no such silly laws.

      This got fought in court for years, and was eventually ruled unconstitutional, so the regulation was immediately transferred to the Commerce department, where it is fighting its way through the courts !!!again!!!. In the meantime, the departments involved have relented enough to permit big corporate campaign contributors, like Microsoft and the other OS vendors, to include basic encryption capabilities.

      But the US government still would strongly prefer that all such tools have some form of backdoor. That's why they developed the Clipper chip for use in cell phones, which was dropped when it turned out to work well but could be reprogrammed with a genuinely private key with a bit of work, and why the "Trusted Computing" initiative by Microsoft and their peers keeps the master encryption keys in the hands of "authorized distributors", mostly Microsoft. This means you can't use the Trusted Computing chips without someone signing off on your keys because the system won't accept unsigned keys, and that means handing over money to buy a key and identifying yourself so that law enforcement can find you if your key turns up anywhere they don't like it. It also gives a convenient central location to serve with a subpoena to get your keys, without your ever being notified of the subpoena.

      Various computer companies are willing to accept the centralized key and subpoena burdens in order to actually get robust encryption and authentication for their tools, but we need to be aware of the little details and their potential for abuse. Trusted Computing won't change the US regulations, but since they're regulations and not law, it's easy for the government to turn a blind eye at its own whim to its export, especially to prevent the general use of more robust or subpoena-safe encryption.

    2. Re:Allowed by US Gov? by swillden · · Score: 5, Informative

      I thought that there was a limit of encryption and everything above ...bits was banned from exporting

      That has changed. Back in the days of Windows NT 4, cryptographic algorithms were classified as munitions under ITAR. In the late 90s the law was changed, removing this classification. These days, there are still some export controls on crypto, but it's fairly easy to get a permit to export anything that uses a standard, well-known algorithm, pretty much independent of key size.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  6. The real reason... by bigtallmofo · · Score: 4, Funny

    DES, MD4, MD5 and, in some cases, the SHA1 encryption algorithm, which are "way too complicated to understand," said Michael Howard, senior security program manager at the company. "Instead, our R&D lab is doing great things with sophisticated XOR encryption that should be enough security for just about anyone."

    --
    I'm a big tall mofo.
    1. Re:The real reason... by frankthechicken · · Score: 3, Interesting

      I actually think the real reason could be pure marketing.

      Windows no longer uses the insecure encryption that certain other OS' use, upgrade your security now, upgrade to Vista.

      A classic quote to appeal to the PHB's and their ilk.

    2. Re:The real reason... by scruffy · · Score: 4, Insightful

      In addition, Microsoft doesn't hold any patents on those algorithms, and they have open specifications.

  7. improving encryption by myukew · · Score: 4, Funny

    this post is rot13 encrypted. twice. to improve security.

    --
    See pictures of tits
  8. I'm not sure but.... by amodm · · Score: 5, Interesting

    wasn't NTLM slightly based on/uses DES ? If thats the case, then does it mean that they are changing the algo used in SAM too ?

    1. Re:I'm not sure but.... by leuk_he · · Score: 5, Insightful

      Yep, what means you have to upgrade to an supported OS to be able to connect vista? Since win2000 is not supoorted they won't be upgraded and they cannot connect to vista.

      Upgrade in the name of security!

      Of you can go deep down in vista and enable an option for OLD/depreciated NTLM supported, giving you much popups about that your OS not being safe WARNIGN WARNING WARNING.!

  9. So LM hashes are out! Yay! by Anonymous Coward · · Score: 3, Insightful

    If this is true then LM hashes, which use DES, are on their way out finally. It's going to break some backwards compatibility, but it will go a long way in fixing some of the most obvious, http://www.antsight.com/zsl/rainbowcrack/, privelage escalation problems.

  10. well good. It's about time. by dAzED1 · · Score: 3, Interesting

    Anyone that disagrees that removing these "encryption" methods is bad, is obviously just a troll. /sarcasm

    Ok, question: what does Windows use hashes for, other than the updater (if even that)? Can't the updater just change what it supports, and leave the other hash tools alone?

    How about some real security enhancements, Gates?

  11. Doh ... by BlueTrin · · Score: 3, Interesting

    Anyway they can use whichever algorithm they want ... bad implementation/planning is the cause of their security holes.

    Soon in Vista, 120xDES and AES implemented as default algorithms but windows media player will run any command sent remotely ...

    --
    Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
  12. Alte4rnative encyrption schemes available.. by Rob+T+Firefly · · Score: 5, Funny

    Microsoft has promised additional encryption schemes for power users, including ig-pay atin-lay, leaving out every third word, and Navajo code talkers.

    --
    Slashdot Burying Stories About Slashdot Media Owned
  13. AES & SHA256 are young by mjh · · Score: 3, Interesting

    These are newcomers. Shouldn't that give us some pause as to how much we should rely on them? Yes they've been well studied. But compare AES with DES. It's been around forever and the only weakness that we know of is keylength. Do we really have enough exposure to the "new guys" to put confidence in them to switch everything to them?

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
    1. Re:AES & SHA256 are young by Thuktun · · Score: 4, Insightful

      There's already a crack for AES.. check the archives.

      I wouldn't call it a crack, more of a theoretical vulnerability. When the attack's complexity exceeds the number of atoms in the universe, it doesn't seem much like a "crack".

  14. HTTP Digest by hey · · Score: 4, Interesting

    MD5 is used in the HTTP digest authenticattion.
    I hope they'll still support that!

  15. Re:What about linux? by flithm · · Score: 4, Informative

    This has already been done.

    In case you're curious here's some info on the redhat mailing list about it.

    Note that this message is from 2003, but still not a lot has been done.

    It is possible though... you can check if your system uses md5 or blowfish by looking in /etc/shadow. If the passwords start with $1$ that means it's MD5, if it says $2$ that's blowfish.

  16. I hope they can get it right by richg74 · · Score: 4, Informative
    I hope that Microsoft can pay more attention to implementing the cryptographic functions correctly than they have at times in the past. Bruce Schneier has a note in his Crypto-Gram newsletter for February 2005 on a flaw in MS's implementation of RC4:
    One of the most important rules of stream ciphers is to never use the same keystream to encrypt two different documents. If someone does, you can break the encryption by XORing the two ciphertext streams together. The keystream drops out, and you end up with plaintext XORed with plaintext -- and you can easily recover the two plaintexts using letter frequency analysis and other basic techniques.
    ...
    Microsoft uses the RC4 stream cipher in both Word and Excel. And they make this mistake. ...
    He cites a paper by Hongjun Wu, as well as a report of an earlier (1999) MS crypto vulnerability.