Slashdot Mirror


Microsoft Drops Aging Encryption Schemes

christchurch wrote to mention an Eweek column about Microsoft's decision to stop using DES, MD4, and MD5 for encryption in Vista. From the article: "All three algorithms show signs of 'extreme weakness' and have been banned, Howard said. Microsoft is recommending using the Secure Hash Algorithm (SHA)256 encryption algorithm and AES (Advanced Encryption Standard) cipher instead, he said. The change is part of a semi-yearly update to Microsoft's Secure Development Lifecycle policies by engineers within Microsoft's Security Business & Technology Unit."

25 of 199 comments

  1. ROT13 by Anonymous Coward · · Score: 5, Funny

    Presumably they haven't banned ROT13 then.

    1. Re:ROT13 by wertarbyte · · Score: 4, Funny

      Funny enough, IIRC Outlook Express is still not able to encrypt messages with ROT13. It just has the ability to decode them.

      --
      Life is just nature's way of keeping meat fresh.
    2. Re:ROT13 by Anonymous Coward · · Score: 5, Interesting

      It wasn't banned for XP. Check out HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist to see for yourself.

  2. is MD4/5 really encryption ? by Anonymous Coward · · Score: 5, Insightful

    I thought they were just one-way hashing algos.

    1. Re:is MD4/5 really encryption ? by iamplasma · · Score: 5, Informative

      Well, it is true that they're hashes, not encryption methods, but they can be used in a quasi-encryption manner. In particular, when it comes to hashing passwords to store an "encrypted" password, it is to a large extent the same as trying to break a known encrypted document where the key is the password. In fact, that's exactly how older unices store passwords: DES-encrypting a blank document with the password as the key. So while it's true that MD5 isn't an encryption method, for the purposes of password authentication it is practically identical.

    2. Re:is MD4/5 really encryption ? by MoogMan · · Score: 4, Informative

      No. no. no. Encryption is reversible. Hashing is not. These are definitions, please stick to them. Encryption != Hashing. Once again, for brevity (as lots of people get this wrong): Hashing is NOT Encryption.

      There is some correctness in your comment, however: Authentication. Hashing is indeed for Authentication (Is someone who they say they are?). Encryption is for keeping data confidential (I only want foo and bar to be able to read this). Please do not mix these up!

    3. Re:is MD4/5 really encryption ? by Anonymous Coward · · Score: 5, Informative

      "That doesn't sound right to me. The whole point of keypair encryption is that anyone with the public key can encrypt, but only the people with the private key can decrypt."

      Not quite.

      Whilst it is true that any data encrypted with a public key can be decrypted only with a private key, the converse is also true. Any data encrypted with a private key can be decrypted only with the public key. This means that whoever encrypted it must have had access to the private key and thus it gives confidence in where it originated.

      It does not provide any confidentiality - but it's not supposed to, it is supposed to provide Integrity and message origin authentication.

      This is the cornerstone of digital signatures.
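The private-key/public-key relationship described above, as an added textbook RSA illustration (not code from the original thread, and not a real signature scheme: the primes are tiny constructed values and the digest is simply reduced mod N with no padding). Signing is the private-exponent operation on a hash of the message; verification is the public-exponent operation; and the last function shows why this gives origin authentication but no confidentiality, since anyone with the public key can undo it.

```python
import hashlib

# Constructed toy parameters (real RSA keys are 2048+ bits).
P, Q = 1_000_003, 1_000_033          # two small primes
N = P * Q
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, inverse of E mod phi(N)


def digest(message: bytes) -> int:
    """Hash the message and reduce it into the RSA modulus (toy, no padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """'Encrypt' the digest with the private exponent: this is the signature."""
    return pow(digest(message), d, n)


def verify(message: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """'Decrypt' with the public exponent and compare to the recomputed digest."""
    return pow(sig, e, n) == digest(message)


def recover_digest(sig: int, e: int = E, n: int = N) -> int:
    """Anyone holding the public key can invert the private-key operation,
    so a signature hides nothing: integrity and origin, not confidentiality."""
    return pow(sig, e, n)


if __name__ == "__main__":
    msg = b"pay 100 to bob"
    s = sign(msg)
    print("valid:", verify(msg, s), "tampered:", verify(b"pay 900 to bob", s))
    print("public key recovers digest:", recover_digest(s) == digest(msg))
```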

  3. one down, one to go by cryptoz · · Score: 5, Insightful

    Even if Vista and related products use higher encryption, Windows' obsessive temp file creation, along with swap files, seems to minimize the effect that using encryption has, right?

    I mean, sure, it'll be much harder to brute force any MS encryption now, but did people do it that way before? Weren't there always other workarounds that will still be present?

    1. Re:one down, one to go by amodm · · Score: 4, Informative

      Add to it the fact that they didn't use to clear off the clear text passwd (as entered by user) from the memory.

      As a result of this, people could easily do a memory scan of lsass.exe to get the passwds of last few users who had logged on.

      See http://www.cr0.net:8040/misc/cachedump.html

    2. Re:one down, one to go by RealityMogul · · Score: 4, Insightful

      I wonder if they're still going to support the LANMAN hashes in Vista. Nothing is quite as smart as storing the easily cracked hash right next to the more secure one.

    3. Re:one down, one to go by Fahrenheit+450 · · Score: 4, Insightful

      I was going to mod you Overrated, but I decided to post instead.

      This is not about buzzword compliance. The three algorithms that they are banning should have been done away with years ago. DES has been fairly easily crackable via brute force for nearly a decade now, and MD4 has had issues for just about as long. And now that collisions can be found for MD4 essentially by hand, it shouldn't be used for anything of any importance.

      Hell, even NIST is recommending that people start figuring out ways to phase out their use of SHA-1, which is still practically secure, but starting to show cracks. And if there ever was an organization free of buzzwords, it's NIST (I dare you to read some of their FIPS documents without passing out).

      This is a good move that needed to be done. It's a step in the right direction -- now they need to get on with shoring up the other holes in their codebase.

      --
      -30-
  4. Automated checking by LiquidCoooled · · Score: 5, Funny

    Developers who use one of the banned cryptographic functions in new code will have it flagged by automated code scanning tools and will be asked to update the function to something more secure, Howard said.

    C:\ > make windows.vista
    ERROR: Insecure code found.
    Please upgrade code to Linux.

    --
    liqbase :: faster than paper
  5. Allowed by US Gov? by guruevi · · Score: 4, Interesting

    Is that even allowed by the US Gov. to export that to other countries? I thought that there was a limit on encryption and everything above ...bits was banned from exporting (remembering 56-bit encryption in Windows NT).

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:Allowed by US Gov? by Antique+Geekmeister · · Score: 4, Informative

      It's more complex than that. There used to be a regulation in the US Customs department that forbade exporting encryption tools, classifying them as a "munition" or material of war. The result was that OS vendors would put the encryption tools on a separate tape or CD, to be shipped only if you swore on a stack of Constitutions that you were allowed to receive it. For years, the only way to be sure of getting your copy of PGP source code was to download it from Finland, which had no such silly laws.

      This got fought in court for years, and was eventually ruled unconstitutional, so the regulation was immediately transferred to the Commerce department, where it is fighting its way through the courts !!!again!!!. In the meantime, the departments involved have relented enough to permit big corporate campaign contributors, like Microsoft and the other OS vendors, to include basic encryption capabilities.

      But the US government still would strongly prefer that all such tools have some form of backdoor. That's why they developed the Clipper chip for use in cell phones, which was dropped when it turned out to work well but could be reprogrammed with a genuinely private key with a bit of work, and why the "Trusted Computing" initiative by Microsoft and their peers keeps the master encryption keys in the hands of "authorized distributors", mostly Microsoft. This means you can't use the Trusted Computing chips without someone signing off on your keys because the system won't accept unsigned keys, and that means handing over money to buy a key and identifying yourself so that law enforcement can find you if your key turns up anywhere they don't like it. It also gives a convenient central location to serve with a subpoena to get your keys, without your ever being notified of the subpoena.

      Various computer companies are willing to accept the centralized key and subpoena burdens in order to actually get robust encryption and authentication for their tools, but we need to be aware of the little details and their potential for abuse. Trusted Computing won't change the US regulations, but since they're regulations and not law, it's easy for the government to turn a blind eye at its own whim to its export, especially to prevent the general use of more robust or subpoena-safe encryption.

    2. Re:Allowed by US Gov? by swillden · · Score: 5, Informative

      I thought that there was a limit of encryption and everything above ...bits was banned from exporting

      That has changed. Back in the days of Windows NT 4, cryptographic algorithms were classified as munitions under ITAR. In the late 90s the law was changed, removing this classification. These days, there are still some export controls on crypto, but it's fairly easy to get a permit to export anything that uses a standard, well-known algorithm, pretty much independent of key size.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  6. The real reason... by bigtallmofo · · Score: 4, Funny

    DES, MD4, MD5 and, in some cases, the SHA1 encryption algorithm, which are "way too complicated to understand," said Michael Howard, senior security program manager at the company. "Instead, our R&D lab is doing great things with sophisticated XOR encryption that should be enough security for just about anyone."

    --
    I'm a big tall mofo.
    1. Re:The real reason... by scruffy · · Score: 4, Insightful

      In addition, Microsoft doesn't hold any patents on those algorithms, and they have open specifications.

  7. improving encryption by myukew · · Score: 4, Funny

    this post is rot13 encrypted. twice. to improve security.

  8. I'm not sure but.... by amodm · · Score: 5, Interesting

    Wasn't NTLM slightly based on/using DES? If that's the case, then does it mean that they are changing the algo used in the SAM too?

    1. Re:I'm not sure but.... by leuk_he · · Score: 5, Insightful

      Yep, which means you have to upgrade to a supported OS to be able to connect to Vista? Since Win2000 is not supported, they won't be upgraded and they cannot connect to Vista.

      Upgrade in the name of security!

      Or you can go deep down in Vista and enable an option for OLD/deprecated NTLM support, giving you many popups about your OS not being safe WARNING WARNING WARNING.!

  9. Alternative encryption schemes available.. by Rob+T+Firefly · · Score: 5, Funny

    Microsoft has promised additional encryption schemes for power users, including ig-pay atin-lay, leaving out every third word, and Navajo code talkers.

  10. HTTP Digest by hey · · Score: 4, Interesting

    MD5 is used in HTTP digest authentication.
    I hope they'll still support that!

  11. Re:AES & SHA256 are young by Thuktun · · Score: 4, Insightful

    There's already a crack for AES.. check the archives.

    I wouldn't call it a crack, more of a theoretical vulnerability. When the attack's complexity exceeds the number of atoms in the universe, it doesn't seem much like a "crack".

  12. Re:What about linux? by flithm · · Score: 4, Informative

    This has already been done.

    In case you're curious here's some info on the redhat mailing list about it.

    Note that this message is from 2003, but still not a lot has been done.

    It is possible though... you can check if your system uses md5 or blowfish by looking in /etc/shadow. If the passwords start with $1$ that means it's MD5, if it says $2$ that's blowfish.
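The /etc/shadow check described above, as an added audit script (not from the original post). It classifies each account's password field by its `$id$` prefix; besides the `$1$` (MD5) and `$2$` (blowfish/bcrypt) prefixes the post mentions, it also recognises the later `$2a$`/`$2b$`/`$2y$` bcrypt variants, `$5$`/`$6$` SHA-crypt, and prefix-less 13-character DES crypt. The sample lines are constructed, not from a real system.

```python
import re

# Constructed sample /etc/shadow lines (hash bodies are dummies, not real hashes).
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhashhashhash:19000:0:99999:7:::
alice:$1$abcdefgh$hashhashhashhashhash:19000:0:99999:7:::
bob:$2a$10$saltsaltsaltsaltsaltsahashhashhashhashhashhashhashhashh:19000:0:99999:7:::
carol:$5$saltsalt$hashhashhashhashhash:19000:0:99999:7:::
legacy:abJnggxhB/yWI:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
nologin:!:19000:0:99999:7:::
"""

# prefix id -> (scheme name, weak by today's standards?)
SCHEMES = {
    "1": ("md5-crypt", True),
    "2": ("bcrypt (blowfish)", False),
    "2a": ("bcrypt (blowfish)", False),
    "2b": ("bcrypt (blowfish)", False),
    "2y": ("bcrypt (blowfish)", False),
    "5": ("sha256-crypt", False),
    "6": ("sha512-crypt", False),
}
PREFIX_RE = re.compile(r"^\$([^$]+)\$")


def classify(hash_field: str) -> tuple[str, bool]:
    """Return (scheme, weak) for one shadow password field."""
    if hash_field == "":
        return ("empty (no password required)", True)
    if hash_field in ("*", "!", "!!") or hash_field.startswith("!"):
        return ("locked/none", False)
    m = PREFIX_RE.match(hash_field)
    if not m:                      # classic 13-char DES crypt has no $id$ prefix
        return ("des-crypt", True)
    return SCHEMES.get(m.group(1), (f"unknown ${m.group(1)}$", True))


def audit_shadow(text: str) -> dict[str, tuple[str, bool]]:
    """Map each account name to its (scheme, weak) classification."""
    report = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            report[fields[0]] = classify(fields[1])
    return report


def weak_accounts(text: str) -> list[str]:
    """Accounts whose stored hash uses a scheme worth migrating off."""
    return sorted(u for u, (_, weak) in audit_shadow(text).items() if weak)
```

Run it against the real file with `audit_shadow(open("/etc/shadow").read())` as root; a password change after switching the PAM/login.defs scheme is what actually re-hashes an account.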

  13. I hope they can get it right by richg74 · · Score: 4, Informative

    I hope that Microsoft can pay more attention to implementing the cryptographic functions correctly than they have at times in the past. Bruce Schneier has a note in his Crypto-Gram newsletter for February 2005 on a flaw in MS's implementation of RC4:

    "One of the most important rules of stream ciphers is to never use the same keystream to encrypt two different documents. If someone does, you can break the encryption by XORing the two ciphertext streams together. The keystream drops out, and you end up with plaintext XORed with plaintext -- and you can easily recover the two plaintexts using letter frequency analysis and other basic techniques.
    ...
    Microsoft uses the RC4 stream cipher in both Word and Excel. And they make this mistake. ..."

    He cites a paper by Hongjun Wu, as well as a report of an earlier (1999) MS crypto vulnerability.
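The keystream-reuse rule quoted above, as an added worked example (not from the original post or from Schneier's article). It implements textbook RC4, encrypts two constructed "documents" under the same key, and checks that XORing the ciphertexts cancels the keystream exactly as the quote says; the last function shows the standard fix, deriving a distinct per-document key from the password and a unique nonce so the keystreams no longer coincide. The key, documents and nonces are constructed values.

```python
import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """Stream cipher: ciphertext = plaintext XOR keystream (same call decrypts)."""
    return xor(data, rc4_keystream(key, len(data)))


def keystream_cancels(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """Under one shared keystream, c1 XOR c2 == p1 XOR p2: the key is gone."""
    return xor(c1, c2) == xor(p1, p2)


def recover_other(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With one document known, the other falls out with no key at all."""
    return xor(xor(c1, c2), known_p1)


def rc4_encrypt_unique(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """The fix: a fresh per-document key (password || unique nonce, hashed),
    so no two documents are ever encrypted with the same keystream."""
    doc_key = hashlib.sha256(key + b"|" + nonce).digest()
    return rc4_encrypt(doc_key, data)


# Constructed sample inputs (not real documents).
KEY = b"document-password"
DOC1 = b"Quarterly revenue rose 12% on strong demand"
DOC2 = b"Board meeting moved to Thursday, room 4B..."
```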