Microsoft Warns Customers Away From RC4 and SHA-1
Trailrunner7 writes "The RC4 and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said it is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm. RC4 is among the older stream cipher suites in use today, and there have been a number of practical attacks against it, including plaintext-recovery attacks. The improvements in computing power have made many of these attacks more feasible for attackers, and so Microsoft is telling developers to drop RC4 from their applications. The company also said that as of January 2016 it will no longer will validate any code signing or root certificate that uses SHA-1."
Why in god's name would a company that backdoored their entire crypto stack to the NSA worry that
some crypto code is weak?
Sig Battery depleted. Reverting to safe mode.
No more RC4? No more SHA1? Next they'll be telling me to patch against WMF exploits.
It's not just the codes used, it's the US-branded OS, file systems, "bugs" and files sent.
Domestic spying is now "Benign Information Gathering"
I remember this one dude was trying to get me to encrypt all my hard drives. But dude, I said, I want to be able to read my hard drives.
Microsoft continues to make use of MD4 for password hashing in the Security Account Management part of the registry. The authors of MD4, RSA, had recommended for a long time switching to MD5 and now recommend using MD6. Other members of the security community also recommend using a stronger hash function, combining a salt string with the password and doing multiple rounds of the hash function. Microsoft has failed to do any of these recommendations.
MS-CHAPv2 also continues to be part of Microsoft's offering as well. Support for this is included in their OS for PPTP, iSCSI and 802.1x (and possibly others). As pointed out in the article, attacking MS-CHAPv2 is now as simple as cracking a single DES key.
It is nice that Microsoft is recognizing some of the advice of the security community and taking steps to phase out SHA-1 and RC4. But I have a hard time applauding Microsoft when this is just the tip of the iceberg of weak hashing functions and protocols in popular use in their software.
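The recommendation in the post above (a salt combined with the password, plus multiple rounds) is worth seeing next to the unsalted single-round scheme it criticises. The following is an added example, not code from the thread or from Microsoft; it uses an unsalted SHA-1 as a stand-in for the SAM-style hash (MD4 is not available in every OpenSSL build, and the weakness shown, no salt and one round, is the same), PBKDF2-HMAC-SHA256 for the salted, iterated form, and a constructed wordlist and iteration count.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for the unsalted, single-round scheme described above.
# Real SAM hashes use MD4 over the UTF-16LE password; SHA-1 is used here only
# because MD4 may be missing from modern OpenSSL builds. The defect is the
# same: identical passwords give identical hashes and a table lookup finds them.
def unsalted_hash(password: str) -> bytes:
    return hashlib.sha1(password.encode("utf-16-le")).digest()

# Assumed work factor; a deployment would tune this to its hardware.
ITERATIONS = 200_000

def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash: a fresh 16-byte salt per user plus PBKDF2 rounds."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)

def lookup_unsalted(target: bytes, wordlist) -> Optional[str]:
    """Why no salt is a problem: one precomputed table answers for every user."""
    table = {unsalted_hash(word): word for word in wordlist}
    return table.get(target)

if __name__ == "__main__":
    # Constructed sample data: two users who chose the same password.
    wordlist = ["password", "letmein", "hunter2", "qwerty"]
    h_alice = unsalted_hash("hunter2")
    h_bob = unsalted_hash("hunter2")
    print("unsalted hashes identical:", h_alice == h_bob)
    print("table lookup recovers:", lookup_unsalted(h_alice, wordlist))

    salt_a, d_a = salted_hash("hunter2")
    salt_b, d_b = salted_hash("hunter2")
    print("salted digests identical:", d_a == d_b)
    print("verify correct password:", verify("hunter2", salt_a, d_a))
    print("verify wrong password:", verify("hunter3", salt_a, d_a))
```

Running it shows the two unsalted hashes matching and being recovered by a four-word table, while the two salted digests differ and only the stored salt lets the correct password verify.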
last thing they want is you to repudiate the evidence against you
Because the NSA doesn't like when someone else can get your files.
It slows them down.
I invented a new data encryption program called P.H.B. which stands for Pointy-Haired Boss.
It is quite obvious that people are lazy, and will not upgrade no matter what Microsoft says. We need a transparent solution that works in situ without any software upgrades, and so low-key that no one will even suspect the message is encrypted!
I am talking, of course, of Double ROT-13.
... what do we replace all our database password hash columns with now?
Because although they gave it the NSA, they still don't want the Chinese government to compromise it?
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Because... the NSA pays MS for backdoors, whereas the Russians don't?
Because... the NSA tries to stay under the radar, whereas other malware often doesn't? (ex. adware, bot-nets. Thus damaging the MS "experience".)
Because... the NSA wants to know your secrets, whereas scammers want to use your secrets? (ex. Credit card payments. Further damaging the MS "experience".)
Just a few thoughts.
Why in god's name would a company that backdoored their entire crypto stack to the NSA worry that
some crypto code is weak?
I dunno...
Why in god's name would you worry that...
your comment might not fit on readers' monitors?
"12:15 — press Return."
WTF did you just [try to] say?
There's trolling, and then there's trolling on drugs that only got invented last week. Damn dude, whatever that new stuff is, it's no good for you.
Write failed: Broken pipe
Mod parent up please, because it is the truth, whether you like it or not.
Plenty of time between now and January 2016 when MS will reject the use of SHA1. I understand that large corporations move slowly, but we have known about SHA1 shortcomings for a while now. I would like to read more about what products are affected, possible attacks in product contexts, and reasons for the long window until retirement! Even Windows 7 mainstream support will end in 2015!
Why in god's name would a company that backdoored their entire crypto stack to the NSA worry that some crypto code is weak?
Because they now have a better back door that needs to become the default.
Evidence?
Why? Because the attacks on RC4 are becoming feasible for ordinary well-organized criminals, and there might be other agencies aside from the NSA who might try brute-forcing SHA1.
The NSA is mainly a danger for business outside the US - and perhaps for Megaupload-like companies within the US for which some state prosecutor could imagine and construct some criminal copyright infringement case, although it seems that the NSA doesn't habitually help out the FBI.
I can understand RC4.
I can understand MD5.
But SHA1? Right now, according to Wikipedia, a full collision attack requires something like $2.77M of computing power on the cloud...
maybe less if you have your own supercomputer, but even at $1M it sounds like a lot...
So why warn away from SHA1 NOW? What are we going to use? MD5? MD4? Remember that while Keccak was chosen as the SHA3, they still have to release the complete details on how it must be implemented -- number of rounds and such -- so SHA3 *NOW* is not an option.
I'll start taking Microsoft seriously on this once they phase out MD4, RC4, MD5 from their existing standards and products.
"I was gratified to be able to answer promptly, and I did. I said I didn't know." -- Mark Twain
Why does the NSA want to know my secrets if they are not going to use it?
They're data-hoarders, and well they probably want to have all of the data "just in case" it becomes useful. *cough cough* Blackmail. And that's not getting into their deranged belief that they need the largest haystack possible.
Well, if he was trying to say...
Consider that right percent of the *BSD Be 'very poorly name on the jar of Propaganda and the future o7 the or make loud noises consider w#orthwhile
...he succeeded.
[clickety-clickety]
There you go. Plenty of evidence. Oh, you want to SEE the evidence? Well, there's this thing called FISA, that says you aren't allowed to. Because, well TERRORISM.
Fnord.
You, over there: Papers, please.
Perscriptio in manibus tabellariorum est.
We have a real problem where the PCI scanning vendors are so freaked out about BEAST attacks (where client hardening is the correct solution) that the only cipher they'll accept (server side) that's FIPS compliant and BEAST resistant is RC4.
What they should be doing instead is scoring people down for not doing ephemeral key exchange, scoring people down for not using TLS 1.2 and stop freaking out about CBC on the server side when getting rid of it is not even a thorough solution (fear of CBC is overblown, especially when compared to post-Snowden risks).
If you look at your ciphers, even if you're negotiating ephemeral ECC with Google, you're then using RC4 as your stream cipher. RC4 isn't _so_ horrible that this is a major risk, but it's a theoretical one and it might fall eventually. Ephemeral key exchange is there to prevent against future attacks on captured streams, so RC4 may not be the best pairing for that.
So, perhaps Microsoft is doing a good thing here and putting its weight behind some pressure to move past RC4.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
The only evidence we seem to get these days is from leaks.
All other relevant FOIA requests are stone-walled.
They don't admit to helping the FBI. Look up 'parallel construction.'
SHA-2, more specifically its SHA256 ^2 variant, is not only used to secure messages in HMAC, but also in bitcoin for validating blocks (adding pages into the common distributed ledger), and thus also in bitcoin mining.
Given the current massive craze in bitcoin, there's been massive development around SHA256.
If SHA256 was cracked, somebody would be laughing on the way to the bank, after having mined most of the coin.
That didn't happen (current bitcoin production is still spread among the most popular mining pools; there's no single individual significantly faster than everybody else), and that's a good sign that SHA-2 won't be cracked in the near future despite how many resources the NSA, FSB and Co. put at it.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Git is a great system, but it relies on SHA1. If SHA1 has feasible attacks, is git going to stay on SHA1 or will it move to something more secure? Can it even do so without breaking compatibility?
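The compatibility question above comes down to how git forms object ids: every object id is the hash of a type header plus the content, and trees and commits embed the ids of the objects they point to. The block below is an added example, not git's own code; it reproduces the object-id construction in Python and shows that swapping the hash function changes every id in the chain, which is why a migration cannot be a local change. The file name, author line and message are constructed.

```python
import hashlib

def git_object_id(obj_type: str, content: bytes, algo: str = "sha1") -> str:
    """Git object id: hash("<type> <size>\\0" + content), hex-encoded."""
    header = f"{obj_type} {len(content)}\0".encode("ascii")
    return hashlib.new(algo, header + content).hexdigest()

def tree_content(entries, algo: str = "sha1") -> bytes:
    """Tree object body: one '<mode> <name>\\0<raw id>' record per entry."""
    out = b""
    for mode, name, oid_hex in entries:
        out += f"{mode} {name}\0".encode("utf-8") + bytes.fromhex(oid_hex)
    return out

def commit_content(tree_id: str, message: str, author: str) -> bytes:
    """Minimal root commit body; a parent line would embed yet another id."""
    return (
        f"tree {tree_id}\n"
        f"author {author}\n"
        f"committer {author}\n"
        f"\n{message}\n"
    ).encode("utf-8")

def object_chain(blob: bytes, algo: str = "sha1") -> dict:
    """Blob -> tree -> commit under one hash algorithm; each id depends on the previous."""
    blob_id = git_object_id("blob", blob, algo)
    tree_id = git_object_id("tree", tree_content([("100644", "hello.txt", blob_id)], algo), algo)
    author = "Example User <user@example.invalid> 1384300800 +0000"  # constructed
    commit_id = git_object_id("commit", commit_content(tree_id, "initial", author), algo)
    return {"blob": blob_id, "tree": tree_id, "commit": commit_id}

if __name__ == "__main__":
    sha1_chain = object_chain(b"hello\n", "sha1")
    sha256_chain = object_chain(b"hello\n", "sha256")
    for kind in ("blob", "tree", "commit"):
        print(f"{kind:6} sha1={sha1_chain[kind]}  sha256={sha256_chain[kind]}")
```

The blob id for the content `hello\n` matches what `git hash-object` prints (`ce013625030ba8dba906f756967f9e9ca394464a`); the sha256 column shows that not a single id survives the algorithm change, because each object hashes the raw id bytes of the one below it.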
Dangerous, sexy, turing complete: Femme Bots
RC4 is NOT FIPS compliant. Never has been. RSA has never published a spec for RC4. The code just showed up one day on a mailing list from an anonymous source.
There's been one of these attached to a number of articles lately. This one didn't include the word "gay" for some reason though...
Lately MS is damaging the "MS experience" WAY more than any hacker could do.
They no longer deny helping the FBI, DEA, ATF, and county sheriffs.
Sig Battery depleted. Reverting to safe mode.
Because Microsoft doesn't deliberately open back doors for free.
"This is weak against one party, why not keep it weak against ALL parties?"
Perfectly sound logic.
[for BEAST] client hardening is the correct solution
Indeed. TLSv1.1 is not vulnerable, and most browsers that are still limited to TLSv1.0 are able to use the 1/n-1 split workaround to BEAST (notable exception is Safari on MacOS up to X.8). The right approach would be to detect TLSv1.0 clients that do not use 1/n-1 split and deny them access before they exchange anything sensible.
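The detection the post proposes, telling apart TLS 1.0 clients that apply the 1/n-1 split from those that do not, can be done from record headers alone: the split sends a first application-data record carrying one plaintext byte, which under a CBC suite with an HMAC-SHA1 MAC pads out to a 32-byte ciphertext, immediately followed by the rest. The block below is an added example, not code from the thread; it parses a captured TLS record stream, classifies the client, and is exercised on three constructed streams. The length heuristic assumes a 16-byte block cipher and a 20-byte MAC, and a real deployment would run this inside the TLS terminator before any application data is released.

```python
import struct

APPLICATION_DATA = 0x17
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303

def parse_records(stream: bytes):
    """Split a TLS byte stream into (content_type, version, length) record headers."""
    records = []
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        if offset + 5 + length > len(stream):
            raise ValueError("truncated record")
        records.append((ctype, version, length))
        offset += 5 + length
    if offset != len(stream):
        raise ValueError("trailing bytes after last record")
    return records

def one_byte_record_len(block_size: int = 16, mac_len: int = 20) -> int:
    """Ciphertext size of a 1-byte plaintext under TLS 1.0 CBC: 1 + MAC, padded to a block."""
    return ((1 + mac_len) // block_size + 1) * block_size

def classify_client(stream: bytes, block_size: int = 16, mac_len: int = 20) -> str:
    """Decide whether the client's first application data shows the 1/n-1 split."""
    app = [r for r in parse_records(stream) if r[0] == APPLICATION_DATA]
    if not app:
        return "no application data"
    version = app[0][1]
    if version >= TLS11:
        return "tls1.1+ (per-record IV, not BEAST-exposed)"
    split_len = one_byte_record_len(block_size, mac_len)
    if len(app) >= 2 and app[0][2] == split_len:
        return "tls1.0 with 1/n-1 split"
    return "tls1.0 without 1/n-1 split (deny before sensitive data)"

def record(ctype: int, version: int, length: int) -> bytes:
    """Constructed record with a zero-filled body; only the header matters here."""
    return struct.pack("!BHH", ctype, version, length) + b"\x00" * length

# Constructed sample captures (not real traffic): the first app-data records
# of three clients after their handshakes.
SPLITTING_CLIENT = record(APPLICATION_DATA, TLS10, 32) + record(APPLICATION_DATA, TLS10, 1056)
NAIVE_CLIENT = record(APPLICATION_DATA, TLS10, 1088)
MODERN_CLIENT = record(APPLICATION_DATA, TLS12, 1104)

if __name__ == "__main__":
    for name, stream in [("splitting", SPLITTING_CLIENT),
                         ("naive", NAIVE_CLIENT),
                         ("modern", MODERN_CLIENT)]:
        print(f"{name:9} -> {classify_client(stream)}")
```

The heuristic is intentionally conservative: a TLS 1.1 or 1.2 client is passed without inspection, and only a TLS 1.0 client whose opening record cannot have carried more than one byte counts as split.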