Microsoft Warns Customers Away From RC4 and SHA-1
Trailrunner7 writes "The RC4 and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said it is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm. RC4 is among the older stream cipher suites in use today, and there have been a number of practical attacks against it, including plaintext-recovery attacks. The improvements in computing power have made many of these attacks more feasible for attackers, and so Microsoft is telling developers to drop RC4 from their applications. The company also said that as of January 2016 it will no longer validate any code signing or root certificate that uses SHA-1."
Why in God's name would a company that backdoored their entire crypto stack to the NSA worry that some crypto code is weak?
-- Battery depleted. Reverting to safe mode.
Microsoft continues to make use of MD4 for password hashing in the Security Account Management part of the registry. The authors of MD4, RSA, had recommended for a long time switching to MD5 and now recommend using MD6. Other members of the security community also recommend using a stronger hash function, combining a salt string with the password and doing multiple rounds of the hash function. Microsoft has failed to follow any of these recommendations.
MS-CHAPv2 also continues to be part of Microsoft's offering as well. Support for this is included in their OS for PPTP, iSCSI and 802.1x (and possibly others). As pointed out in the article, attacking MS-CHAPv2 is now as simple as cracking a single DES key.
It is nice that Microsoft is recognizing some of the advice of the security community and taking steps to phase out SHA-1 and RC4. But I have a hard time applauding Microsoft when this is just the tip of the iceberg of weak hashing functions and protocols in popular use in their software.
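To make the password-storage point above concrete, here is an added example (not code from the thread or from Microsoft) contrasting an unsalted single-round hash with the salted, iterated scheme the comment recommends. SHA-1 stands in for MD4, which most hashlib builds no longer ship; the round count, sample users and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample accounts; alice and bob happen to share a password.
SAMPLE_USERS = {"alice": "Winter2013!", "bob": "Winter2013!", "carol": "correct horse"}

# Assumed work factor for the salted scheme (tune to your hardware budget).
PBKDF2_ROUNDS = 200_000


def weak_hash(password: str) -> bytes:
    """One unsalted round over the UTF-16LE password: the structure the
    comment objects to. SHA-1 stands in for MD4; the weakness is the same."""
    return hashlib.sha1(password.encode("utf-16-le")).digest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus many PBKDF2-HMAC-SHA256 rounds.
    Returns (salt, digest); the salt is stored next to the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_strong(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(strong_hash(password, salt)[1], digest)


def shared_password_groups(stored: Dict[str, bytes]) -> List[Set[str]]:
    """Group users whose stored digests are byte-identical.

    With an unsalted scheme, identical digests reveal identical passwords
    without cracking anything, and one precomputed table covers every
    user. With per-user salts every group collapses to a single user."""
    by_digest: Dict[bytes, Set[str]] = {}
    for user, digest in stored.items():
        by_digest.setdefault(digest, set()).add(user)
    return [group for group in by_digest.values() if len(group) > 1]


if __name__ == "__main__":
    weak = {u: weak_hash(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: strong_hash(p)[1] for u, p in SAMPLE_USERS.items()}
    print("unsalted: shared groups", shared_password_groups(weak))
    print("salted:   shared groups", shared_password_groups(strong))
```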
Because... the NSA pays MS for backdoors, whereas the Russians don't?
Because... the NSA tries to stay under the radar, whereas other malware often doesn't? (ex. adware, bot-nets. Thus damaging the MS "experience".)
Because... the NSA wants to know your secrets, whereas scammers want to use your secrets? (ex. Credit card payments. Further damaging the MS "experience".)
Just a few thoughts.
MD5 is broken, SHA1 has been weakened slightly but it isn't broken.
The term broken is only used when it is trivial to crack and/or forge.
No more RC4? No more SHA1? Next they'll be telling me to patch against WMF exploits.
Thank God we can still depend on ActiveX!
#DeleteChrome
I can understand RC4.
I can understand MD5.
But SHA1? Right now, according to Wikipedia, a full collision attack requires something like $2.77M of computing power on the cloud...
maybe less if you have your own supercomputer, but even at $1M it sounds like a lot...
So why warn away from SHA1 NOW? What are we going to use? MD5? MD4? Remember that while Keccak was chosen as SHA3, they still have to release the complete details on how it must be implemented -- number of rounds and such -- so SHA3 *NOW* is not an option.
I'll start taking Microsoft seriously on this once they phase out MD4, RC4, MD5 from their existing standards and products.
"I was gratified to be able to answer promptly, and I did. I said I didn't know." -- Mark Twain
Just plain wrong.
In the field of cryptography, the term "broken" is used whenever the work factor to crack is less than that of a brute force attack. Stevens' 2^61 collision attack against SHA1 means that SHA1 is broken.
Also FatPhil on SoylentNews, id 863