
Zimmermann Enters Debate on Microsoft Encryption

Golygydd Max writes "I didn't see much coverage of the RC4 flaw in Microsoft Office that was uncovered recently by a researcher, Hongjun Wu. Now, PGP creator Phil Zimmermann, dissatisfied with Microsoft's response, has joined in the debate. In an interview with Techworld he castigates Microsoft for their inadequate response: 'The lay user ought to be entitled to assume that the encryption produced by Microsoft is adequate. ... If Microsoft wants to earn the respect of the cryptographic community and the public it must rise to the occasion by producing competent security.' The cynic might ask, 'what respect', but should Microsoft have taken a flaw in some of its most popular programs more seriously?"
  • by bigtallmofo ( 695287 ) on Thursday January 27, 2005 @10:30AM (#11491714)
    I especially dislike their Encrypted File System (EFS). One of its highlights is that the first administrator account set up in a domain is designated an "Encrypted Data Recovery Agent". What does this mean? If you use your domain login at work to encrypt your data, the administrator has immediate ability to decrypt it anytime they want.

    How is this done? Every file that is written to an encrypted folder by User A has a private encryption key generated for it. That private encryption key is then encrypted with User A's public key and every designated Encrypted Data Recovery Agent's public key. Then either User A or any such recovery agent's private key can then decrypt the file.

    Of course, MS just lets lay users assume their "encrypted" files are private.
  • Article mirror (Score:3, Informative)

    by Anonymous Coward on Thursday January 27, 2005 @10:35AM (#11491768)
    Crypto expert: Microsoft flaw is serious

    Microsoft should sort flaw and abandon RC4 in favour of better ciphers, says PGP creator.

    By John E. Dunn, Techworld

    Cryptography expert Phil Zimmermann has said he believes the flaw discovered in Microsoft's Word and Excel encryption is serious and warrants immediate attention.

    "I think this is a serious flaw - it is highly exploitable. It is not a theoretical attack," said Zimmermann, referring to a flaw in Microsoft's use of RC4 document encryption unearthed recently by a researcher in Singapore.

    "The lay user ought to be entitled to assume that the encryption produced by Microsoft is adequate. [...] If Microsoft wants to earn the respect of the cryptographic community and the public it must rise to the occasion by producing competent security."

    Microsoft has been dismissive of the seriousness of the flaw, which relates to the way it has implemented the RC4 encryption stream cipher. As explained by Hongjun Wu of the Institute of Infocomm Research, it would allow anyone able to gain access to two or more versions of the same password and encrypted document to reverse engineer the scheme used to make it secure.

    "Stream ciphers have to be used most carefully. Any failure to do this will result in a disastrous loss of security," Zimmermann said. "Even with a properly chosen initialisation vector, you have to run it for a while before the quality of the stream cipher is good enough to use." Contrary to Microsoft's claims that the issue was a "very low threat", he countered that gaining access to a document would not present problems for a determined hacker. "There are tools one can use to cryptanalyse messages in this way."

    Even if the flaw was fixed, in his view a more fundamental problem was Microsoft's use of RC4, licensed from RSA Security.

    "Why does Microsoft continue to use RC4 in this day and age? It has other security flaws that have been published in other papers," adding that "RC4 is a proprietary cipher and has not stood up well to peer review. They should just stop using RC4. It would be better to switch to a block cipher."

    When contacted, Microsoft was unable to commit to a timescale for correcting the flaw but issued the following statement by way of a spokesperson: "Microsoft is still investigating this report of a possible vulnerability in Microsoft Office. When that investigation is complete, we will take the appropriate actions to protect customers. This may include providing a security update through our monthly release process."

    Zimmermann, meanwhile, emphasised the need for responsible disclosure of such problems. "The best way is to quietly disclose the problem to the vendor and then allow the vendor 30 days to fix the problem. Then go public," he said.

    Phil Zimmermann is best-known as the creator of Pretty Good Privacy (PGP), a desktop encryption program that was powerful enough that the US authorities attempted to have its distribution stopped and Zimmermann imprisoned for writing it. The case was abandoned in 1996. PGP was bought out by Network Associates, though an independent company, PGP Corporation, has since been spun out to develop its core technology.

  • by Anonymous Coward on Thursday January 27, 2005 @10:38AM (#11491800)
    You're using a company computer on a company network. If you want to have private files, use your own computer on your own network.

    The reason it's implemented like this is that this is how companies want it to work. No one would want an encryption system which would leave potentially important company documents encrypted without any way of getting at them should the person be unavailable (holiday, sickness, died etc.)
  • Good enough (Score:3, Informative)

    by Ec|ipse ( 52 ) on Thursday January 27, 2005 @10:44AM (#11491850)
    Well, seeing as how the majority of the world is using their software, they probably think it's obviously good enough, otherwise it wouldn't be used.

    Total bull, but that's why they haven't changed anything in IE for so many years.
  • by DickBreath ( 207180 ) on Thursday January 27, 2005 @11:05AM (#11492049) Homepage
    I see all the posts about how Microsoft encryption is a joke, etc.

    Could it be that the poor encryption security was actually on purpose?

    After all, they were using RC4. It should be secure right? (sarcasm) Isn't the problem simply that they re-used a key stream, or something like that? Something that is a basic design "blunder", but could really have been done on purpose. This might make it easy for certain parties to crack, but it might still seem secure. All of the code is properly implemented. The RC4 algorithm is properly implemented, gives correct outputs for known inputs, etc. The flaw is in how the algorithm is improperly used. Something that could be missed by anyone disassembling the code.

    I'll leave it for someone else to reply here and speculate on the reasons that such a "blunder" might actually be deliberate. (I've got a malfunction in one of the antennas of my tin foil hat. I use the dual-antenna design of tin foil hats.)
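
The keystream reuse mentioned in the comment above and in the mirrored article, as an added example that is not part of the original thread: a correct RC4 still leaks when two revisions are encrypted under the same key and IV, and a fresh random IV per save removes the leak. The `save_key` derivation, the password and both document revisions are constructed for illustration and are not Office's actual scheme.

```python
import hashlib
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def save_key(password: bytes, iv: bytes) -> bytes:
    # Hypothetical per-save key derivation, for this demonstration only.
    return hashlib.sha256(iv + password).digest()[:16]


# Constructed sample data: two revisions of one document, same password.
PASSWORD = b"correct horse"
REV1 = b"Q3 forecast: revenue flat, no layoffs."
REV2 = b"Q3 forecast: revenue down, 40 layoffs."


def ciphertext_xor(iv1: bytes, iv2: bytes) -> bytes:
    """XOR of the two stored ciphertexts, computable without the password."""
    c1 = rc4(save_key(PASSWORD, iv1), REV1)
    c2 = rc4(save_key(PASSWORD, iv2), REV2)
    return xor(c1, c2)


def reused_iv_leak() -> bytes:
    iv = bytes(16)                      # same IV kept across both saves
    return ciphertext_xor(iv, iv)       # keystream cancels: REV1 XOR REV2


def fresh_iv_leak() -> bytes:
    return ciphertext_xor(os.urandom(16), os.urandom(16))  # new IV per save
```

With the IV reused, zero bytes in the result mark exactly where the two revisions agree, and anyone who knows one revision recovers the other by a single XOR.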
  • by Laurentiu ( 830504 ) on Thursday January 27, 2005 @11:08AM (#11492078)
    *grin* [decode.org]
  • by Anonymous Coward on Thursday January 27, 2005 @11:24AM (#11492249)
    Wasn't RC4 closed source until the source leaked out on the web
    The algorithm was one of RSA's trade secrets. It wasn't the source that was leaked but a description of the algorithm. Consequently, third-parties implemented the algorithm and there was nothing RSA could do about it -- it wasn't patented, RSA preferring the trade secret route, and copyright didn't apply because you can't copyright algorithms.
    which were patched, and it was a better algorithm for being "open sourced", albeit against its will.
    It wasn't improved as far as I know, but the algorithm is sometimes known as arcfour. This is because RC4 is trademarked. Perhaps you were thinking of this.

    Also, it is a little misleading to say it was "open sourced" against its will. Firstly, because it wasn't "open sourced" in the strictest sense but more importantly, RC4 is just an algorithm with many different implementations and an algorithmic description is information. And as we all know, information wants to be freeee.
  • by AnonymousDot ( 517935 ) on Thursday January 27, 2005 @11:48AM (#11492486) Homepage
    • 3) Built in Windows encryption isn't good enough, forcing you to get third party products to do the job right. This means that you pay through the nose if you haven't got the technical skill to set up a Linux or BSD box running free encryption modules and samba.

    Have you had a look at this: TrueCrypt: Free open-source disk encryption for Windows XP/2000/2003 [sourceforge.net]

  • Re:copyright (Score:3, Informative)

    by ajs318 ( 655362 ) <sd_resp2@@@earthshod...co...uk> on Thursday January 27, 2005 @11:51AM (#11492544)
    Any encryption algorithm is susceptible to brute force. However, the fewer times the key is repeated in the message, the more indeterminate variables. In the limiting case, where the message is shorter than the key, you have effectively a one-time pad and every guessed plaintext is equally valid. For example, the plaintext phrase
    DEFENDTHEBRIDGEATNOON
    might encrypt as
    PVTJRBUTYMYUQAZVCAHNU
    but can also decipher, equally plausibly, as
    ATTACKTHEHILLATSUNSET
    or even
    MYDAUGHTERHASTHEPILES
    Additionally, any kind of symmetric encryption must be considered weak; because if you can recover the encryption key somehow, you have the decryption key.
  • by Rich0 ( 548339 ) on Thursday January 27, 2005 @12:51PM (#11493422) Homepage
    Well, it isn't reversible encryption - they are hashed. However, the NTLM hash function is easy to brute-force.

    NTLM hashes should not be stored on any system where security is even remotely important, for this reason. The newer hash function is secure (assuming the password can't be guessed).
  • by spectecjr ( 31235 ) on Thursday January 27, 2005 @02:04PM (#11494304) Homepage
    If they're only replacing strcpy with strncpy, they're not actually fixing the problem.

    They didn't. The original poster was lying.

    Instead, they completely rewrote the C library functions in much safer versions, sidestepping that problem entirely.

    MS is well aware of the problems with strncpy. Read their blogs some time.

    the Microsoft StrSafe library [microsoft.com]
  • Schneier on RC4 Flaw (Score:2, Informative)

    by Pan T. Hose ( 707794 ) on Thursday January 27, 2005 @02:05PM (#11494328) Homepage Journal
    If you want to read about more technical details and social implications of the RC4 flaw, I highly recommend starting from Bruce Schneier on Security: Microsoft RC4 Flaw [schneier.com] (January 18, 2005). There are a lot of informative links and interesting comments there.
  • Linux encryptions (Score:3, Informative)

    by tetromino ( 807969 ) on Thursday January 27, 2005 @05:21PM (#11496659)
    1) That password you give your administrator account on your system can be hacked off in under 5 minutes with the Emergency Boot CD EBCD . So much for encryption.

    That doesn't have anything to do with encryption. Anytime you have physical access to a computer all bets are off as far as security.


    The grandparent was saying that in Windows, it is easy to recover the Administrator's password. This is bad because you can log in without a recovery CD, and the Administrator won't notice (his password will still be the same). In Linux, obtaining the root password is not so easy by default (because shadow uses a DES+salt hash by default) and nearly impossible if you set it up properly (if you use MD5 hash, which is the default for SuSE - don't know about other distros).

    Linux encrypted filesystems I know almost nothing about, but I've also never seen a distribution that supports it out of the box.

    As far as I am aware, every modern Linux distro supports encrypted filesystems out of the box (filesystems, not files - so the enemy can't even see your directory structure). Google for cryptoloop, and try it on your box... I personally use it for encrypting my swap partition.
