Zimmermann Enters Debate on Microsoft Encryption
Golygydd Max writes "I didn't see much coverage of the RC4 flaw in Microsoft Office that was uncovered recently by a researcher, Hongjun Wu. Now, PGP creator Phil Zimmermann, dissatisfied with Microsoft's response, has joined in the debate. In an interview with Techworld he castigates Microsoft for their inadequate response: 'The lay user ought to be entitled to assume that the encryption produced by Microsoft is adequate. ... If Microsoft wants to earn the respect of the cryptographic community and the public it must rise to the occasion by producing competent security.' The cynic might ask, 'what respect', but should Microsoft have taken a flaw in some of its most popular programs more seriously?"
First rule of Microsoft encryption (Score:4, Insightful)
copyright (Score:4, Insightful)
Re:copyright (Score:1, Insightful)
In 150 years time I assume we'll have a LOT more processing power at our hands.
Re:MS Encryption is a joke (Score:5, Insightful)
For corporations (the target market for EFS), it means that if someone is fired, quits, dies, etc. then their data is not lost forever.
Re:MS Encryption is a joke (Score:2, Insightful)
Re:copyright (Score:3, Insightful)
>>How else are we supposed to get access to all these works in 150
>>years time (or 50 in some countries) when the copyright expires on them.
>Uhhh... Public... Domain?
If the encryption were unbreakable and the keys lost, it would not be a lot of use
Re:copyright (Score:5, Insightful)
Why it is "low priority" (Score:5, Insightful)
Who uses word to protect anything? (Score:4, Insightful)
I guess what it comes down to is expectations of security. It should be obvious to not use Word to protect national secrets. Secret love letters to your mistress are still probably safe from your wife though (unless she happens to be a crypto-expert). In that case it's probably easier to just use a keylogger, or install a trojan horse.
Indeed: what respect? (Score:4, Insightful)
Re:MS Encryption is a joke (Score:5, Insightful)
Such as, exactly?
"A spiteful (ex)-employee could easily encrypt and forever destroy sensitive data that is irreplaceable."
Or they could just del *.*. Or format c:. Or burn down the building.
This whole 'spiteful employee' argument is nonsense. The only reasons to have a 'key recovery agent' are to recover passwords for clueless employees and to spy on slightly more clued employees.
Re:Why it is "low priority" (Score:5, Insightful)
This "there is no program to exploit it, so this security issue is not important"-type of attitude is extremely dangerous. The slogan is to act, not to react, especially with security issues. And Microsoft actually should have learned from their part of history...
Users don't want strong MS Office encryption (Score:5, Insightful)
Sun Microsystems released Star Office, and a bunch of open source wonks built OpenOffice, with better track records. Yet US government offices shun them in favour of Microsoft Office.
I'm not sure why they do, especially an omniscient body like the US government who knows these things exist. It must be because they don't want to use them.
And everyday users? Well, users could have taken e-mail content security into their own hands over a decade ago when PGP was out, or eight years ago when PGP for the Exchange client came out. But NO, they didn't want to use it. They could have used S/MIME which was slightly easier to use, but NO, they didn't want to use it.
Users don't care enough to demand strong encryption in their applications. And Microsoft is in business to make money. They aren't going to waste time making a product that no one will buy. And YOU, slashdotters, aren't going to convince users to buy an alternative through fear, uncertainty and doubt.
Re:Encryption easily broken (Score:5, Insightful)
1) That password you give your administrator account on your system can be hacked off in under 5 minutes with the Emergency Boot CD (EBCD). So much for encryption.
That doesn't have anything to do with encryption. Anytime you have physical access to a computer all bets are off as far as security. You can do the exact same thing in linux, and most of the time you don't even need a CD. Just add a 1 to the kernel boot options and boot into single user mode. No password required, immediate root access. Sure, you can put a password on changing those bootloader options, but just slap in a linux emergency boot CD, and suddenly you have root access to all files.
Linux encrypted filesystems I know almost nothing about, but I've also never seen a distribution that supports it out of the box. There's probably one out there, but it's not a mainstream linux feature.
ARRG (Score:2, Insightful)
USE A FUCKING MAC!!! [message authentication code]
cipher == privacy
mac == authentication
Stupid fucking reporting...
Tom
What's left to say? (Score:4, Insightful)
Maybe everyone is just burned out and tired of the topic. We all know that the state of PCs in the world today is a vast, pathetic farce of biblical proportions thanks to MS. What's left to say about it? Windows is a shitpile, but people keep gobbling it up. Just like they gobble up all the other sludge in our culture. Nothing unusual to be seen here. Move along.
Re:MS Encryption is a joke (Score:2, Insightful)
I'm sorry, but if I'm on my death bed and I am not senile, then there is a reason why I have not decrypted my files - because I don't want them opened.
If you're putting personal encrypted material on your employer's computer, then you are already senile.
Re:copyright (Score:2, Insightful)
I bet there was a time when there was a powerful horse breeders lobby.
Re:MS Encryption is a joke (Score:4, Insightful)
Re:copyright (Score:2, Insightful)
What you were trying to say is that it's improbable, not impossible, that you'll be able to break 128-bit encryption anytime soon. You just have to try long enough, but who wants to wait a century to brute-force a single key?
Of course, the attacker could be lucky, and the very first key he tries is the right one.
Quantum computing does stand to make 128-bit encryption useless, though. Some of the very first algorithms written for quantum computers are directly applicable to cracking commonly used ciphers (for instance, factoring huge numbers, or very, very quickly searching through a list).
Re:Employ Mr. Zimmerman (Score:1, Insightful)
It's worth mentioning that any documents that are actually worth protecting should by default not rely on Microsoft's (lack of) security, as it is a known trend that Microsoft fails time and time again to provide adequate security.
I think that this is a key point. Before faulting Microsoft for using "weak" encryption one has to ask "What was the intent for providing encryption capabilities in Office?" Was the intent to keep the casual user from viewing encrypted documents? Or was it to be of sufficient strength to prevent the NSA from breaking it? From what I've read about this flaw the encryption appears adequate to protect the documents from all but a determined hacker. If Microsoft's intent was to keep the casual person from viewing an encrypted document then this really isn't a flaw.
When you own the playing field (Score:3, Insightful)
Re:copyright (Score:3, Insightful)
The basic concept is to take a completely random stream of characters (numbers, bits, whatever). You record these random characters to a pad, and distribute this pad to everyone who needs to send and decrypt messages.
When you want to send a message, you XOR your message with the random characters. The result is a completely random string of characters. To decrypt, you XOR the encrypted message with the same random characters that were used to encrypt the message.
Since you are combining a message with random data, it's unbreakable.
For instance, you get a string of random characters and try to decrypt it:
#*YRHOIHSDF&VP
What does it decrypt to?
ATTACK AT DAWN
SURRENDER NOW.
GO FOR THE GUN
I LOVE SWEETS!
PAY ME $10,000
CMDRTACO SUCKS
NO HE DOESN'T!
Which message is it? You can't tell, because you can't tell which random letters I used to transform my message.
However, you can't reuse any of the pads, else the message is crackable. You must have a very high quality source of random characters. You must securely distribute the one time pad to everyone who could need to communicate. You must ensure everyone stays synchronized. There's a bunch of problems with one-time pads, which is why it's not more commonly used.
Re:MS Encryption is a joke (Score:5, Insightful)
While I agree that the 'spiteful employee' argument is largely bunk, the 'employee who quit, got fired, or otherwise left unexpectedly' argument is not.
e.g. I am a sysadmin, and I store all the incident reports on a Win2k3 EFS box, encrypted to my key. These incident reports are important to whomever is doing my job -- no one needs to see them unless I leave unexpectedly. If I get trampled by a herd of malicious gnus on the way to work, the top-level admins will need access to my data, as will whoever replaces me.
There are two solutions to that -- share my key or use the EFS recoverable key system. Guess which I'd rather do?
Re:Encryption easily broken (Score:1, Insightful)
Slashdot has even linked to a couple of programs that can decrypt a Windows password based on pregenerated hash tables in as short as seconds.
Re:Employ Mr. Zimmerman (Score:1, Insightful)
It's a big, stupid, ugly bug (Score:4, Insightful)
There is a lot of speculation here that Microsoft put in this encryption bug on purpose. That's giving them too much credit on this one. I just read the paper about the weakness. They are essentially reusing the same keystream more than once. That's an amateur level bug that is discussed in any crypto book that talks about stream ciphers. Look in the book Applied Cryptography by Bruce Schneier in the section on cryptographic modes. He talks about this directly. This is not a minor threat. It's a gaping hole since a simple XOR of two versions of the document gives you a lot of information.
The bigger question is why Microsoft used a stream cipher for this. As Zimmermann mentions, they are more difficult to use correctly. Although some weaknesses in RC4 have been found, it is still possible to use it in a strong manner. You just have to be careful. It would have been better to use a good block cipher (AES, Triple DES, Blowfish, etc) and a simple mode like CBC. It's easy to code and still plenty strong if you reuse the same initialization vector. Even better would have been a newer mode like CCM.
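The keystream reuse described in the comment above, and the pad-reuse caveat in the earlier one-time pad comment, shown as an added example that is not part of the thread and is not Microsoft's code. RC4 here is the textbook algorithm; the key derivation in `encrypt_save` (SHA-256 over salt and password), the two sample documents and the password are assumptions constructed for illustration.

```python
import hashlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling (KSA), then n bytes of output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_save(password: bytes, salt: bytes, plaintext: bytes) -> bytes:
    # Hypothetical key derivation for this sketch: one RC4 key per (password, salt).
    key = hashlib.sha256(salt + password).digest()
    return xor(plaintext, rc4_keystream(key, len(plaintext)))

def changed_offsets(c1: bytes, c2: bytes) -> list:
    """Offsets where two ciphertexts differ. Under keystream reuse these are
    exactly the offsets where the two plaintexts differ."""
    return [i for i, (x, y) in enumerate(zip(c1, c2)) if x != y]

# Constructed sample: two saved versions of one document, same length.
V1 = b"Offer price: 1,200,000 USD"
V2 = b"Offer price: 1,950,000 USD"
PASSWORD = b"correct horse"

def demo():
    reused = b"\x00" * 16                     # same salt on both saves
    c1 = encrypt_save(PASSWORD, reused, V1)
    c2 = encrypt_save(PASSWORD, reused, V2)
    leaked = xor(c1, c2)                      # keystream cancels: V1 xor V2
    recovered = xor(leaked, V1)               # knowing V1 now yields V2
    # Mitigation: a fresh salt per save gives an unrelated keystream.
    d2 = encrypt_save(PASSWORD, b"\x01" * 16, V2)
    return leaked, recovered, changed_offsets(c1, c2), xor(c1, d2)

if __name__ == "__main__":
    print(demo())
```

With the salt reused, the ciphertexts alone show which bytes were edited between saves; with a fresh salt per save the XOR of the two ciphertexts no longer equals the XOR of the plaintexts.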
Re:Why it is "low priority" (Score:3, Insightful)
If I *had* a tool, I wouldn't be sharing it with you. Far too valuable. Generally, *you* wouldn't know if such a tool existed, because if knowledge of the tool leaked, MS *would* implement a fix, making future use problematic.
If the tool doesn't exist, I may well collect encrypted documents in case the tool is available in future - but you did know the temporal risk of encryption, no?
Anyway, in the "real life" of security, things work a bit differently. Almost anything at a "theoretical" level is assumed to be done. Because the black hats wouldn't tell you anyway.
Ratboy.
Re:SuSE 9, too (Score:1, Insightful)
Physical access should not be sufficient! (Score:3, Insightful)
That's simply not true in this case. Preventing access to data when physical security is breached is the primary reason for encrypted filesystems. The thief who has unrestricted "physical access" to your work laptop should not be able to crack into an encrypted filesystem, Emergency Boot CD or no.
If the encryption key is sitting there on the hard drive, protected only by user-based access control (as the grandparent post seems to imply) then the whole setup is horrendously broken. Such a stupid system is equally possible on Linux or Windows of course.
For encrypted filesystems to be meaningful, the encryption key needs to be protected by a decent password that's not stored anywhere on the disk (duh). Sure, it's a PITA to enter each time you boot your computer, but otherwise you might as well not bother.
Re:copyright (Score:4, Insightful)
Re:Users don't want strong MS Office encryption (Score:3, Insightful)
Microsoft mail clients support SSL certificates though. SSL certificates cost you money. SSL certificate authorities provide kickbacks to Microsoft to include their CA key in MS products.
One more reason I hope Firefox/Thunderbird takes the world by storm: whoever controls the client controls which CAs are distributed with it. Oh, Verisign, you're being cunts again. Say goodbye to your CA key. Firefox/Thunderbird/Mozilla will also be able to fund themselves by operating their own (cheaper, less arseholeish) CA.
Just to play devil's advocate (Score:3, Insightful)
If we held car makers and home builders accountable for security flaws, our houses and cars would look a lot different, and they would STILL get broken into. I wouldn't want armed guards patrolling my neighborhood, or to go through an airport-like screening at the corner, any more than I would want to live the RIAA's wet dream of requesting authorization to display any video, sound or image with my own computer.
I wonder if the pursuit of total data security is a phantom, and we just have to accept a certain amount of risk and deal with it the best we can, possibly by not putting as much trust in our machines and networks as we would like to.