Zimmermann Enters Debate on Microsoft Encryption
Golygydd Max writes "I didn't see much coverage of the RC4 flaw in Microsoft Office that was uncovered recently by a researcher, Hongjun Wu. Now, PGP creator Phil Zimmermann, dissatisfied with Microsoft's response, has joined in the debate. In an interview with Techworld he castigates Microsoft for their inadequate response: 'The lay user ought to be entitled to assume that the encryption produced by Microsoft is adequate. ... If Microsoft wants to earn the respect of the cryptographic community and the public it must rise to the occasion by producing competent security.' The cynic might ask, 'what respect', but should Microsoft have taken a flaw in some of its most popular programs more seriously?"
Employ Mr. Zimmermann (Score:5, Interesting)
The fact that so many documents written (especially now) are using Microsoft formats makes this problem very dangerous.
It's worth mentioning that any documents that are actually worth protecting should by default not rely on Microsoft's (lack of) security, as it is a known trend that Microsoft fails time and time again to provide adequate security.
People think "wow! encryption, and NOT a lame password". But as per normal, scratch a little deeper and you can see how flawed Microsoft code actually is...
I wonder when... (Score:5, Interesting)
Comment removed (Score:5, Interesting)
Re:First rule of Microsoft encryption (Score:5, Interesting)
Consider NSA's track record:
An agreement with Microsoft to ensure insecure encryption would be very out of character for them.
That is, unless they're just a bunch of Linux freaks.
You're asking too much of MS (Score:4, Interesting)
Y'know, asking MS to fix an obscure bug in their encryption that took a dedicated researcher to find is pretty much pointless. Remember - these are the same guys that are having a hard time poking through their code and replacing all the strcpy() calls with strncpy().
Asking these guys to address this is like asking someone to turn off the faucet in a burning building.
Zimmermann bashes RC4, not just Microsoft (Score:3, Interesting)
Re:Encryption easily broken (Score:2, Interesting)
1) That password you give your administrator account on your system can be hacked off in under 5 minutes with the Emergency Boot CD EBCD. So much for encryption.
Reading the linked site, it says that you can *change* any password, not decrypt it. You can do the same thing in unix/linux if you have physical access, I also don't see anything wrong with that. If the data is that important, you should guard the computer as well. In the other case it's handy if for some reason the administrator password is lost that you don't lose the system.
2) Files encrypted in Windows 2000 (the OS I tested them on) were still visible in their directories, despite their contents being encrypted. To me, this wasn't good enough. I wanted the whole filesystem to be encrypted, with plausible deniability that certain files (or even file systems) never even existed. To add injury to insult, I could easily become administrator with the EBCD and get the encryption key easily to break the encryption anyway.
That's where I think (hope) you're wrong. You can change the administrator password, but by doing that you'll render the private keys inaccessible. If you want to reset a user's password in Windows you get a warning that encrypted files will become unavailable, therefore you should use change password. This suggests that the private keys are encrypted using the user's password. When you change your password, these keys first have to be decrypted and encrypted again using your new password. Resetting the administrator password still doesn't give you access to the files in that case.
To protect from losing your files if you forget the password you can create an emergency disk. This should allow you to gain access to the system in case the password is forgotten. I assume this disk would contain unencrypted private keys for this purpose (never used it, but it shows up on the password related functions). You also get a warning that you should put it in a safe place.
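The change-versus-reset behaviour inferred in the comment above, modelled as an added example that is not part of the original thread and is not Windows' own implementation. All function names are hypothetical, the work factor is an assumption, and the XOR pad with an HMAC tag is a standard-library stand-in for a real authenticated cipher.

```python
# Added illustration: a model of password-wrapped keys, not Windows EFS code.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def _derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password into a 32-byte pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def wrap_key(private_key: bytes, password: str) -> dict:
    """Protect a 32-byte key under the password. A fresh salt gives a fresh pad;
    the XOR pad stands in for a real authenticated cipher (stdlib has none)."""
    if len(private_key) != 32:
        raise ValueError("this sketch wraps exactly 32 bytes")
    salt = os.urandom(16)
    pad, mac_key = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(private_key, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap_key(blob: dict, password: str) -> bytes:
    """Recover the key, or raise if the password does not match the blob."""
    pad, mac_key = _derive(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password: wrapped key stays inaccessible")
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))


def change_password(blob: dict, old: str, new: str) -> dict:
    """User-initiated change: unwrap with the old password, re-wrap with the new."""
    return wrap_key(unwrap_key(blob, old), new)


def reset_password(blob: dict, new: str) -> dict:
    """Forced reset: the old password is unknown, so the blob cannot be re-wrapped
    and is returned unchanged, still bound to the old password."""
    return blob


if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample key
    blob = wrap_key(key, "old-pass")
    print(unwrap_key(change_password(blob, "old-pass", "new-pass"), "new-pass") == key)
```

In this model a recovery disk of the kind the comment mentions would amount to a second copy of the key kept outside the password wrapping, which is why it has to be stored safely.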
Re:Do they care? (Score:5, Interesting)
As to whether they 'care' about this encryption thing. They are obviously looking into it. But the fact is Office is run by millions of people, so they can't just overhaul the encryption system and release a hotfix without breaking lots of stuff. So these things take time. I do hope they change their methods, though.
Re:I wonder when... (Score:2, Interesting)
This raises an interesting question: what about versioned documents? They'd have to contain several large revisions, but this shouldn't be a problem when I think of the documents that some account managers create here.
Re:Users don't want strong MS Office encryption (Score:3, Interesting)
Why doesn't Microsoft Have Good Security?
people who don't want or understand them
I swear I'm not making this up.