Microsoft Warns Customers Away From RC4 and SHA-1

Trailrunner7 writes "The RC4 and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said it is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm. RC4 is among the older stream cipher suites in use today, and there have been a number of practical attacks against it, including plaintext-recovery attacks. The improvements in computing power have made many of these attacks more feasible for attackers, and so Microsoft is telling developers to drop RC4 from their applications. The company also said that as of January 2016 it will no longer validate any code signing or root certificate that uses SHA-1."

  • by icebike ( 68054 ) on Wednesday November 13, 2013 @01:15AM (#45409547)

    Why in god's name would a company that backdoored their entire crypto stack to the NSA worry that
    some crypto code is weak?

  • by fluke11 ( 1160111 ) on Wednesday November 13, 2013 @01:25AM (#45409635)

    Microsoft continues to make use of MD4 for password hashing in the Security Account Management part of the registry. The authors of MD4, RSA, had recommended for a long time switching to MD5 and now recommend using MD6. Other members of the security community also recommend using a stronger hash function, combining a salt string with the password and doing multiple rounds of the hash function. Microsoft has failed to do any of these recommendations.

    MS-CHAPv2 also continues to be part of Microsoft's offering as well. Support for this is included in their OS for PPTP, iSCSI and 802.1x (and possibly others). As pointed out in the article, attacking MS-CHAPv2 is now as simple as cracking a single DES key.

    It is nice that Microsoft is recognizing some of the advice of the security community and taking steps to phase out SHA-1 and RC4. But I have a hard time applauding Microsoft when this is just the tip of the iceberg of weak hashing functions and protocols in popular use in their software.
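
The salting and multiple-round hashing mentioned in the comment above, shown as an added example that is not part of the original comment and not Microsoft's code. SHA-256 stands in for the fast unsalted hash, and the iteration count, storage format and function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def fast_unsalted(password: str) -> str:
    """One round, no salt: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) in a self-describing record."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; reject malformed records."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)  # constant-time compare


def users_sharing_a_hash(table: dict) -> list:
    """Group user names by stored hash; a group of 2+ reveals a shared password."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    # Constructed sample accounts: alice and bob chose the same password.
    passwords = {"alice": "hunter2", "bob": "hunter2", "carol": "tr0ub4dor"}
    unsalted = {u: fast_unsalted(p) for u, p in passwords.items()}
    salted = {u: hash_password(p) for u, p in passwords.items()}
    print("unsalted table leaks:", users_sharing_a_hash(unsalted))
    print("salted table leaks:  ", users_sharing_a_hash(salted))
```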

  • by LongearedBat ( 1665481 ) on Wednesday November 13, 2013 @01:52AM (#45409813)

    Because... the NSA pays MS for backdoors, whereas the Russians don't?

    Because... the NSA tries to stay under the radar, whereas other malware often doesn't? (ex. adware, bot-nets. Thus damaging the MS "experience".)

    Because... the NSA wants to know your secrets, whereas scammers want to use your secrets? (ex. Credit card payments. Further damaging the MS "experience".)

    Just a few thoughts.

  • Re:SHA1? insecure? (Score:5, Insightful)

    by Shimbo ( 100005 ) on Wednesday November 13, 2013 @05:43AM (#45410731)

    So why warn away from SHA1 NOW?

    If developers are using it today, then you will be next year, and the year after, when attacks are more feasible.

    what are we going to use?

    I'm not a cryptography expert but if SHA-1 is too weak, and SHA-3 not quite there yet, why not SHA-2?
