Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Encryption Security Bug Microsoft

Zimmermann Enters Debate on Microsoft Encryption 381

Golygydd Max writes "I didn't see much coverage of the RC4 flaw in Microsoft Office that was uncovered recently by a researcher, Hongjun Wu. Now, PGP creator Phil Zimmermann, dissatisfied with Microsoft's response, has joined in the debate. In an interview with Techworld he castigates Microsoft for their inadequate response: 'The lay user ought to be entitled to assume that the encryption produced by Microsoft is adequate. ... If Microsoft wants to earn the respect of the cryptographic community and the public it must rise to the occasion by producing competent security.' The cynic might ask, 'what respect', but should Microsoft have taken a flaw in some of its most popular programs more seriously?"
This discussion has been archived. No new comments can be posted.

Zimmermann Enters Debate on Microsoft Encryption

Comments Filter:
  • by Anonymous Coward on Thursday January 27, 2005 @09:28AM (#11491690)
    Do not use Microsoft encryption.
    • At least the poster said "if Microsoft wants to earn the respect of the cryptographic community....", rather than saying "...keep the respect...".

      Couldn't you extend the rule from simply "Microsoft encryption" to the more general "Microsoft Security"?
    • Wasn't RC4 closed source until the source leaked out on the web, and they soon found flaws in it, which were patched, and it was a better algorithm for being "open sourced", albeit against it's will.

      Stick to stuff like 3DES, and AES, and I think you'll be fine. But don't listen to me - I'm no cryptographer.
      • by Anonymous Coward on Thursday January 27, 2005 @10:24AM (#11492249)
        Wasn't RC4 closed source until the source leaked out on the web
        The algorithm was one of RSA's trade secrets. It wasn't the source that was leaked but a description of the algorithm. Consequently, third-parties implemented the algorithm and there was nothing RSA could do about it -- it wasn't patented, RSA preferring the trade secret route, and copyright didn't apply because you can't copyright algorithms.
        which were patched, and it was a better algorithm for being "open sourced", albeit against it's will.
        It wasn't improved as far as I know, but the algorithm is sometimes known as arcfour. This is because RC4 is trademarked. Perhaps you were thinking of this.

        Also, it is a little misleading to say it was "open sourced" against its will. Firstly, because it wasn't "open sourced" in the strictest sense but more importantly, RC4 is just an algorithm with many different implementations and an algorithmic description is information. And as we all know, information wants to be freeee.
  • copyright (Score:4, Insightful)

    by oliverthered ( 187439 ) <{moc.liamtoh} {ta} {derehtrevilo}> on Thursday January 27, 2005 @09:28AM (#11491694) Journal
    How else are we supposed to get access to all these works in 150 years time (or 50 in some countries) when the copyright expires on them.
    • by ceeam ( 39911 ) on Thursday January 27, 2005 @09:34AM (#11491758)
      Fear not, Disney is working on it.
    • How else are we supposed to get access to all these works in 150 years time (or 50 in some countries) when the copyright expires on them.

      Uhhh... Public... Domain?

      • Re:copyright (Score:3, Insightful)

        by mlush ( 620447 )

        >>How else are we supposed to get access to all these works in 150
        >>years time (or 50 in some countries) when the copyright expires on them.
        >Uhhh... Public... Domain?

        If the encryption were unbreakable and the keys lost, it would not be a lot of use

        • Is unbreakable encryption even theoretically possible? Someone who is a mathematician must be reading this. Possible? Why or why not?
          • Is unbreakable encryption even theoretically possible?

            Yes, but it's the one-time pad. If you're asking is asymmetric encryption theoretically unbreakable, no. As long as there are a finite amount of keys to try, you can just keep trying them all. How long it takes is the question.

          • Re:copyright (Score:3, Insightful)

            by Riddlefox ( 798679 )
            As has been mentioned, a properly implemented one time pad is completely unbreakable.

            The basic concept is to take a completely random stream of characters (numbers, bits, whatever). You record these random characters to a pad, and distribute this pad to everyone who needs to send and decrypt messages.

            When you want to send a message, you XOR your message with the random characters. The result is a completely random string of characters. To decrypt, you XOR the encrypted message with the same random ch

          • Is unbreakable encryption even theoretically possible?

            I would say not.

            It's really a matter of definition more than anything else. Encrypting something is generally assumed to mean turning it into something which is unrecognisable as the original, but which can be converted back (decrypted).

            If there is a way of converting it back, it must be theoretically possible to find out how, thus it is breakable. Of course, it might be so difficult or take so long that it was unfeasable. That would make the enc

    • Re:copyright (Score:5, Insightful)

      by j0nb0y ( 107699 ) <(jonboy300) (at) (yahoo.com)> on Thursday January 27, 2005 @09:42AM (#11491838) Homepage
      Copyright expiration? Copyrights don't expire. Congress extends them again every 20 years. And they'll keep doing so, forever, since the Supreme Court ruled that it was perfectly okay!
  • Employ Mr. Zimmerman (Score:5, Interesting)

    by antivoid ( 751399 ) on Thursday January 27, 2005 @09:30AM (#11491707) Homepage
    Perhaps Microsoft should employ Mr. Zimmerman of PGP to fix M$'s broken code.

    The fact that so many documents written (especially now) are using Microsoft formats, makes this problem very dangerous.

    Its worth mentioning that any docuemtns that are actually worth protecting should by default not rely on Micrsofts (lack of) security, as it is a known trend that Microsoft fails time and time again to provide adaquate security.

    People think "wow! encryption, and NOT a lame password". By as per normal, scratch a little deeper and you can see how flawed microsoft code actually is...
  • by GillBates0 ( 664202 ) on Thursday January 27, 2005 @09:30AM (#11491712) Homepage Journal
    Zimmermann makes some Pretty Good Points in the interview.
  • by bigtallmofo ( 695287 ) on Thursday January 27, 2005 @09:30AM (#11491714)
    I especially dislike their Encrypted File System (EFS). One of its highlights is that the first administrator account set up in a domain is designated an "Encrypted Data Recovery Agent". What does this mean? If you use your domain login at work to encrypt your data, the administrator has immediate ability to decrypt it anytime they want.

    How is this done? Every file that is written to an encrypted folder by User A has a private encryption key generated for it. That private encryption key is then encrypted with User A's public key and every designed Encrypted Data Recovery Agent's public key. Then either User A or any such recovery agent's private key can then decrypt the file.

    Of course, MS just lets lay users assume their "encrypted" files are private.
    • by gUmbi ( 95629 ) on Thursday January 27, 2005 @09:34AM (#11491759)
      One of its highlights is that the first administrator account set up in a domain is designated an "Encrypted Data Recovery Agent". What does this mean?

      For corporations (the target market for EFS), it means that if someone is fired, quits, dies, etc. then their data is not lost foreever.

      • Until 'someone' *is* the administrator... :D
      • For corporations (the target market for EFS), it means that if someone is fired, quits, dies, etc. then their data is not lost foreever.

        This is yet another solved problem. OS X allows encrypted user partitions and encrypted disk images. It allows an administrative key to user partitions as an option. It warns everyone what is going on when the features are enabled. This is just not that hard. MS did not quite get it right, they need to copy Apple more closely.

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Thursday January 27, 2005 @09:36AM (#11491779)
      Comment removed based on user account deletion
      • ...or the user could just delete the file in the first place.

        Or move it to removable storage.
        • ...or the user could just delete the file in the first place.

          You obviously don't deal with typical users. They are the biggest pack rats. This is why disk quotas were created to force them to offload data elsewhere.
      • Glad to see you are back with us.

        A spiteful (ex)-employee could easily encrypt and forever destroy sensitive data that is irreplaceable.

        Or they could just overwrite it and delete it.

        typical user to permanently encrypt data that can never be revealed

        Not sure why you'd want to "permanently encrypt data"... You might as well overwrite and delete it.

      • by 0123456 ( 636235 ) on Thursday January 27, 2005 @09:56AM (#11491953)
        "Imagine the damage that could be done."

        Such as, exactly?

        "AI spiteful (ex)-employee could easily encrypt and forever destroy sensitive data that is irreplaceable."

        Or they could just del *.*. Or format c:. Or burn down the building.

        This whole 'spiteful employee' argument is nonsense. The only reasons to have a 'key recovery agent' are to recover password for clueless employees and to spy on slightly more clued employees.
        • by Proteus ( 1926 ) on Thursday January 27, 2005 @10:22AM (#11492227) Homepage Journal

          While I agree that the 'spiteful employee' arguement is largely bunk, the 'employee who quit, got fired, or otherwise left unexpectedly' arguement is not.

          e.g. I am a sysadmin, and I store all the incident reports on a Win2k3 EFS box, encrypted to my key. These incident reports are important to whomever is doing my job -- no one needs to see them unless I leave unexpectedly. If I get trampled by a herd of malicious gnus on the way to work, the top-level admins will need access to my data, as will whoever replaces me.

          There are two solutions to that -- share my key or use the EFS recoverable key system. Guess which I'd rather do?

      • The employee need not be spiteful, they could simply encrypt important data and die of a heart attack or somthing !!!
    • Microsoft will get way more complaints if file were safe and could not be recovered.

      For Microsoft false security sells, and true security doesn't. So of course they shell out products with "backdoors".

      Now, the RC4 implementation is not one of those, but just a plain bug.
    • You're joking, right? When you use a corporate tool (whether it be a computer, telephone, etc.) you should always assume that your information isn't completely "private", because it isn't. It's the company's. That's what they pay you for.

      As an administrator, if I have an employee leave disgruntled, and the boss asks me to find out why, am I to tell him/her "he encrypted his files, therefore he has full privacy". No, he doesn't. It's our machine. If he wants full privacy, he should encrypt files on hi
  • Don't Worry (Score:5, Funny)

    by Dipster ( 830908 ) on Thursday January 27, 2005 @09:31AM (#11491722)
    It'll be fixed in the next installment. Just give them more of your money...

    Why fix it in a free patch, when they can charge money for a new version that you have a reason to buy?

    • Because they are starting to worry. Lately they have been taking more of hit, and they are starting to fear people actually doing something about it. You don't get to the top of your market without being somewhat paranoid. They'll release a stop-gap to fix it, and then in their next release tout some new feature.
    • It'll be fixed in the next installment. Just give them more of your money...

      Yep. Windows 2003!! Not as good as the next version!

  • Article mirror (Score:3, Informative)

    by Anonymous Coward on Thursday January 27, 2005 @09:35AM (#11491768)
    Crypto expert: Microsoft flaw is serious

    Microsoft should sort flaw and abandon RC4 in favour of better ciphers, says PGP creator.

    By John E. Dunn, Techworld

    Cryptography expert Phil Zimmermann has said he believes the flaw discovered in Microsoft's Word and Excel encryption is serious and warrants immediate attention.

    "I think this is a serious flaw - it is highly exploitable. It is not a theoretical attack," said Zimmermann, referring to a flaw in Microsoft's use of RC4 document encryption unearthed recently by a researcher in Singapore.

    "The lay user ought to be entitled to assume that the encryption produced by Microsoft is adequate. [...] If Microsoft wants to earn the respect of the cryptographic community and the public it must rise to the occasion by producing competent security."

    Microsoft has been dismissive of the seriousness of the flaw, which relates to the way it has implemented the RC4 encryption stream cipher. As explained by Hungjun Wu of the Institute of Infocomm Research, it would allow anyone able to gain access to two or more versions of the same password and encrypted document to reverse engineer the scheme used to make it secure.

    "Stream ciphers have to be used most carefully. Any failure to do this will result in a disastrous loss of security," Zimmermann said. "Even with a properly chosen initialisation vector, you have to run it for a while before the quality of the stream cipher is good enough to use." Contrary to Microsoft's claims that the issue was a "very low threat", he countered that gaining access to a document would not present problems for a determined hacker. "There are tools one can use to cryptanalyse messages in this way."

    Even if the flaw was fixed, in his view a more fundamental problem was Microsoft's use of RC4, licensed from RSA Security.

    "Why does Microsoft continue to use RC4 in this day and age? It has other security flaws that have been published in other papers," adding that "RC4 is a proprietary cipher and has not stood up well to peer review. They should just stop using RC4. It would be better to switch to a block cipher."

    When contacted Microsoft, was unable to commit to a timescale for correcting the flaw but issued the following statement by way of a spokesperson: "Microsoft is still investigating this report of a possible vulnerability in Microsoft Office. When that investigation is complete, we will take the appropriate actions to protect customers. This may include providing a security update through our monthly release process."

    Zimmermann, meanwhile, emphasised the need for responsible disclosure of such problems. "The best way is to quietly disclose the problem to the vendor and then allow the vendor 30 days to fix the problem. Then go public," he said.

    Phil Zimmermann is best-known as the creator of Pretty Good Privacy (PGP), a desktop encryption program that was powerful enough that the US authorities attempted to have its distribution stopped and Zimmermann imprisoned for writing it. The case was abandoned 1996. PGP was bought out by Network Associates, though an independent company, PGP Corporation, has since been spun out to develop its core technology.

    • "Why does Microsoft continue to use RC4 in this day and age?"

      The same reason they're still using the tired old method of 3 letter file extension to mark file types - backwards compatability. BC is what made windows and MSs bank balance what it is , for good AND bad.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday January 27, 2005 @09:36AM (#11491782)
    Comment removed based on user account deletion
  • Bah.... (Score:3, Funny)

    by CastrTroy ( 595695 ) on Thursday January 27, 2005 @09:37AM (#11491791)
    Bah.... What does Bob Dylan know about encryption anyway. :)
  • Call me paranoid, but it's kind of convenient to security services that there is a flaw in Microsoft encryption systems. Surely if you were desigining a back-door for security services you'd do it in a way that looked like a bug rather than a feature.

    Jolyon
  • I wonder when... (Score:5, Interesting)

    by cerberusss ( 660701 ) on Thursday January 27, 2005 @09:38AM (#11491803) Journal
    I wonder when someone writes a script to google for Word documents, get the protected ones out and decrypt them. Ought to be a fun project.
  • Good enough (Score:3, Informative)

    by Ec|ipse ( 52 ) on Thursday January 27, 2005 @09:44AM (#11491850)
    Well, seeing as how the majority of the world is using their software, they probably think it's obviously good enough, otherwise it wouldn't be used.

    Total bull, but that's why they haven't change anything in IE for so many years.
  • by Anonymous Coward on Thursday January 27, 2005 @09:44AM (#11491856)
    MS considers it a low priority because there is no tool that currently is known to be available that can leverage the theoretical issues brought up in the paper. I agree with them. An issue is "high priority" when there is a tool that can be used by an end user now as an exploit. That is how you prioritize things in real life.
    • by quigonn ( 80360 ) on Thursday January 27, 2005 @09:57AM (#11491962) Homepage
      That is how you prioritize things in real life.

      This "there is no program to exploit it, so this security issue is not important"-type of attitude is extremely dangerous. The slogan is to act, not to react, especially with security issues. And Microsoft actually should have learned from their part of history...
    • So all the time I (black hat) am clever enough to just decrypt stuff and use the information without getting caught, the game plan is to concentrate on the script kiddies. Kewl ;-)

      Justin.
    • Facinating

      If I *had* a tool, I wouldn't be sharing it with you. Far too valuable. Generally, *you* wouldn't know if such a tool existed, because if knowledge of the tool leaked, MS *would* implement a fix, making future use problematic.

      If the tool doesn't exist, I may well collect encrypted documents in case the tool is available in future - but you did know the temporal risk of encryption, no?

      Anyway, in the "real life" of security, things work a bit differently. Almost anything at a "theoretical" level
  • Holography (Score:3, Funny)

    by kdark1701 ( 791894 ) on Thursday January 27, 2005 @09:48AM (#11491887) Homepage
    Am I the only one who saw "Zimmerman" and thought of the inventer of the Emergency Medical Hologram?
  • by Vellmont ( 569020 ) on Thursday January 27, 2005 @09:49AM (#11491895) Homepage
    While Microsoft should probbably fess up and fix the problem, is this really such a big deal? Who uses Microsoft word encryption, and for what? It still sounds like you'd require multiple versions of the same document. That means either access to the data store itself where the document was being edited, or the user has passed around multiple versions to others.

    I guess what it comes down to is expectations of security. It should be obvious to not use word to protect national secrets. Secret love letters to your mistress are still probbably safe from your wife though (unless she happens to be a crypto-expert). In that case it's probbably easier to just use a keylogger, or install a trojan horse.
  • While it is understandable that one wants to be careful with the cashcow, you should at least immunize it.
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Thursday January 27, 2005 @09:50AM (#11491909)
    Comment removed based on user account deletion
    • by Vellmont ( 569020 ) on Thursday January 27, 2005 @10:00AM (#11491994) Homepage

      1) That password you give your administrator account on your system can be hacked off in under 5 minutes with the Emergency Boot CD EBCD . So much for encryption.

      That doesn't have anything to do with encryption. Anytime you have physical access to a computer all bets are off as far as security. You can do the exact same thing in linux, and most of the time you don't even need a CD. Just add a 1 to the kernel boot options and boot into single user mode. No password required, immediate root access. Sure, you can put a password on changing those bootloader options, but just slap in a linux emergency boot CD, and suddenly you have root access to all files.

      Linux encrypted filesystems I know almost nothing about, but I've also never seen a distribution that supports it out of the box. There's probbably one out their, but it's not a mainstream linux feature.
      • Linux encrypted filesystems I know almost nothing about, but I've also never seen a distribution that supports it out of the box. There's probbably one out their, but it's not a mainstream linux feature.

        I know for a fact that Mandrake supports an EFS out of the box. I haven't run the other "major" distros (RH, SuSE) in some time, so I can't speak to those. But, in a corporate environment, the Linux encrypted FS has limited use -- there is no recoverable key infrastructure (which is good in some ways),

      • Anytime you have physical access to a computer all bets are off as far as security.

        That's simply not true in this case. Preventing access to data when physical security is breached is the primary reason for encrypted filesystems. The thief who has unrestricted "physical access" to your work laptop should not be able to crack into an encrypted filesystem, Emergency Boot CD or no.

        If the encryption key is sitting there on the hard drive, protected only by user-based access control (as the grandparent post
      • Linux encryptions (Score:3, Informative)

        by tetromino ( 807969 )
        1) That password you give your administrator account on your system can be hacked off in under 5 minutes with the Emergency Boot CD EBCD . So much for encryption.

        That doesn't have anything to do with encryption. Anytime you have physical access to a computer all bets are off as far as security.


        The grandparent was saying that in Windows, it is easy to recover the Administrator's password. This is bad because you can log in without a recovery CD, and the Administrator won't notice (his password will s
    • you can do this if the machines' encrypted files were encrypted by a local user. this is aimed at corporate work though, where they're domain users. the EBCD and all the other password crackers work on LOCAL accounts, not DOMAIN accounts. if joe blow encrypts his files on his work laptop with his usual domain account, you can't get at them.
    • 1) That password you give your administrator account on your system can be hacked off in under 5 minutes with the Emergency Boot CD EBCD . So much for encryption.

      Reading the linked site, it says that you can *change* any password, not decrypt it. You can do the same thing in unix/linux if you have physical access, I also don't see anything wrong with that. If the data is that important, you should guard the computer as well. In the other case it's handy if for some reason the administrator password is l

      • 3) Built in Windows encryption isn't good enough, forcing you to get third party products to do the job right. This means that you pay through the nose if you haven't got the technical skill to set up a Linux or BSD box running free encryption modules and samba.

      Have you had a look at this: TrueCrypt: Free open-source disk encryption for Windows XP/2000/2003 [sourceforge.net]

  • In the interview referenced in the article, there is a paragraph that states

    When contacted Microsoft, was unable to commit to a timescale for correcting the flaw but issued the following statement by way of a spokesperson: "Microsoft is still investigating this report of a possible vulnerability in Microsoft Office. When that investigation is complete, we will take the appropriate actions to protect customers. This may include providing a security update through our monthly release process."

    Using my h

  • Is there a handy piece of software which lets me read my PHB's documents?
  • by FridayBob ( 619244 ) on Thursday January 27, 2005 @09:52AM (#11491920)
    Their programmers might care, but M$ itself isn't interested in respect from the cryptographic community, because it's something that doesn't matter to their stockholders; it's too obscure for them to care about. M$ only responds to this kind of thing once the news gets out and the public begins to perceive it as a problem. Security through obscurity, remember? Basically, M$ are only in it for the money; a statement that explains their entire track record.
  • Reason behind the weak Windows encryption is not to provide easy out of the box encryption for the masses. The real purpose is to provide out of the box mass decryption for government agencies. Surely Microsoft has been asked to do that by quite a number of them.

    So, cryptopgraphic community perfectionism this time crosses interests of real power and will be ignored.

  • Ha, ha! (Score:5, Funny)

    by 200_success ( 623160 ) on Thursday January 27, 2005 @09:56AM (#11491952)

    Dear security researchers,

    You can try to crack our encryption all you want. Microsoft Office(TM) documents are still the most secure format in the world, since you still won't be able to render them properly even if you manage to decrypt them.

    Sincerely,

    The Microsoft Corporation

  • by gfecyk ( 117430 ) on Thursday January 27, 2005 @10:00AM (#11491992) Homepage Journal
    Least of all your US government. The NSA makes a bulletproof distribution of Linux, and other US government offices shun it in favour of Windows.

    Sun Microsystems released Star Office, and a bunch of open source wonks built OpenOffice, with better track records. Yet US government offices shun them in favour of Microsoft Office.

    I'm not sure why they do, especially an omniscent body like the US government who knows these things exist. It must be because they don't want to use them.

    And every day users? Well, users could have taken e-mail content security into their own hands over a decade ago when PGP was out, or eight years ago when PGP for the Exchange client came out. But NO, they didn't want to use it. They could have used S/MIME which was slightly easier to use, but NO, they didn't want to use it.

    Users don't care enough to demand strong encryption in their applications. And Microsoft is in business to make money. They aren't going to waste time making a product that no one will buy. And YOU, slashdotters, aren't going to convince users to buy an alternative through fear, uncertainty and doubt.
    • by Anonymous Coward
      At MS I was shown a powerpoint slide by the PM on my project from a "confidential" presentation he attended. The slide, as best I can remember it, went something like this:

      Why doesn't Microsoft Have Good Security?

      • good security is hard
      • hard things are expensive
      • users don't understand security
      • users don't want to pay for good security
      • Microsoft doesn't do expensive things for
        people who don't want or understand them

      I swear I'm not making this up.

    • Why no PGP in Microsoft mail clients? There's no money in it.

      Microsoft mail clients support SSL certificates though. SSL certificates cost you money. SSL certificate authorities provide kickbacks to Microsoft to include their CA key in MS products.

      One more reason I hope Firefox/Thunderbird takes the world by storm: whoever controls the client controls which CAs are distributed with it. Oh, Verisign, you're being cunts again. Say goodbye to your CA key. Firefox/Thunderbird/Mozilla will also be able t
  • by Weaselmancer ( 533834 ) on Thursday January 27, 2005 @10:00AM (#11491999)

    Y'know, asking MS to fix an obscure bug in their encryption that took a dedicated researcher to find is pretty much pointless. Remember - these are the same guys that are having a hard time poking through their code and replacing all the strcpy() calls with strncpy().

    Asking these guys to address this is like asking someone to turn off the faucet in a burning building.

  • ARRG (Score:2, Insightful)

    by tomstdenis ( 446163 )
    yes, changing the IV will help, but it's not the solution.

    USE A FUCKING MAC!!! [message authentication code]

    cipher == privacy
    mac == authentication

    Stupid fucking reporting...

    Tom
  • by HarveyBirdman ( 627248 ) on Thursday January 27, 2005 @10:03AM (#11492030) Journal
    I didn't see much coverage of the RC4 flaw in Microsoft Office that was uncovered recently...

    Maybe everyone is just burned out and tired of the topic. We all know that the state of PCs in the world today is a vast, pathetic farce of biblical proportions thanks to MS. What's left to say about it? Windows is a shitpile, but people keep gobbling it up. Just like they gobble up all the other sludge in our culture. Nothing unusual to be seen here. Move along.

  • by DickBreath ( 207180 ) on Thursday January 27, 2005 @10:05AM (#11492049) Homepage
    I see all the posts about how Microsoft encryption is a joke, etc.

    Could it be that the poor encryption security was actually on purpose?

    After all, they were using RC4. It should be secure right? (sarcasm) Isn't the problem simply that they re-used a key stream, or something like that? Something that is a basic design "blunder", but could really have been done on purpose. This might make it easy for certian parties to crack, but it might still seem secure. All of the code is properly implemented. The RC4 algorithm is properly implemented, gives correct outputs for known inputs, etc. The flaw is in how the algorithm is improperly used. Something that could be missed by anyone disassembling the code.

    I'll leave it for someone else to reply here and speculate on the reasons that such a "blunder" might actually be deliberate. (I've got a malfunction in one of the antennas of my tin foil hat. I use the dual-antenna design of tin foil hats.)
    • Could it be that the poor encryption security was actually on purpose?

      Rather unlikely. Their previous encryption scheme was far worse, and they could have kept using it. I doubt there was much pressure from customers to implement better cryptography. (There is little customer demand for increased security, either.)
  • MSFT does not care about quality; it cares about quantity. It cares about profits to shareholders and to the the number of units it shipped. It cares about its dominance in the market. It cares about crushing anyone or anything that competes or threatens their position. MSFT's leadership cares about the company's bottom line and nothing more.

    If they truly cared about quality, there would be much less malware and and far fewer security holes in their products. They would actually care about this encrypti
  • by xxxJonBoyxxx ( 565205 ) on Thursday January 27, 2005 @10:12AM (#11492126)
    In the article, Zimmerman bashes RC4, not just Microsoft. I think he's probably right. Why not use open-standard AES instead of RC4? (Or if you still have RSA on the brain, why not RC6, the RSA algorithm which was a runner-up in the Federal AES competition.)

  • by nurb432 ( 527695 ) on Thursday January 27, 2005 @10:13AM (#11492132) Homepage Journal
    Why care if the ball is leakign air?
  • The creator of PGP is dissatisfied with an alternative closed source encryption implementation?! What is this world coming to! :)

    Lets home MS drops their flawed encryption algorithm. How do the Office alternatives stack up in this respect?
  • Any closed-source encryption scheme is automatically suspect. If an encryption scheme demands secrecy for anything except the intended recipient's private key, then it is vulnerable to compromise.

    Remember, just because you can't solve a problem you devised, does not necessarily mean it is insoluble, unless you proved so mathematically. For example, by expressing the encryption as a matrix multiplication and proving the matrix is singular. Preferably there should be more than one indeterminate variable,
  • microsoft is a monopoly and is not concerned about flaws in its products. the majority of "lay users" will be using them regardless. the "respect of the cryptographic community" is irrelevant to its profit margin, since said community is numerically insignificant in terms of sales, and it is the phbs that make corporate purchasing decisions, not technical experts. what microsoft "should" do, beyond what is in the interests of its profit margin, is a moot point.
  • by big-magic ( 695949 ) on Thursday January 27, 2005 @11:19AM (#11492950)

    There is a lot of speculation here that Microsoft put in this encryption bug on purpose. That's giving them too much credit on this one. I just read the paper about the weakness. They are essentially reusing the same keystream more than once. That's an amateur level bug that is discussed in any crypto book that talks about stream ciphers. Look in the book Applied Crytography by Bruce Schneier in the section on cryptographic modes. He talks about this directly. This is not a minor threat. It's a gaping hole since a simple XOR of two versions of the document gives you a lot of information.

    The bigger question is why Microsoft used a stream cipher for this. As Zimmerman mentions, they are more difficult to use correctly. Although some weakness in RC4 have been found, it is still possible to use it in a strong manner. You just have to be careful. It would have been better to use a good block cipher (AES, Triple DES, blowfish, etc) and a simple mode like CBC. It's easy to code and still plenty strong if you reuse the same initialization vector. Even better would have been a newer mode like CCM.

  • by serutan ( 259622 ) <snoopdougNO@SPAMgeekazon.com> on Thursday January 27, 2005 @06:21PM (#11498178) Homepage
    I understand the reasons why everybody wants their computers secure, and that there's a lot at stake. But consider the security standards we accept in other aspects of our lives. If you have a 2-foot strip of metal with a notch in it you can open just about any car lock out there, and a crowbar can physically rip the lockset assembly right out of most people's front doors. Anybody who really wants to can get inside your house in seconds without undue commotion. All it really takes is brazenness, and maybe a hedge screening your front porch from view.

    If we held car makers and home builders accountable for security flaws, our houses and cars would look a lot different, and they would STILL get broken into. I wouldn't want armed guards patrolling my neighborhood, or to go through an airport-like screening at the corner, any more than I would want to live the RIAA's wet dream of requesting authorization to display any video, sound or image with my own computer.

    I wonder if the pursuit of total data security is a phantom, and we just have to accept a certain amount of risk and deal with it the best we can, possibly by not putting as much trust in our machines and networks as we would like to.

Whoever dies with the most toys wins.

Working...