Wednesday, December 19th 2007
Crypto 'backdoor' in Vista SP1
Microsoft is to implement a random number generator in Windows Vista Service Pack 1 which has a known flaw, described by security researchers as a 'back door'. The weakness could, at worst, allow an unknown attacker to decrypt EFS-protected data and SSL sessions such as used for internet banking and World of Warcraft logons. It's not all doom and gloom, however: the flawed RNG will be bundled with a second, more reliable version which will be selected by default. It does make you wonder why Microsoft have bothered implementing the flawed version, known as Dual_EC_DRBG, at all. The algorithm, approved by the American National Institute of Standards and Technology (which, for you paranoiacs out there, works closely with the No Such Agency), is based on elliptic-curve mathematics and uses a set of constants to 'seed' the generation. It has been determined by security researchers Dan Shumow and Niels Ferguson that these constants have a special relationship to a second, secret set of numbers. In theory, anyone who has the second set can determine what 'random' number the algorithm will pop out at any given time. Which has cryptologists such as Bruce Schneier suitably worried. By default Vista SP1 will use the CTR_DBG algorithm (based on the Advanced Encryption Standard) which is thought to be more secure than the possibly-backdoored Dual_EC_DRBG. As a result, a developer would actually have to make a concious effort to use the possibly-insecure algorithm and thus put the security of encrypted data at risk. Still, it's a disquieting thought that the heart of any system designed to offer users privacy could have such a major flaw and still get shipped to end-users.
Source:
bit-tech
8 Comments on Crypto 'backdoor' in Vista SP1
Ladies and gentlemen I believe we have the new form of low.
back in HS, me and a couple buddies used to hide stupid, childish, BASIC programs in emails and send 'em to each other.
My thought is either Microsoft thinks they can fix this and in a future update or security update will patch and switch it over to this. Or they are looking for compeditors to try Vista and remotely switch it on them and get freebie data . . .
. . . er wait I'm talking about Microsoft. This could never happen @_o LoL
But, no seriously its the patriot act :wtf:
A random number generator to generate strong security keys for each new secure connection, and protected files on a disk.
Even with the weak version it is still stronger than almost all pre-shared 128 bit VPN security keys. They are usually not randomly generated, and usually remain the same for multiple connections. Thus are more likely to be attacked and hacked. However no one jumps on Cisco, or any of the other large security companies.
With some of the stuff MS has going right now, like the laptop security, and drive security software. There is almost no way into personal data minus having a computing cluster, or a supercomputer to break the encryption keys.
This first would need to be broken at it's core layer, and that is only possible by a man in the middle attack, with either foreknowledge of the type of authentication that will be used, and a known private key n the client side.
I'm not saying that it can't be done, but the possibility that your ISP or someone on the backbone of the internet, has cracked your personal RNG's algorithm and knows what key will be used next, as well as that of the banks, and is in a position to crack your information as it is sent, and then forward it on without any additional hops or change to the packets as a good firewall will detect that and kick the connection, do the same for the traffic going back to you, and know what type of connection will be negotiated at both ends, and be sure that the traffic doesn't get rerouted, and if a delayed connection that is time stamped is used not add any real latency to the equation, mebey the could find your username and password for the bank.
EDIT: HEED MY WORDS!
Looking at this qute from the write-up ... It's possible that MS is including both in the event that CTR_DBG turns out to be more insecure than originally thought. They could then revert to Dual_EC_DRBG, or possibly an improved version for additional protection. After all, if CTR_DBG gets completely compromised it would then be less secure than the "possibly backdoored" Dual_EC_DRBG.
Looks to me like a CYA kind of situation.
Just my 2 cents.