19th Dec 2007, 11:57   #1
CardJoe
Player Character
bit-tech Staff
 
Crypto 'backdoor' in Vista SP1

http://www.bit-tech.net/news/2007/12...or_vista_sp1/1

Microsoft is due to ship a flawed random number generator with the latest Windows Vista service pack, which has the potential to put your encrypted data at risk.


19th Dec 2007, 18:46   #2
Cupboard
I'm not a modder.
 
Even including it is a bad idea - someone will use it, either accidentally or being secure only for the pretence of being innocent while some data is nicked. It is a broken feature, with no legit use that I can see, that just serves to increase the bloat.

Silly MS... oh well.

Do we know why they didn't just forget about it and quietly remove it?

19th Dec 2007, 20:22   #3
Starfighter
Multimodder
 
So, in order to organise an attack on a computer, a malicious user would have to somehow alter the code of an application, so that it used this flawed PRNG?

This is hardly an issue, as if a malicious user is changing program code, surely he could just make it use his MAGIC_PRNG, which always returns ... 2?

But that would hardly generate a front page story eh?

19th Dec 2007, 21:55   #4
sendrome
the whole #!/bin/sh
 
I don't think this makes Vista less secure.

OK, sure, the Dual_EC_DRBG has a potential back door, but no one knows for sure who has this second set of secret numbers. We do know that no one has published this "Skeleton Key" yet and there is a chance no one ever will. Also, because it is off by default, average users most likely won't ever enable this setting on purpose or by accident.

But yes, it does make one wonder why MS wouldn't just exclude this flawed encryption.... Conspiracy?

20th Dec 2007, 10:53   #5
DeXtmL
Modder
 
Quote:
Originally Posted by sendrome
But yes, it does make one wonder why MS wouldn't just exclude this flawed encryption.... Conspiracy?
Indeed, why keep this flawed version of the random generator in the not-yet-published SP1? What difficulty makes Microsoft think it's necessary to ship the potential backdoor to us end users?

25th Dec 2007, 00:51   #6
completemadness
Hypermodder
 
It's already in Vista (and all other NT-based OSes).

I'm guessing it's not because they've put it in, but because they haven't taken it out.
It might actually be difficult to remove it in a service pack.

All times are GMT.