Bugtraq mailing list archives

Re: Secure Storage of Secrets in Windows


From: olaf () BIGRED INKA DE (Olaf Titz)
Date: Wed, 19 May 1999 09:42:51 +0300


The Win32 API provides such a service. Although in the past it was found
that its encryption was rather weak, Microsoft claims to have fixed it,
no one else has claimed otherwise, and it's better than nothing.

Since this allows the encryption of user data and Microsoft is U.S.
based, the algorithm _must_ be weak. Otherwise they could have used
just RC4 with the password as key instead of RC4 with a 32 bit(!)
hash of the password. This is not Microsoft stupidity but U.S.
government stupidity.

With today's CPU power 32 bits of key is not better than nothing.
I could brute force that in one week with my single PC.

Olaf
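
An added example, not part of the original post and not Microsoft's code: it shows why keying RC4 with a 32-bit hash of the password caps the keyspace at 2^32 however long the password is, by finding two unrelated passwords that decrypt the same data. The post does not name the hash, so CRC32 is an assumed stand-in; all function names and sample values are constructed for illustration.

```python
import hashlib
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def key_from_hash32(password: str) -> bytes:
    # ASSUMPTION: CRC32 stands in for the unnamed 32-bit password hash.
    return struct.pack(">I", zlib.crc32(password.encode()))

def key_from_password(password: str) -> bytes:
    # The alternative the post mentions: the password itself is the RC4 key.
    return password.encode()

def find_colliding_passwords(limit: int = 400_000):
    """Birthday search over constructed 16-character passwords."""
    seen = {}
    for n in range(limit):
        pw = hashlib.sha256(str(n).encode()).hexdigest()[:16]
        key = key_from_hash32(pw)
        if key in seen and seen[key] != pw:
            return seen[key], pw
        seen[key] = pw
    return None

def keys_per_second_needed(key_bits: int, days: float) -> float:
    """Trial rate required to cover the whole keyspace in the given time."""
    return 2 ** key_bits / (days * 86400)

def demo() -> dict:
    pw_a, pw_b = find_colliding_passwords()
    secret = b"constructed sample secret"
    weak_ct = rc4(key_from_hash32(pw_a), secret)
    strong_ct = rc4(key_from_password(pw_a), secret)
    return {
        "passwords": (pw_a, pw_b),
        "hash32_opened_by_other_pw": rc4(key_from_hash32(pw_b), weak_ct) == secret,
        "direct_opened_by_other_pw": rc4(key_from_password(pw_b), strong_ct) == secret,
        "rate_for_one_week": keys_per_second_needed(32, 7),
    }

if __name__ == "__main__":
    print(demo())
```
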


