Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft Scraps Old Encryption in New Code



 By: Paul F. Roberts
2005-09-15
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Microsoft is banning functions that use algorithms that have become "creaky at the edges."

Microsoft is banning certain cryptographic functions from new computer code, citing increasingly sophisticated attacks that make them less secure, according to a company executive.

The Redmond, Wash., software company instituted a new policy for all developers that bans functions using the DES, MD4, MD5 and, in some cases, the SHA1 encryption algorithm, which is becoming "creaky at the edges," said Michael Howard, senior security program manager at the company, Howard said.

MD4 and MD5 are instances of the Message Digest algorithm that was developed at MIT in the early 1990s and uses a cryptographic hash function to verify the integrity of data.

The algorithms are used to create digital signatures and check the integrity of information passed within Microsoft Corp.s products.

Resource Library:
DES (Data Encryption Standard) is a cipher that is used to encrypt information that is used in many networking protocols.

All three algorithms show signs of "extreme weakness" and have been banned, Howard said.

Microsoft is recommending using the Secure Hash Algorithm (SHA)256 encryption algorithm and AES (Advanced Encryption Standard) cipher instead, he said.

The change is part of a semi-yearly update to Microsofts Secure Development Lifecycle policies by engineers within Microsofts Security Business & Technology Unit.

To read more about the importance of encryption, click here.

Developers who use one of the banned cryptographic functions in new code will have it flagged by automated code scanning tools and will be asked to update the function to something more secure, Howard said.

Eventually, the company will also remove vulnerable cryptographic functions from older code, though that will take longer, he said.

"Threats are constantly evolving, so its important to stay one step ahead," he said.

"Its about time," added Bruce Schneier of Counterpane Security Inc.

Microsoft should have ended use of DES, MD4 and MD5 "years ago," and is only being prudent in doing so now, Schneier said.

However, the companys "case by case" approach to banning SHA1 is more aggressive, considering that theoretical attacks on that algorithm only appeared in February, Schneier said.

The theoretical attacks on SHA0 and SHA1 were developed by Chinese researchers and have some experts predicting that those algorithms will soon be considered too vulnerable to rely on.

The NIST (National Institute of Standards and Technology) has scheduled a workshop in October to discuss alternatives to SHA1.

Using vulnerable encryption algorithms could expose sensitive data in Microsoft systems. But attacks on those algorithms are still unlikely, given other, easier to exploit holes in the software, Schneier said.

"Theres just so much thats worse," he said of the other security holes.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Microsoft Scraps Old Encryption in New Code
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Paul F. Roberts
 


x}v6Ew>-5-YKNgw!1EjHʗdߟK3nt$_:l;i["PU( AH c-JХ&$4I5*2du%CԲ>Hnw2v53OL ~}@nmFwD%x_'Щ=ѩ€wɄ_jx/S}L=F\3Ѣab ^Pk$ȁ_ xEJrD%ߙE!xeG$oQP}ؾ䙿Q=2p|ߙS6BT!|HJ%hGQu37;z'fgB(ƻFzir7@Sѡ*v25vKn@^ cLȾ𷭻7ԇɿTu6{R#-,v2I*-b;:9z u08bqj9lfOM nO%(֝9 ]ӧ^bARxfhQ/*!1lpn+j!y'A?̠cE[#Uֶ5]f:s8$sz3rx󜰑Hr6н /t踺o:vtT`_eY73mhÛM}yhijPʊr+%_9ߋWwm8we{2g:7j/ݖRT5MQ*E2C|,ݾжG^׵Vh7O:Y\t>7Zwv@Z d}+5 9`Z,rG8y_4'6tt^XyFFI/ln+9MюR>ƹY3(2,TYީdni\WWn'W7fٚY jiEd-_Y1o!VkiK:Wy"+|q.5 0\6:֪׷V1?x?-u=kh2 `=t8LsrP{dN;'/ 2Oǭ H|;)nCzn{&j ݒEdB:X]KŗGɏ5|#Úy >L[7ȔSHu t^uEjR᭱J+҄M9B:A`ܼfNR49V͠8蟉$Wm4@r1XSl؅ Ro4% X\U>hq"E[Ţ goF". 2#zB(pHqbFN쥺bϡ{eusCzlNVҒ+1Wb{熻(!y޾Yt8%EڍnS3G#вnZaM}{Q++JjGyxQѯ+&rN f[Ԗ-P)uguov~OCZE>Otvϧ0@@=: M/6C˥vnpb>#ä7Xxȿ] cO%_ <)fՌV=H:6(Z׃`c˦M@B9;ǽޚB,Qݻi{`y1&բw@AXtu'C}Q({r`@ݛS9·[ݴiǀԘ)3jJdN˕ }*@F.$H@|t"AђF (4 g3cX"C"'A7W;.V \(y" m':Z髅}!vn4 {TKh!+K@fsf`(4{~X9!{MfT`[ᛥDKak`F^bN+DMASII\;ZU*.36iÔCПϦϡ Gx~lj7˄87F#shB?>fѺ)Eu&玈C3^ ~2Ӄ-=Ȣ&5l}ja l4Tw)fFfOw |ZX`>q|I0ŧ5+=;dp; y_(ܼ? b>H 8_gMYh(`'pC!f8S%yew{RńgaE8F<b5k%ӻnR7=KęR48')LasW|]Ө@KӬXKuoo[1(ĿKúJj!w -Ho`koռE_xue8HaK-#r`}έE6Kh/00Ϳɬ];6Ϟ#+9UV*U&G,-3\tib9'y< ,D0(2n( R&a+LҨ`OgAu,0Hww>O?}]Pap‘"]jA4dKx@U)L19b 2"*[PTB8ᦼt߀buXQ ]:}Rː 0gted{-> ITʥfrhEU-jT9 ^ Wٹ2:ƛ! wF#~y90;_a4uҧה{{}u>pȥK-ދ cZ$ c`׊  +RUs5s bSxt b*䲢-?}+]>F]h!.־3 X@P A6+8SӞ,ϭi~\!'؁-_k>S ,r޹e=Re'WVPqi=p;xz跸4g@^5{??êažJRΩ5oVyE0֫v-fdaDGw8bC-YM~gӭH5ysV9y]%fZ+f1yߚޢUzrylIdϲgf;ت+_Nt8ߙ]?`̧v/W e05u 2 \S1ÛL>Um{2~ &:Ω0-aNx[2|'@dk)3NQƫgrf>+RL>lv''{GwDF$ۭǤ#̍oe?f#J7pT J $ +A:e̡'sWqD}[{RUO4ịV3C2 e 4v=.EЋv}c]MDo4Ac#&a\ixm"=Z1Mu @mw53UXC8fSql'iV&p]w3M">ҁh 03R^++obP[/IS0:;b4Dޏ.}i4}ֹIgv0qn{qNkv. 39o4?{0cq O4 }Ej^6~>$#:.Nf-ø@oٳP K1#D1>`xߋ]=co/맧͋a4/ėdO:?wDZ͋u׹< rDpA.YF>9i5WǍ5@k;d4ɱ(3zi8 6 B@ y˸tNWY0z!BZUc1z Aq81K7xExW(kpL6bsZ;tZNdp j]h㿜QG$ r$0rJ`":Q9;6?m[ħ{, /䎑=:$SQ([wiQuKb)-|B<9sxР#%tBI[<Y'ƈ&H. 觡fr5Z!*=[eb{@ذƇ{6wg3K;/̃,P-Y+HB$/i\A1'V0V#["| -& +y-EY-Vy;I81 <}<\9$YguOJIbӝmbi,i;x9 vb;2x;xZ1?ݮpnezjo;t =z{j]Sq A/g]s>ͥ0qj8;e=/P.jsRɵi:3S7UЪ3d]YFsFΚowؓ9P7˝۽dNiamǡ850z^t,4P$YUղZ-WU $]te% >&Yp2&jlځ{-3(!GvoC]^l_sT7?Wgp w. z 7>+-R!EEwWcU OWyiQrȓEDo!i>Ro14+-*z3]}z[fvÏ9"i !N;x4dtY ~AXYuwVo2l8s@2s&8lqd3h l?|nwkJdjl 8!Q"hdoMp٢h2[" a' jYC,G p$|+؊w'GG?[M򽵢zp:qp*/9ۯLmZS|  \(.i{\na.'xy7pe\ڊ}fK~~'v/il`05xnVЌ̳$tQUsR'2&_fX^''\/G_zX֕8үsfDUHobcFxj *uJs(s\`g3!?*G><YiU)Fg6. /pe=儸%N HB1T0wzt">b 3G{ipQyk51%&Uv@٠Ŝ$,!ue"8/Ãd'Zw>SpG|6d(Nۼ,X FR˱~>w(P6ʭ1˝yAZH jMA>wBdt5mhvEBpOӔ׆.H[<8H=zgadS?6gYIlOT _p'(,}ǽ.5}/E/˳/Iov!D= T};MR,0A樘/il]ME~+܀ O-+'Y?[b*3pfF&4 Ȧ>#'u (3b21+)kؘjʿɠ>mj#aeѶY}D/{j17\OxZ]*Z%uI1'4LҢL+a  3O&[` +j;2RIZ]]9cPuK:@?~wHǮs灠~fWxҵޠUq+)^&hě$IM&mlM& |]hMsCU4)l+g@[ \dmabQH-u8H|N-)*D "<>N7tV.}$-2zmX%lYKV~'יڎA-TsuC !sRxLPӈ0gsU 8AோឃJB^~Nd"+]f5eqp%8 Zdddd~'VԴӝ̑Jz_srz ҵIiP]*Ņ a>L0Wޯ2]u&m OFlsǶza#*`gbR?0}8t%\ 7 E! x'/@h1gά;cFtQ=-9( =סi&`N5$4#:ao2 M6Tr0!)n`Z~3};.:x+/LѡU-9U8%Wg>Q` O~^3tܱn$.79S^7%v ""!M~3{z }wPo>o>o>o>WJ}viRA"ʮ c0E&].ccz{$xo$ {_[!lBvx;3mݲՠtxưo|Do u6~7~+3O=!['+PT%f+/KmM;0eoB% aȚ GKzB"[=/ ^ׂ^u=hx3zD8$tEG^+ {v½/K[CAjcJ岦u UIPuޕHOtd=)y|<7-@Х+[=,׍D^W1:6@t#~M5Cf?OjxP5Փ6|i#[ᅕtX7` ZzZK"8ƛv0E%omyW|}Ϟ[ Z! X1ϖ7F.)Jh S̙\hDW{Pt'߂]~ҿ!F&wmZm/f aJsvm6Xooڔ:fFR3o ZߦLjm_mau ^nF/߹lȪhF̲.:t)y۴RIR#6=5Լجw=>(' ƗY'R ZHgc9#y`0T2̬,>dn<fȣy|+1;>Sj έco(x_ڳK۪_ObW-J F`ꖵX 'Cat`b%1Y~Gj wZl(d-cPC٩>hwWkgrxsRyXFʼnݱYx\(Z@lng+h)T9T\]2| 5;IH !:-Br86_}w/2yWA3 0.$o,S\%ͦ0ڿ0 PCu&[y珱oD= ? KD)PG%A~03u?~/#&>y| [D p\x?G*noF@ M| o:| ZsʉmOWxLI-qmb2B,o {.C,6a Ⱦ3[ĆWc#cYx|^C7i.Fe9LXPOl b$FyA x!Fv{Kb+.I6u;$Q`+jj5A^ GM0!ckr|D,?t"V.+>l?QX2q )_R6`;TPm.MEfNȢi4\1\Zr^:XuRE.$˘x< g&OgLHkĘx=l8vlNz tFuT Y*Z!3sqwCaͧ58֍qꓚbfƆX50VzZ3XvX5ĮVڹ֪q1yK,yΜmP™UDUЩâ-*<1;,u ^vAO$R(#ZƒM Ӱp-|2I?NRUB9wqfۘrT#-b|4[o_C)%WCGbQXJ#-<6|z`nJ\ڣn#  Z>W.&0o@3Rtafm5D&ˇtxZډ\Dk$P8{s^@r|w\כ5Q#KǃP xWx.5"¯[I{i >diӹDS:u^`#i7t]st Ws> aqPt^۫u`%g!?̊ۂbo5Jۅ]aIJ\#%N&0rۺmx׌eS$:N#bV¯R^fJx+nO5qKY%Xb fZ#ZIh-%5J3,>4¿D\ E d )E[)|Udwߠ~z*ܟOjf} Br{=m~#Ɩŷ}*티4; X4>;(17uҤ`(8N!:|x&KVxKB?{tQfـjcEf~9:td;%6ȭT<$&s؏py;$N!,E||z['AU}H>Kl18hb#3@|0\ǵ; PoEjz.zxX26 <S]P h}`fYǾʀ9$.+Ja S3 xt%lˮ:7pa)~rEAHSe^~36?^]tvHE ?3*⊌F2*mM]nI79k4Nc-i`Ik@Jz>&'qbx c^dN& dZ_jAxv|4/[7 T6CĊ1gKi6%_A1R| Q tR|=tQ:..( oIYP,(ϏB5ētcSJDmn$|s ^u6|XL?q9"([]ă0T]w7ّ_O*Ayp͒uf~6t ZR1E&=2db[7g%iD<&1.ycq ^yN4Xɭ=jpm?-o= =܇>RXX_1[)%< L겂OJBveX zqkwy= NfQ3{8~mBOcz%29uW0`A5#i2bg4t\K-;HIQko7}3e 9\:9j4Hqykv.qչƓN֊_,'ԝ闓嗳EyLfbv>L4mME`ڳy<2 gv)sC9-j6WC\R9V^JM-(J*Q^e5DM@ +8 C!~jԊjm9ޗ g5^L˒sFN#EYU9mzx9l0}5S܄qP BvIt.Z`Rbc+#L)I)'uzJy;)@FJ /?CJ?|Oϛys}y4SkC)CL"LnRʿ/oV |jiNoNOolgŸ()_|)P~R(GJy)0){s"?0~)ׁwRI?/r qeW?W))wn =^ ~ח_sZ99@)rSڿN\'I)S~ SBv/"苴K Oi射8K)@y>+*P/ҮuR:s?S/)^}NV&/˓i|]!,.5PVO[k3/YSݴQ TVl<-t&l\ef(-@B^@abPzC,?fЯ~qžnEտh|ZͱOWUq49ŲpN!3J01| H-M ԳpNz?8 a箨%g`;!J ۘs~o̮Fh@R%| WK[- b=]_rdRL`FTMVY)q0ZQ%rF(B4|O۴W ]7tCrc<{+4wаY-P=^?"K&^kUv]ŗ1 {7/X<gu~oG2d S%bbj{ˈD`T|Jx^̽Y p+wH2hؐM ؒ9Nح? |vLJ3{?7gB΄[4пCs%(uL R>X ءfn%c$QVɐ"9<61wH P,dj#V}ܣ 0luy9o"zj.Ǔ(0z.:Ƥe @ މ&agMu̸Ʈ,/]Nd~$pOf@L V(6>'޺$b5V$ǖ2x[%05%Yq1ldfqA(we6Lm (K,r'37$ \ؓǀJq}tPpzuuʱ D>b类Ɲ Z;Xœj@@|v~jzCfB~ήTǓȘW b0F>K_cH0q?JhBv]!6 R Ň%Oi٭1/s}Lx F ]OxŶ/G=& L1r^ ɡ=$>}T.Q 5sEEבE,&JhӄZ{fBN`';=Ǧ1eo;^/X% #,xH𵝦NԣM-N2LTK~Pڄ!نIf;W1gFy`IϐRȿK)q< h k۩#tZwkdY9H|&zU p$.6=j"2: gK“J'rJo0^R s]qSum c|@ăx!$kUp|"DϷϒƔLU"z̴4;Dl3%Yz'ޒ{־0 ;C?BشpFJt\r$pfP'\w|7(6؋|!Og rw<p2I0n9ivs[D:9A&{x =Pŗ;6) m'#8>\mQ޺%76x}RG1Su ZU|J6A1ZEi#{@ ](ۉnFTx %`GYU`Kr[Vmx4:~;ݺkӋUg{**u9\7l-* XGڢZuQaW8n`Ppq9qf,iJ(aZ!%իr-^cdX$֬-LE")ԝa:(eG z|k|FXKz:\Mhcy0ѕDM1F(ͧ,13,@\փ W{څGSY6:|,݀bVS"Nd׊2q-9=O9N*D#la,8>r3 ekEj j.t3R0yqBA0Sa2$Y