News: 1998 Archives
For encryption developers, a secure system is only as good as its pseudorandom number generator (PRNG). PRNGs produce unique keys that can lock and unlock encrypted data. But Bruce Schneier, president of Counterpane Systems, says that PRNGs lack security and portability.
PRNGs generate numbers based on a variety of factors, such as a user's mouse movements, and store this data in an entropy pool, which is later tapped by security software to create an encryption key.
The successor to the aging Data Encryption Standard (DES) will begin to emerge this week as some of the world's top cryptographers convene to review proposals for a new, advanced encryption standard.
Officials at the National Institute for Standards and Technology (NIST) will kick off the first round of "evaluation and analysis" of proposed DES algorithm replacements at the Advanced Encryption Standard (AES) Candidate Conference in Ventura, Calif., later this week.
"This is sort of the debut of the candidate algorithms and the opportunity for any interested [cryptographer] to find out how they work," said Miles Smid, manager of NIST's security technology group.
The AES conference is being held a few days before the International Cryptographer Conference, enabling leading cryptographers from around the world to review the proposals, Smid said.
Despite oven-hot July heat, a recent trip to Las Vegas to hear Bruce Schneier speak to IT security pros and customers at the second annual Black Hat Briefings (www.blackhat.com) was well worthwhile.
In remarks titled "A Hacker Looks at Cryptography," Schneier punctured the hype that often surrounds his own area of expertise. You might not expect to hear Schneier, author of the widely praised book "Applied Cryptography," reminding an audience of a comment that's often quoted, but that neither of the suspected sources will admit to having made: "If you think cryptography can solve your problem, then you don't understand your problem and you don't understand cryptography."
In his talk, Schneier added a bit, so to speak, to the popular top-10 format, building his talk around the top 20 causes of cryptographic failure. "Most cryptographic products are not secure," he asserted, emphasizing that cryptography itself is stronger than it generally needs to be, while the rest of a crypto-based system often falls short.
A team led by Applied Cryptography author Bruce Schneier has invented a new block encryption algorithm and submitted it for consideration as the next new federal government standard for data scrambling.
Twofish, the sequel to Schneier's 5-year-old Blowfish block cypher, was submitted last week to the National Institute of Standards and Technology (NIST) for consideration as the Advanced Encryption Standard.
Twofish is designed to be flexible with respect to the necessary performance tradeoffs between the creation of a "secret key" and execution of the actual encryption. As such, it is well suited to large microprocessors, smart cards, and dedicated hardware.
Flaws in Microsoft Corp.'s Windows NT software threaten the security of companies using the Internet to tie together their far-flung corporate locations, a computer security consulting firm declared on Monday. "We were able to sniff passwords, eavesdrop on the networks, and passively do traffic analysis," said Bruce Schneier, president of Counterpane Systems Inc., of Minneapolis, Minn. "Any Microsoft NT server on the Internet is insecure."
Counterpane discovered the problems while doing a security analysis on Windows NT, an operating system used by a swiftly growing number of corporations as the foundation for their computer networks. Microsoft confirmed the security problems later the same day.
VPNs increasingly popular
The flaws weaken the security of so-called "virtual private networks," or VPNs, based on NT and point-to-point tunneling protocol, or PPTP.
A top cryptographer said Microsoft's version of a key protocol in Windows NT is so flawed that users should avoid using virtual private network software based on Microsoft's Point to Point Tunneling Protocol.
Bruce Schneier, a noted cryptographer, said the PPTP in Windows NT 4.0 is so broken it can't be fixed with patches--a position that Microsoft disputes.
"I believe it's fundamentally broken," said Schneier, who authored a widely used cryptography textbook. "What we're seeing is the basic problem of proprietary security standards.
Listen to security expert and consultant Bruce Schneier and he'll tell you that Windows NT's security mechanism for running virtual private networks is so weak as to be unusable. Microsoft counters that the issues Schneier points out have mostly been addressed by software updates or are too theoretical to be of major concern.
Schneier, who runs a security consulting firm in Minneapolis, says his in-depth "cryptanalysis" of Microsoft's implementation of the Point-to-Point Tunneling Protocol (PPTP) reveals fundamentally flawed security techniques that dramatically compromise the security of company information.
"PPTP is a generic protocol that will support any encryption.
MINNEAPOLIS — A computer security expert will announce today that he has found a flaw in Microsoft Corp.'s implementation of a communications protocol used in many virtual private networks.
Bruce Schneier, president of Counterpane Systems here, said Microsoft's implementation of the point-to-point-tunneling protocol will lead to compromised passwords, disclosure of private information and server breakdowns in virtual private networks running under Windows NT and 95.
"Microsoft's implementation is seriously flawed on several levels," said Schneier. "It uses weak authentication and poor encryption." For example, he said Microsoft employed users' passwords as an encryption key instead of using other well-known and more secure alternatives.