News: 1998 Archives
Random Acts of Cryptography
For encryption developers, a secure system is only as good as its pseudorandom number generator (PRNG). PRNGs produce unique keys that can lock and unlock encrypted data. But Bruce Schneier, president of Counterpane Systems, says that PRNGs lack security and portability.
PRNGs generate numbers based on a variety of factors, such as a user’s mouse movements, and store this data in an entropy pool, which is later tapped by security software to create an encryption key. PRNGs fail, insists Schneier, because hackers can intercept the entropy source and thus predict the output. His response is Yarrow, a new PRNG with an expanded source that creates a larger, less predictable pool. “We’ve added new randomness,” says Schneier of Yarrow’s unique entropy pool, “like radio noise, arrival times of network packets, and disk-drive latency. Even if the source is turned off,” he says, “it still works.”…
Cryptographers Seek DES Successor
The successor to the aging Data Encryption Standard (DES) will begin to emerge this week as some of the world’s top cryptographers convene to review proposals for a new, advanced encryption standard.
Officials at the National Institute for Standards and Technology (NIST) will kick off the first round of “evaluation and analysis” of proposed DES algorithm replacements at the Advanced Encryption Standard (AES) Candidate Conference in Ventura, Calif., later this week.
“This is sort of the debut of the candidate algorithms and the opportunity for any interested [cryptographer] to find out how they work,” said Miles Smid, manager of NIST’s security technology group…
Strong Cryptography Can't Protect a Weak System
Despite oven-hot July heat, a recent trip to Las Vegas to hear Bruce Schneier speak to IT security pros and customers at the second annual Black Hat Briefings (www.blackhat.com) was well worthwhile.
In remarks titled “A Hacker Looks at Cryptography,” Schneier punctured the hype that often surrounds his own area of expertise. You might not expect to hear Schneier, author of the widely praised book “Applied Cryptography,” reminding an audience of a comment that’s often quoted, but that neither of the suspected sources will admit to having made: “If you think cryptography can solve your problem, then you don’t understand your problem and you don’t understand cryptography.”…
Twofish Heads to Washington
A team led by Applied Cryptography author Bruce Schneier has invented a new block encryption algorithm and submitted it for consideration as the next new federal government standard for data scrambling.
Twofish, the sequel to Schneier’s 5-year-old Blowfish block cypher, was submitted last week to the National Institute of Standards and Technology (NIST) for consideration as the Advanced Encryption Standard.
Twofish is designed to be flexible with respect to the necessary performance tradeoffs between the creation of a “secret key” and execution of the actual encryption. As such, it is well suited to large microprocessors, smart cards, and dedicated hardware…
Firm Finds Big Security Holes in Windows NT
Flaws in Microsoft Corp.’s Windows NT software threaten the security of companies using the Internet to tie together their far-flung corporate locations, a computer security consulting firm declared on Monday. “We were able to sniff passwords, eavesdrop on the networks, and passively do traffic analysis,” said Bruce Schneier, president of Counterpane Systems Inc., of Minneapolis, Minn. “Any Microsoft NT server on the Internet is insecure.”
Counterpane discovered the problems while doing a security analysis on a Windows NT, an operating system used by a swiftly growing number of corporations as the foundation for their computer networks. Microsoft confirmed the security problems later the same day…
Cryptographer Slams NT Security
A top cryptographer said Microsoft’s version of a key protocol in Windows NT is so flawed that users should avoid using virtual private network software based on Microsoft’s Point to Point Tunneling Protocol.
Bruce Schneier, a noted cryptographer, said the PPTP in Windows NT 4.0 is so broken it can’t be fixed with patches—a position that Microsoft disputes.
“I believe it’s fundamentally broken,” said Schneier, who authored a widely used cryptography textbook. “What we’re seeing is the basic problem of proprietary security standards. These are really dumb mistakes, kindergarten crypto.”…
Windows NT Security Under Fire
Listen to security expert and consultant Bruce Schneier and he’ll tell you that Windows NT’s security mechanism for running virtual private networks is so weak as to be unusable. Microsoft counters that the issues Schneier points out have mostly been addressed by software updates or are too theoretical to be of major concern.
Schneier, who runs a security consulting firm in Minneapolis, says his in-depth "cryptanalysis" of Microsoft’s implementation of the Point-to-Point Tunneling Protocol (PPTP) reveals fundamentally flawed security techniques that dramatically compromise the security of company information…
Crypto Flaw Found in Microsoft Net Product
MINNEAPOLIS—A computer security expert will announce today that he has found a flaw in Microsoft Corp.’s implementation of a communications protocol used in many virtual private networks.
Bruce Schneier, president of Counterpane Systems here, said Microsoft’s implementation of the point-to-point-tunneling protocol will lead to compromised passwords, disclosure of private information and server break downs in virtual private networks running under Windows NT and 95.
"Microsoft’s implementation is seriously flawed on several levels," said Schneier. "It uses weak authentication and poor encryption." For example, he said Microsoft employed users’ passwords as an encryption key instead of using other well-known and more secure alternatives…
The Final Word on Cryptography
SunWorld readers say this book makes the incomprehensible clear
Abstract
Though two years old, Bruce Schneier’s Applied Cryptography, Second Edition still stands as the definitive work on its subject. It attempts to explain why cryptography has to be so complex and mystifying, and bring clarity to this complex topic, even for the nontechnical reader. (2,200 words)
Two months ago, I made the assertion that there is no book on cryptography that is both readable and nontrivial. I even offered a prize to the reader who could convince me otherwise. The responses I got were a bit embarrassing, because I was clearly unaware of a work that an overwhelming number of …
The Bookstore: Applied Cryptography
If you are seriously interested in computer security, then Applied Cryptography by Bruce Schneier is a must-read. The book is exceptionally literate and accessible. Schneier keeps your attention with statements like, “It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.”
The book is both an introduction to the field and a comprehensive reference. Although some areas could have been covered in more detail, that might have turned Applied Cryptography into an encyclopedia (the book is 758 pages long). Schneier manages a fine balance between conveying information and covering all important topics. The five parts of the book cover cryptographic protocols, including public key, digital signatures, key exchange, and digital cash; cryptographic techniques such as key length, key management, algorithm types, and hardware encryption; cryptographic algorithms including block ciphers like DES, public key, key exchange, and identification schemes; the real world including example algorithms and politics; and source code…
Review of The Electronic Privacy Papers
The Electronic Privacy Papers is not about electronic privacy in general: it covers only United States Federal politics, and only the areas of wiretapping and cryptography. The three topics covered are wiretapping and the Digital Telephony proposals, the Clipper Chip, and other controls on cryptography (such as export controls and software key escrow proposals).
The documents included fall into several categories. There are broad overviews of the issues, some of them written just for this volume. There are public pronouncements and documents from various government bodies: legislation, legal judgements, policy statements, and so forth. There are government documents obtained under Freedom of Information requests (some of them partially declassified documents complete with blacked out sections and scrawled marginal annotations), which tell the story of what happened behind the scenes. And there are newspaper editorials, opinion pieces, submissions to government enquiries, and policy statements from corporations and non-government organizations, presenting the response from the public…
Book Review: The Electronic Privacy Papers
This is not an academically neutral book on the subject of privacy. Both Schneier and Banisar are security and privacy advocates of long standing, and they like to refer to the information superhighway as the information “snooperhighway.” Here, they have collected previously classified documents from both government and industry sources. Coverage includes digital wiretapping, E-mail security, cryptography, the National Security Administration’s perspective on telecommunications, the clipper chip, softkey escrow, and much more. Recommended for all libraries…
Sidebar photo of Bruce Schneier by Joe MacInnis.