Microsoft Scraps Old Encryption in New Code

malebolgia   on 16 September 2005 - 21:10 · 15 comments & 2322 views

Microsoft is banning certain cryptographic functions from new computer code, citing increasingly sophisticated attacks that make them less secure, according to a company executive. The Redmond, Wash., software company instituted a new policy for all developers that bans functions using the DES, MD4, MD5 and, in some cases, the SHA1 encryption algorithm, which is becoming "creaky at the edges," said Michael Howard, senior security program manager at the company.

MD4 and MD5 are instances of the Message Digest algorithm that was developed at MIT in the early 1990s and uses a cryptographic hash function to verify the integrity of data. The algorithms are used to create digital signatures and check the integrity of information passed within Microsoft Corp.'s products. DES (Data Encryption Standard) is a cipher, used in many networking protocols, that encrypts information. All three algorithms show signs of "extreme weakness" and have been banned, Howard said.

News source: eWeek
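
A policy like the one described above is usually enforced by scanning new code for the banned algorithm names. The following is an added example, not Microsoft's tooling or code from the article: the `POLICY` table, the `banned`/`review` severity labels and the function names are assumptions made here, and the sample input is constructed.

```python
import re

# Policy as reported in the article: DES, MD4 and MD5 are banned in new code;
# SHA1 is banned only "in some cases", so it is reported for review (assumed label).
# Replacements are the ones cited in the comments on this page: SHA256 and AES.
POLICY = {
    "MD4": ("banned", "SHA256"),
    "MD5": ("banned", "SHA256"),
    "DES": ("banned", "AES"),
    "SHA1": ("review", "SHA256"),
}

# Match the algorithm name as a whole token inside an identifier, so CALG_MD5
# or hashlib.md5 match, but "description" and CALG_3DES (not named in the
# article) do not.
TOKEN = re.compile(
    r"(?<![A-Za-z0-9])(MD4|MD5|DES|SHA-?1)(?![A-Za-z0-9])", re.IGNORECASE
)


def scan(source):
    """Return (line_number, algorithm, severity, replacement) for each hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in TOKEN.finditer(line):
            name = match.group(1).upper().replace("-", "")
            severity, replacement = POLICY[name]
            findings.append((lineno, name, severity, replacement))
    return findings


def passes_policy(source):
    """New code passes only if it uses no outright-banned algorithm."""
    return all(severity != "banned" for _, _, severity, _ in scan(source))


# Constructed sample input: C calls using Windows CryptoAPI ALG_ID constants.
SAMPLE = """\
CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash);
CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash);
CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash);
CryptGenKey(hProv, CALG_DES, 0, &hKey);
CryptGenKey(hProv, CALG_AES_256, 0, &hKey);
/* description of the key derivation step */
"""

if __name__ == "__main__":
    for lineno, name, severity, replacement in scan(SAMPLE):
        print(f"line {lineno}: {name} [{severity}] -> use {replacement}")
    print("passes policy:", passes_policy(SAMPLE))
```

A name match only locates candidate call sites; whether a given SHA1 use falls under the "in some cases" ban still needs a reviewer's decision.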


Windows Vista Starter Edition
  • Only sold in emerging markets
  • Very feature limited
  • Only 3 simultaneous applications running
Windows Vista Home Basic Edition
  • Equivalent to XP Home
  • Includes firewall, parental controls, Security Center, Movie Maker, Photo Library and more
  • For first time buyer / budget conscious
Windows Vista Home Premium Edition
  • Everything from Vista Home Basic
  • Adds DVD video authoring, HDTV support, DVD ripping support
  • Similar to current XP Media Center edition but with added features
Windows Vista Professional Edition
  • Aimed at the business consumer
  • Can join domain, has IIS web server
  • Akin to XP Pro
Windows Vista Small Business Edition
  • Designed for small businesses without IT staff
  • Backup and Shadow Copy support, Castle and server-join networking, and PC fax and scanning utility
  • Pre-paid access to the Windows Live! Small Business or Microsoft Office Live! subscription services
Windows Vista Enterprise Edition
  • Optimized for the enterprise
  • Ships with Virtual PC & the multi-language user interface (MUI)
  • Aimed at business decision makers, IT managers and decision makers, and information workers/general business users.
Windows Vista Ultimate Edition
  • "The best operating system ever offered for a personal PC"
  • Superset of both Vista Home Premium and Vista Pro Edition
  • Podcasting application, Game Performance Tweaker, possible free music/movie downloads

#1 PharosBR on 16 Sep 2005 - 21:36
good
#2 waz on 16 Sep 2005 - 22:46
Hmm... I've just started using MD5 on my apps, guess I'll have to try something else now...
(2 replies) #3 mgleason007 on 17 Sep 2005 - 03:01
What the hell does banned mean? So no one will be able to use md5's to verify data integrity? Horsesh!t. Who the hell is MS to decide what kind of useful apps I can run on MY pc? Yet another reason I won't be switching back.
#3.1 STV on 17 Sep 2005 - 07:22
um...only the biggest software company in the world and like the world's 3rd largest company. That is who they are.

STV
#3.2 zachdms on 17 Sep 2005 - 17:10
mgleason: Read the article before stepping up on the soapbox. They are not disabling it for other apps, they are simply requiring MS developers to stop using (more) insecure crypto. So old apps can still use md5, but new MS apps should not be doing this. It's a win-win situation, really.
#4 dreamthief on 17 Sep 2005 - 04:02
This is one undemocratic and monopolistic decision that I gotta support. Those algorithms are really faulty. There are more secure algorithms to use rather than those outdated ones.
(1 reply) #5 mr_demilord on 17 Sep 2005 - 07:21
Why not Blowfish or Twofish?
#5.1 Jugalator on 17 Sep 2005 - 11:49
AES is a standard
(1 reply) #6 azz0r_wugg on 17 Sep 2005 - 10:30
So what will take their place?
#6.1 Jugalator on 17 Sep 2005 - 11:51
It says in the article... SHA256 for hashing, AES for encryption
#7 mad_onion on 17 Sep 2005 - 12:07
tbh I don't see how anyone can think this is a bad thing... yet some people still manage it

People complain about security in Microsoft products, and when they try to improve security in general that's bad too. I guess they must be two completely separate groups of people, but I doubt they are.
#8 redFX on 17 Sep 2005 - 17:16
I think the major problem with developers is that they don't understand when they have to encrypt and when they just need to grab a hash. No software I use that's PHP/mysql uses encryption schemes, they all use 32 bit md5 as a hash which is stupid really.
#9 tiwaris on 17 Sep 2005 - 18:26
It's good that they are ramping up on security, but I personally don't think that MD5 and DES are responsible for all the exploits and bugs that keep on popping out at regular intervals, it is due to poor implementation (coding).
#10 Hatter on 18 Sep 2005 - 19:48
I hope the Messenger group will abide by this, because as it is right now if you enable 3DES in Windows XP, you can no longer log in to your MSN Messenger account using any client.
