Vista SP1 bringing back door exploit?
By Stuart Turton
Posted on 18 Dec 2007 at 16:08
A US cryptographer is warning that the random number generator Microsoft is bundling with SP1 includes a backdoor exploitable by the National Security Agency.
Random number generators are important because they provide the bedrock for SSL keys, which ensure secure internet communications for web browsing, email and instant messaging. Breaking the random number generator could leave user communications open to interception.
Security blogger Bruce Schneier believes this is precisely what will happen to the
"Dual_EC-DRBG" random number generator employed by Vista.
"There are a bunch of constants - fixed numbers - in the standard used to define the algorithm's elliptic curve," he says on his blog.
"These numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key."
"To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG."
Schneier believes that this "secret" second set of numbers are held by the US's National Security Agency, one of the agencies which he claims championed Dual EC-DRBG as a cryptographic standard.
Microsoft hadn't replied to request for comment at the time of publication.
From around the web
advertisement
- Laptop bag reviews: nine tested
- Sony VAIO T Series Ultrabook review: first look
- Revealed: the military standards and robots HP uses to test its laptops
- Windows 8: multi-monitors and double standards?
- Why is TalkTalk's year-old porn filter suddenly big news?
- Why are laptop screens so far behind mobiles?
- HP EliteBook Folio review: first look
- The shoebox-sized all-in-one printer
- Forget the Ultrabook: here comes the HP Sleekbook
- HP Spectre XT review: first look
- Why you have to be left in the dark on OS patches
- Is Microsoft mismanaging Windows on ARM?
- Dealing with spam surrogates
- Why 3G broadband can be better and cheaper than ADSL
- Is Twitter bad for business?
- Publishing your email address isn't a security disaster
- Why you'll need a fax machine to develop iOS apps
- Learning to adapt to the mobile web
- Why you shouldn't use WPS on your Wi-Fi network
- Disabled users suffer when software breaks the rules
advertisement
