Nullsoft's WASTE communication system

Eric Rescorla ekr at rtfm.com
Fri May 30 11:54:52 EDT 2003


Bill Stewart <bill.stewart at pobox.com> writes:

> http://www.nullsoft.com/free/waste/ - Overview
> http://www.nullsoft.com/free/waste/security.html - Security section
> http://www.nullsoft.com/free/waste/network.html - Network design
> http://slashdot.org/article.pl?sid=03/05/29/0140241&mode=thread&tid=126&tid=93
> - Slashdot discussion
> 
> 
> Nullsoft, who did Winamp and Gnutella, just released a package called W A S T E
> which does encrypted communications within small groups of people.
> It doesn't appear to have had outside analysis of its security yet,
> but they do invite it, and they say it needs some work.
It's utterly baffling to me why people like this choose to design
their own thing rather than just using SSL. I've looked through their
design documents and glanced at their code; they don't provide any
security features that SSL doesn't, and they appear to have made a
number of questionable design decisions:

(0) Their messages don't appear to have any sequence numbers, making them
    potentially open to a wide variety of integrity attacks. They have some sort
    of guid but unless you intend to keep a record of all guids through
    a session (horrible) this is only a partial fix for replay and 
    not a fix at all for removal.
(1) They use MD5 instead of HMAC for message authentication. Scary.
(2) They use the same encryption keys in both directions. At least
    they have the sense to run separate PCBC counters. However,
    based on the code it doesn't look like they reset the PCBC
    counters after a bad message is received so you may be able to
    mount a reflection attack.
(3) They use Blowfish (why not AES?) in PCBC mode (huh?)

I don't think it's worth much time analyzing this... Just one
more case of NIH.

-Ekr

-- 
[Eric Rescorla                                   ekr at rtfm.com]
           Web Log: http://www.rtfm.com/movabletype
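As an added illustration of points (0) and (1) above, written for this page and not taken from the mail or from WASTE's code: the constructed framing below binds an 8-byte sequence number to each record under HMAC-SHA256 (the key, record layout and receiver classes are all assumptions), and the two receivers show that a GUID-only check catches a replay but lets a removed message pass unnoticed, while a strict sequence check rejects replay, removal and tampering alike.

```python
import hashlib, hmac, os, struct

KEY = b"constructed-shared-session-key"  # assumption: one shared session key for the demo

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def seq_record(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """seq(8) || payload || tag; the MAC binds the sequence number to the payload."""
    body = struct.pack(">Q", seq) + payload
    return body + mac(key, body)

def guid_record(payload: bytes, key: bytes = KEY) -> bytes:
    """guid(16 random bytes) || payload || tag: a per-message id with no ordering."""
    body = os.urandom(16) + payload
    return body + mac(key, body)

def verify(record: bytes, key: bytes):
    """Return the authenticated body, or None if the 32-byte tag does not match."""
    body, tag = record[:-32], record[-32:]
    return body if hmac.compare_digest(mac(key, body), tag) else None

class SeqReceiver:
    """Accept only the next expected sequence number: replays and gaps are both rejected."""
    def __init__(self, key: bytes = KEY):
        self.key, self.expected = key, 0
    def accept(self, record: bytes):
        body = verify(record, self.key)
        if body is None or struct.unpack(">Q", body[:8])[0] != self.expected:
            return None
        self.expected += 1
        return body[8:]

class GuidReceiver:
    """Remember every GUID seen: replays are rejected, but a removed message is never noticed."""
    def __init__(self, key: bytes = KEY):
        self.key, self.seen = key, set()
    def accept(self, record: bytes):
        body = verify(record, self.key)
        if body is None or body[:16] in self.seen:
            return None
        self.seen.add(body[:16])
        return body[16:]

def run(receiver, records):
    """Deliver records in order; return (accepted payloads, number rejected)."""
    results = [receiver.accept(rec) for rec in records]
    return [p for p in results if p is not None], results.count(None)
```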



---------------------------------------------------------------------
The Cryptography Mailing List