Word and Excel have RC4 flaw, claim

R.A. Hettinga rah at shipwright.com
Wed Jan 19 10:05:59 EST 2005


<http://www.theinquirer.net/print.aspx?article=20790&print=1>


Word and Excel have RC4 flaw, claim

Cryptic cross words

By:  Nick Farrell  Wednesday 19 January 2005, 07:50

SECURITY EXPERT Bruce Schneier claims that Microsoft's Word and Excel
security protection systems have amateurish flaws which make them easy to
break.

 On his blog here, the writer of 'Applied Cryptography' said that VoleWare
breaks one of the most important rules of stream ciphers. That is that you
don't use the same keystream to encrypt two different documents.

 "If someone does, you can break the encryption by XORing the two
ciphertext streams together. The keystream drops out, and you end up with
plaintext XORed with plaintext -- and you can easily recover the two
plaintexts using letter frequency analysis and other basic techniques," he
said.

 Word and Excel both use this "amateur crypto mistake". Apparently Microsoft
made the same mistake in 1999 with RC4 in WinNT Syskey. Five years later,
Microsoft has the same flaw in other products, Schneier claims. µ


  


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
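
The keystream cancellation quoted in the article, as an added example that is not part of the original post or of the article: two documents encrypted with the same RC4 key XOR to plaintext XORed with plaintext, while a per-document random salt removes that relationship. The password-to-key derivation, the salt scheme and the sample documents are constructed for illustration and are not Microsoft Office's actual file format.

```python
import hashlib
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_reused(password: bytes, doc: bytes) -> bytes:
    """Flawed pattern: same key, so the same keystream for every document."""
    return rc4(hashlib.sha256(password).digest(), doc)

def encrypt_fresh(password: bytes, doc: bytes) -> bytes:
    """Corrected pattern: a random per-document salt gives a new keystream."""
    salt = os.urandom(16)  # stored in the clear in front of the ciphertext
    return salt + rc4(hashlib.sha256(salt + password).digest(), doc)

# Constructed sample data (assumption: two saved versions of one document).
PASSWORD = b"constructed-password"
DOC_V1 = b"Q3 revenue forecast: 4.1M, do not distribute"
DOC_V2 = b"Q3 revenue forecast: 3.2M, board approved it"

def ciphertext_xor_reused() -> bytes:
    """XOR of the two ciphertexts when the keystream is reused."""
    return xor(encrypt_reused(PASSWORD, DOC_V1), encrypt_reused(PASSWORD, DOC_V2))

def ciphertext_xor_fresh() -> bytes:
    """Same comparison with per-document salts (salt prefix stripped)."""
    a, b = encrypt_fresh(PASSWORD, DOC_V1), encrypt_fresh(PASSWORD, DOC_V2)
    return xor(a[16:], b[16:])

if __name__ == "__main__":
    print("reused keystream leaks P1^P2:", ciphertext_xor_reused() == xor(DOC_V1, DOC_V2))
    print("fresh salt leaks P1^P2:     ", ciphertext_xor_fresh() == xor(DOC_V1, DOC_V2))
```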
