1996-03-19 - Re: M$ CryptoAPI Question

Header Data

From: bglassle@kaiwan.com (Bob Glassley)
To: cypherpunks@toad.com
Message Hash: 6f263951329dce5f9d752086aba9789eb769b2ca833c5e51e408601d5719239d
Message ID: <314db317.500238751@kaiwan.kaiwan.com>
Reply To: <Pine.ULT.3.91.960317235407.4724F-100000@Networking.Stanford.EDU>
UTC Datetime: 1996-03-19 15:46:33 UTC
Raw Date: Tue, 19 Mar 1996 23:46:33 +0800

Raw message

From: bglassle@kaiwan.com (Bob Glassley)
Date: Tue, 19 Mar 1996 23:46:33 +0800
To: cypherpunks@toad.com
Subject: Re: M$ CryptoAPI Question
In-Reply-To: <Pine.ULT.3.91.960317235407.4724F-100000@Networking.Stanford.EDU>
Message-ID: <314db317.500238751@kaiwan.kaiwan.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 18 Mar 1996 00:02:16 -0800 (PST), Rich Graves
<llurch@networking.stanford.edu> wrote:

>On Sun, 17 Mar 1996 jamesd@echeque.com wrote:
>
>> At 06:27 PM 3/17/96 EST, Dr. Dimitri Vulis wrote:
>> > I wonder if it's worth it to crack their approval mechanism so we can
>> > add our own crypto subsystems without asking Microsoft's approval.
>[...]
>> Wait until Microsoft makes some oppressive decisions, 
>> or is compelled to make some oppressive decisions.]
>> 
>> I do not expect that any cracking will be needed.  Microsoft 
>> will approve a freeware module for use in America, and then, 
>> alas alas, someone will leak it.
>
>If the only goal is to allow international strong crypto using the
>CryptoAPI, then I agree with the above. However, exploring the CryptoAPI
>internals now, while there is still a possibility that they can be
>changed, is a productive undertaking to the extent that it exposes holes. 

Exploration of the internals is critical for any crypto
implementation.  Unfortunately, this is beyond the scope of my skills,
and requires me to rely upon the talents of you guys. (Thanks! :)

Of some relevance: (not intended to branch off topic)
I work at a large corporation that has a strong relationship with MS.
We had a MS Internet Architecture guru in here trying to sell us on an
NT Internet server solution as opposed to Sun which we use now.

We expressed our concerns about the security of NT versus Unix in
regards to hackability, to which he responded:

(paraphrased)
NT is more secure than Unix since NT is newer, few people know anything
about it, where Unix has known, documented holes in security.
(Albeit plugged ones. ed.)

With this *security through obscurity* outlook, I think exploration is
definitely in order.

>If the good guys can find a way to plug an unapproved international
>strong-crypto module into the CryptoAPI, then the bad guys can find a way
>to plug in a no-crypto virus or trojan horse.

Now that's a scary thought!  I need to look further into how they
implement authentication of CSPs.

>
>-rich@c2.org
> http://www.c2.org/hackmsoft/ and other cool stuff
>

- --Bob


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMU2b4O2vJ3dNshwFAQGfKwP+KJWP8m+dtJd+gc71PZ67ABTbZZUw7MOi
BX24B89CQ67eldprcbXdnmxDDnLX25bBDee3EWEy5HTuJD1V9psXBU7VqkaEWnPE
MhBGT2puaZIpGZUq222VdMrdToRsclM4wen6rnoYo8f/PsWWZR2BANCQu20BG0ZR
fgQW2bcIsdM=
=wihe
-----END PGP SIGNATURE-----





