From: amanda@intercon.com (Amanda Walker)
To: cypherpunks@toad.com
Message Hash: 3b87f1b8429651322d6c6a2226245330235a54a0f4f825b36a49edd50e98f15c
Message ID: <199701140755.CAA04514@mail.intercon.com>
Reply To: N/A
UTC Datetime: 1997-01-14 07:55:36 UTC
Raw Date: Mon, 13 Jan 1997 23:55:36 -0800 (PST)
From: amanda@intercon.com (Amanda Walker)
Date: Mon, 13 Jan 1997 23:55:36 -0800 (PST)
To: cypherpunks@toad.com
Subject: Hi again, and an invitation to kibitz
Message-ID: <199701140755.CAA04514@mail.intercon.com>
MIME-Version: 1.0
Content-Type: text/plain
Hello folks,
A couple of years ago I signed off of cypherpunks in annoyance at what I
thought was a high "fluff" level, and said I'm sign back on when I had
crypto software to talk about. Well, I do and so I have :).
Last week at MacWorld Expo, we announced a new product designed to provide a
secure AppleTalk tunnel over the Internet; we'll be doing a public beta in
a few weeks, and expect to be shipping relatively soon after that, assuming
that the public beta goes well.
The initial version is moderately secure (that is to say, I believe that
the most effective attacks to be DES key search and a dictionary attack on the
user's pass phrase). I'm interested in comments on weaknesses aside from the
use of 56-bit DES; I'm profiling DES-EDE and if it's fast enough we'll be
switching to that.
Here's a sketch of the protocol:
(a) Server sends 8-byte challenge to client
(b) Client sends Microsoft NT authentication response to the server
(take the password in Unicode form, do an MD4 hash, pad with 0s to 21
bytes, split into 3 7-byte groups, use these as DES keys to encrypt
the challenge three times, send the 24-byte result as the response).
(c) If authentication fails, close the connection.
(d) If authentication succeeds, all subsequent traffic is enccrypted with
DES in CFB mode. Until April :), the DES key used is taken from the
first 7 bytes of the MD4 hash of the password (after April, we expect
to switch to Diffie-Hellman key exchange first, followed by a revised
authentication handshake).
I have not been able to find any obvious weak points, even if MD4 is weak,
since the digest is not put on the wire--recovering the digest would require
recovering a DES key given a single known plaintext/ciphertext pair.
I would be very interested in
any weak points anyone can identify (particularly with step b, since that
would have repercussions beyond this little piece of software).
I would also be interested in the effects on anyone's analysis given the
following modifications:
- Using SHA (160 bit hash) instead of MD4
- Using DES-EDE (112 bit key) instead of DES
- Using Blowfish in CFB mode instead of DES
- Using RC5 in CFB mode instead of DES (not likely unless RC5 is cheap)
- Using RC4 (40 bit key) instead of DES (not likely)
Comments? Catcalls :) ?
Amanda Walker
Senior Software Engineer
InterCon Systems Corporation
Return to January 1997
Return to ““Mark M.” <markm@voicenet.com>”