Bill Stewart <bill.stewart@pobox.com> writes:
> http://www.nullsoft.com/free/waste/ - Overview
> http://www.nullsoft.com/free/waste/security.html - Security section
> http://www.nullsoft.com/free/waste/network.html - Network design
> http://slashdot.org/article.pl?sid=03/05/29/0140241&mode=thread&tid=126&tid=93 - Slashdot discussion
>
> Nullsoft, who did Winamp and Gnutella, just released a package called
> W A S T E which does encrypted communications within small groups of
> people. It doesn't appear to have had outside analysis of its security
> yet, but they do invite it, and they say it needs some work.

It's utterly baffling to me why people like this choose to design their own thing rather than just using SSL. I've looked through their design documents and glanced at their code; they don't provide any security features that SSL doesn't, and they appear to have made a number of questionable design decisions:

(0) Their messages don't appear to have any sequence numbers, making them potentially open to a wide variety of integrity attacks. They have some sort of guid, but unless you intend to keep a record of all guids through a session (horrible) this is only a partial fix for replay and not a fix at all for removal.

(1) They use MD5 instead of HMAC for message authentication. Scary.

(2) They use the same encryption keys in both directions. At least they have the sense to run separate PCBC counters. However, based on the code it doesn't look like they reset the PCBC counters after a bad message is received, so you may be able to mount a reflection attack.

(3) They use Blowfish (why not AES?) in PCBC mode (huh?)

I don't think it's worth much time analyzing this... Just one more case of NIH.

-Ekr

--
[Eric Rescorla ekr@rtfm.com]
Web Log: http://www.rtfm.com/movabletype

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
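As an added illustration of points (0), (1) and (2) in the reply above (constructed example, not code from WASTE or from either poster): a minimal record layer that puts a direction byte and a sequence number under an HMAC-SHA256 tag, so that replayed, dropped, reordered or reflected records are rejected instead of silently accepted. The key, direction values and record layout are assumptions for the demo.

```python
"""Authenticated record layer sketch (constructed example, not WASTE code).
Each record is header || payload || HMAC-SHA256(key, header || payload),
where the header carries a direction byte and a 64-bit sequence number."""
import hashlib
import hmac
import struct

HEADER = struct.Struct(">BQ")   # direction (1 byte), sequence number (8 bytes)
TAG_LEN = 32                    # HMAC-SHA256 output length


def make_record(key: bytes, direction: int, seq: int, payload: bytes) -> bytes:
    """Build a record whose MAC covers the direction and sequence number too."""
    header = HEADER.pack(direction, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """One side of the link: accepts only records tagged for its own inbound
    direction, in strict sequence order (the same key is used both ways, as
    in the design being criticised, so the direction byte is what stops a
    reflected record from verifying)."""

    def __init__(self, key: bytes, inbound_direction: int):
        self.key = key
        self.inbound = inbound_direction
        self.expected_seq = 0

    def accept(self, record: bytes) -> str:
        if len(record) < HEADER.size + TAG_LEN:
            return "malformed"
        header = record[:HEADER.size]
        payload = record[HEADER.size:-TAG_LEN]
        tag = record[-TAG_LEN:]
        want = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(want, tag):   # constant-time comparison
            return "bad-mac"
        direction, seq = HEADER.unpack(header)
        if direction != self.inbound:
            return "reflected"      # our own outbound record bounced back at us
        if seq < self.expected_seq:
            return "replay"
        if seq > self.expected_seq:
            return "gap"            # a record was dropped or reordered in transit
        self.expected_seq += 1
        return "ok"
```

Without the sequence number a removed record is invisible to the receiver, and without the direction byte a record MACed under the shared key verifies equally well when sent back to its originator.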