Hi again, and an invitation to kibitz

Amanda Walker amanda at intercon.com
Mon Jan 13 23:55:36 PST 1997


Hello folks,

A couple of years ago I signed off of cypherpunks in annoyance at what I
thought was a high "fluff" level, and said I'm sign back on when I had
crypto software to talk about.  Well, I do and so I have :).

Last week at MacWorld Expo, we announced a new product designed to provide a
secure AppleTalk tunnel over the Internet; we'll be doing a public beta in
a few weeks, and expect to be shipping relatively soon after that, assuming
that the public beta goes well.

The initial version is moderately secure (that is to say, I believe that
the most effective attacks to be DES key search and a dictionary attack on the
user's pass phrase).  I'm interested in comments on weaknesses aside from the
use of 56-bit DES; I'm profiling DES-EDE and if it's fast enough we'll be
switching to that.

Here's a sketch of the protocol:

(a) Server sends 8-byte challenge to client

(b) Client sends Microsoft NT authentication response to the server
    (take the password in Unicode form, do an MD4 hash, pad with 0s to 21
    bytes, split into 3 7-byte groups, use these as DES keys to encrypt
    the challenge three times, send the 24-byte result as the response).

(c) If authentication fails, close the connection.

(d) If authentication succeeds, all subsequent traffic is enccrypted with
    DES in CFB mode.  Until April :), the DES key used is taken from the
    first 7 bytes of the MD4 hash of the password (after April, we expect
    to switch to Diffie-Hellman key exchange first, followed by a revised
    authentication handshake).

I have not been able to find any obvious weak points, even if MD4 is weak,
since the digest is not put on the wire--recovering the digest would require
recovering a DES key given a single known plaintext/ciphertext pair.

I would be very interested in
any weak points anyone can identify (particularly with step b, since that
would have repercussions beyond this little piece of software).

I would also be interested in the effects on anyone's analysis given the
following modifications:

- Using SHA (160 bit hash) instead of MD4
- Using DES-EDE (112 bit key) instead of DES
- Using Blowfish in CFB mode instead of DES
- Using RC5 in CFB mode instead of DES (not likely unless RC5 is cheap)
- Using RC4 (40 bit key) instead of DES (not likely)


Comments?  Catcalls :) ?


Amanda Walker
Senior Software Engineer
InterCon Systems Corporation







More information about the cypherpunks-legacy mailing list