DragonFly users List (threaded) for 2005-09
[OT] Micro$oft versus security
I just got this item from SANS, and I still can't quite believe
what my eyes are seeing:

--Microsoft Bans Weak Crypto in New Code
(15 September 2005)
A new policy at Microsoft bans developers from using functions using the
DES, MD4, MD5 and in some cases the SHA1 encryption algorithms in their
code because increasingly sophisticated cyber attacks are threatening
the security of these algorithms. Microsoft recommends the use of the
(Secure Hash Algorithm) SHA256 encryption algorithm and (Advanced
Encryption Standard) AES cipher. The decision comes as part of
Microsoft's twice-a-year update to its Secure Development Lifecycle
policies. The company also hopes eventually to remove the vulnerable
encryption from older code.
[Editor's Note (Schultz): Microsoft deserves a proverbial round of
applause for its decision concerning use of cryptography in its
(Schneier): This will improve potential security for their products at
the cost of backwards compatibility -- I call that a good trade-off.]

I have Schneier's second edition of Applied Cryptography (which is
where I learned what little I know about the subject) and he does a
good imitation of someone who really knows the subject.
I can cite decades of bad (or ridiculous) decisions by M$ concerning
anything to do with security -- but seeing Schneier's name attached to
this article makes me wonder if things have changed...

Anyone here agree that MD5 and SHA1 are 'weak' crypto? Any other
thoughts about the subject?