Bill Stewart <[EMAIL PROTECTED]> writes:

> http://www.nullsoft.com/free/waste/ - Overview
> http://www.nullsoft.com/free/waste/security.html - Security section
> http://www.nullsoft.com/free/waste/network.html - Network design
> http://slashdot.org/article.pl?sid=03/05/29/0140241&mode=thread&tid=126&tid=93
> - Slashdot discussion
> 
> 
> Nullsoft, who did Winamp and Gnutella, just released a package called W A S T E
> which does encrypted communications within small groups of people.
> It doesn't appear to have had outside analysis of its security yet,
> but they do invite it, and they say it needs some work.

It's utterly baffling to me why people like this choose to design
their own thing rather than just using SSL. I've looked through their
design documents and glanced at their code; they don't provide any
security features that SSL doesn't, and they appear to have made a
number of questionable design decisions:

(0) Their messages don't appear to have any sequence numbers, making them
    potentially open to a wide variety of integrity attacks. They have some sort
    of guid, but unless you intend to keep a record of all guids through
    a session (horrible) this is only a partial fix for replay and
    not a fix at all for removal.
(1) They use MD5 instead of HMAC for message authentication. Scary.
(2) They use the same encryption keys in both directions. At least
    they have the sense to run separate PCBC counters. However,
    based on the code it doesn't look like they reset the PCBC
    counters after a bad message is received so you may be able to
    mount a reflection attack.
(3) They use Blowfish (why not AES?) in PCBC mode (huh?)

I don't think it's worth much time analyzing this... Just one
more case of NIH.

-Ekr

-- 
[Eric Rescorla                                   [EMAIL PROTECTED]
           Web Log: http://www.rtfm.com/movabletype
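An added illustration of points (0) and (2) above, written for this page and not taken from WASTE's code or from either post in this thread. It builds a toy authenticated channel two ways: the naive way (one shared key for both directions, tag over the bare message) and the way the critique asks for (a key per direction, a sequence number under the MAC). Then it runs the three attacks named in the post, replay, removal and reflection, against each. HMAC-SHA256 as the MAC, the direction labels, and the HMAC-based key derivation are all assumptions made for the demo; encryption is deliberately left out since only the integrity layer is under discussion.

```python
import hmac
import hashlib
import os

# Constructed toy: an authenticated channel with and without the two properties
# points (0) and (2) ask for. Encryption is left out on purpose; only the
# integrity layer matters here. HMAC-SHA256 is an assumed choice of MAC.

TAG_LEN = 32


def tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class NaiveEndpoint:
    """One shared key for both directions, no sequence number: frame = msg || HMAC(k, msg)."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, msg: bytes) -> bytes:
        return msg + tag(self.key, msg)

    def recv(self, frame: bytes) -> bytes:
        msg, t = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(t, tag(self.key, msg)):
            raise ValueError("bad tag")
        return msg


class SequencedEndpoint:
    """Distinct key per direction plus a 64-bit sequence number covered by the MAC."""

    def __init__(self, shared: bytes, role: str):
        # Assumed derivation: per-direction keys as HMAC(shared, label). A real
        # protocol would use a proper KDF; the point is that the keys differ.
        c2s = hmac.new(shared, b"client->server", hashlib.sha256).digest()
        s2c = hmac.new(shared, b"server->client", hashlib.sha256).digest()
        self.send_key, self.recv_key = (c2s, s2c) if role == "client" else (s2c, c2s)
        self.send_seq = 0
        self.recv_seq = 0

    def send(self, msg: bytes) -> bytes:
        hdr = self.send_seq.to_bytes(8, "big")
        self.send_seq += 1
        return hdr + msg + tag(self.send_key, hdr + msg)

    def recv(self, frame: bytes) -> bytes:
        hdr, msg, t = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(t, tag(self.recv_key, hdr + msg)):
            raise ValueError("bad tag")  # forged, or reflected from the other direction
        seq = int.from_bytes(hdr, "big")
        if seq != self.recv_seq:
            # seq < expected: a replay; seq > expected: something was removed in between
            raise ValueError(f"expected seq {self.recv_seq}, got {seq}")
        self.recv_seq += 1
        return msg


def naive_pair():
    k = os.urandom(32)
    return NaiveEndpoint(k), NaiveEndpoint(k)


def sequenced_pair():
    k = os.urandom(32)
    return SequencedEndpoint(k, "client"), SequencedEndpoint(k, "server")


def accepts(endpoint, frame: bytes) -> bool:
    try:
        endpoint.recv(frame)
        return True
    except ValueError:
        return False


def run_attacks(make_pair) -> dict:
    """Map attack name -> whether the receiver accepted the attacker's frame (True = attack worked)."""
    alice, bob = make_pair()
    f1 = alice.send(b"transfer 10")
    f2 = alice.send(b"transfer 20")
    f3 = alice.send(b"done")
    results = {}
    bob.recv(f1)                                # honest delivery of the first frame
    results["replay"] = accepts(bob, f1)        # attacker re-delivers f1
    results["removal"] = accepts(bob, f3)       # attacker drops f2 and delivers f3
    results["in_order"] = accepts(bob, f2)      # the honest frame still goes through
    alice, bob = make_pair()
    f = alice.send(b"hello")
    results["reflection"] = accepts(alice, f)   # attacker bounces Alice's own frame back to her
    return results


if __name__ == "__main__":
    print("naive:    ", run_attacks(naive_pair))
    print("sequenced:", run_attacks(sequenced_pair))
```

The naive endpoint accepts all three attacks; the sequenced one rejects them and still accepts the honest frame. Note the split of duties: the per-direction key is what defeats reflection (the tag was computed under the other direction's key), and the sequence number under the MAC is what defeats replay and removal. A per-message guid, the mechanism the post mentions, can only catch a replay if every guid ever seen is remembered, and it says nothing at all about a gap, which is why the counter has to be part of the authenticated data.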

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
