On 30/10/2007, Matthew Somerville <[EMAIL PROTECTED]> wrote:
> Well, you'll be glad to hear that Windows DRM uses the non-proprietary
> elliptic curve, DES, RC4 and SHA1, then?
Can you point me to the open standard for Windows DRM then, so that I
might perform a security analysis? As we all know simple using good
cryptography doesn't mean the format is secure does it? Even without
the flaw in RC4 WEP is still insecure due to the way in which the key
stream cypher was used (resuse of the stream, CRC as only checksum
etc.)
Also DES is generally considered insecure, you might want to use AES
or Tripple DES.
RC4 has flaws in it as well.
SHA1 has weakness as well doesn't it?
How is SHA1 used, it's a one way hash, is this hash then signed to
protect message integrity? Who generates such a key and where is the
public key held (assuming an Asymmetric technique)? How is the public
key protected from tampering?
Can you point me to the standard for the Elliptical curve cryptography
that is used?
I also fail to understand why Open Source is less secure than
proprietary code, purely because you can "see the source". I forget
who's law it is but isn't there a law that states: "The Attacker
already knows the algorithm"?
Most decent security schemes that need to use such algorithms use
keyed algorithms. The algorithm is released publicly. The key is kept
secret. This has the advantage in that your securing less data and
that if the worst happens you can change the key quickly. It also adds
the advantage that everyone can use the same algorithm just with
different keys. Thus you only need one strong public algorithm instead
of a secret one for every party trying to communicate.
An algorithm is just a sequence of instructions. If these instructions
are human readable then the algorithm is revealed. An algorithm
written in any language still does the same and is compromised
regardless of which language revealed the information. (Rather like
having a secret document written in French and English, it doesn't
matter which the attacker gets the information in both is revealed as
it was the same).
So if I can get a copy of the Assembly source to Windows DRM the
algorithm is revealed. And therefore is no more secure than Open
Source and the claims made in the interview are entirely false, (or
even fraudulent).
So here is some proof:
Windows DRM is contained in WMP. This is distributed as a binary. A
binary is a list of instructions. 1 assembly instruction is translated
to 1 binary instruction (comments are not part of the algorithm and so
are ignored). 2 different inputs are never mapped to same outputs
based on position. This is therefore a simple substitution cypher.
These can be cracked using statistical methods.
Worse than that however the key (the mapping from Assembler to Binary)
is not secret. It is used by compiler writers.
Would Ashley mind justifying his claim that Open Source code is less
secure because Proprietary code is protected by a Substitution cypher
with a publicly available secret key?
This provides no measure of security, so what is the real reason an
Open DRM specification was not used? And try not to lie this time!
Andy.
--
Computers are like air conditioners. Both stop working, if you open windows.
-- Adam Heath
-
Sent via the backstage.bbc.co.uk discussion group. To unsubscribe, please
visit http://backstage.bbc.co.uk/archives/2005/01/mailing_list.html.
Unofficial list archive: http://www.mail-archive.com/[email protected]/
