
Re: M$ CryptoAPI Question



-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 18 Mar 1996 00:02:16 -0800 (PST), Rich Graves
<[email protected]> wrote:

>On Sun, 17 Mar 1996 [email protected] wrote:
>
>> At 06:27 PM 3/17/96 EST, Dr. Dimitri Vulis wrote:
>> > I wonder if it's worth it to crack their approval mechanism so we can
>> > add our own crypto subsystems without asking Microsoft's approval.
>[...]
>> Wait until Microsoft makes some oppressive decisions, 
>> or is compelled to make some oppressive decisions.]
>> 
>> I do not expect that any cracking will be needed.  Microsoft 
>> will approve a freeware module for use in America, and then, 
>> alas alas, someone will leak it.
>
>If the only goal is to allow international strong crypto using the
>CryptoAPI, then I agree with the above. However, exploring the CryptoAPI
>internals now, while there is still a possibility that they can be
>changed, is a productive undertaking to the extent that it exposes holes. 

Exploration of the internals is critical for any crypto
implementation.  Unfortunately, this is beyond the scope of my skills,
and requires me to rely upon the talents of you guys. (Thanks! :)

Of some relevance: (not intended to branch off topic)
I work at a large corporation who has a strong relationship with MS.
We had a MS Internet Architecture guru in here trying to sell us on an
NT Internet server solution as opposed to Sun which we use now.

We expressed our concerns about the security of NT versus Unix in
regards to hackability, to which he responded:

(paraphrased)
NT is more secure than Unix since NT is newer, few people know anything
about it, where Unix has known, documented holes in security.
(Albeit plugged ones. ed.)

With this *security through obscurity* outlook, I think exploration is
definitely in order.

>If the good guys can find a way to plug an unapproved international
>strong-crypto module into the CryptoAPI, then the bad guys can find a way
>to plug in a no-crypto virus or trojan horse. 

Now that's a scary thought!  I need to look further into how they
implement authentication of CSPs.

>
>[email protected]
> http://www.c2.org/hackmsoft/ and other cool stuff
>

- --Bob


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMU2b4O2vJ3dNshwFAQGfKwP+KJWP8m+dtJd+gc71PZ67ABTbZZUw7MOi
BX24B89CQ67eldprcbXdnmxDDnLX25bBDee3EWEy5HTuJD1V9psXBU7VqkaEWnPE
MhBGT2puaZIpGZUq222VdMrdToRsclM4wen6rnoYo8f/PsWWZR2BANCQu20BG0ZR
fgQW2bcIsdM=
=wihe
-----END PGP SIGNATURE-----