[ISN] Win95/98 Authentication Insecurity

From: mea culpa (jerichoat_private)
Date: Tue Jan 05 1999 - 14:16:05 PST


    Forwarded From: MJE <markat_private>
    
    January 5, 1999 - NTSD - Weld Pond of L0pht Heavy Industries released a
    security advisory last evening on Bugtraq that reveals insecurities
    discovered in the Windows 95 and Windows 98 challenge/response mechanism. 
      In summary, it was discovered that the operating systems reuse the
    challenge issued to a connecting user during the authentication phase
    if that user tries to reconnect during the following 15-minute window of
    time. 
      As Weld states, "Reusing a challenge is a classic cryptographic
    mistake."  We have no word yet from Microsoft as to how they will address
    this discovery. 
    
    For more information, including the relevant links to the L0pht Advisory
    and Web site, please visit: 
    http://www.ntsecurity.net/scripts/load.asp?iD=/security/win9598-challenge.htm
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    


