SysKey KeyStream Reuse - 16 Dec 1999

 
SysKey Keystream Reuse
Reported December 16, 1999 by BindView

DESCRIPTION

The SysKey technology, which made it"s first appearance within Service Pack 4, is vulnerable to because the RC4 key is reused. This is basically the same problem that was discovered in Microsoft"s PPTP implementation quite some time ago.

According to Microsoft"s report, "The vulnerability allows a particular cryptanalytic attack to be effective against Syskey, significantly reducing the strength of the protection it offers. The patch eliminates the vulnerability and
restores strong protection to the password database.

Syskey is a utility that strongly encrypts the hashed password information in the SAM database in order to protect it against offline password cracking attacks. However, Syskey reuses the keystream used to perform some of the encryption. This significantly reduces the strength of the protection it provides by enabling a well-known cryptanalytic attack to be used against it.

A patch is available that eliminates the key reuse vulnerability and again makes it computationally infeasible to mount a brute-force attack against the SAM database when Syskey has been applied."

VENDOR RESPONSE

Microsoft is aware of this issue adn has released a FAQ, Support Online article Q248183, and patches for Intel and Alpha platforms

CREDITS
Discovered by Todd Sabin