SysKey KeyStream Reuse - 16 Dec 1999

SysKey Keystream Reuse

Reported December 16, 1999 by

  • Windows NT Workstation 4.0
  • Windows NT Server 4.0
  • Windows NT Server 4.0, Enterprise Edition
  • Windows NT Server 4.0, Terminal Server Edition

    The SysKey technology, which made its first appearance in Service Pack 4, is vulnerable because the RC4 key is reused. This is basically the same problem that was discovered in Microsoft's PPTP implementation quite some time ago.

    According to Microsoft's report, "The vulnerability allows a particular cryptanalytic attack to be effective against Syskey, significantly reducing the strength of the protection it offers. The patch eliminates the vulnerability and restores strong protection to the password database.

    Syskey is a utility that strongly encrypts the hashed password information in the SAM database in order to protect it against offline password cracking attacks. However, Syskey reuses the keystream used to perform some of the encryption. This significantly reduces the strength of the protection it provides by enabling a well-known cryptanalytic attack to be used against it.

    A patch is available that eliminates the key reuse vulnerability and again makes it computationally infeasible to mount a brute-force attack against the SAM database when Syskey has been applied."


    Microsoft is aware of this issue and has released a FAQ, Support Online article Q248183, and patches for Intel and Alpha platforms.

    Discovered by
    Todd Sabin
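
    Why a reused RC4 keystream weakens the protection, shown as an added example that is not part of the original advisory and is not Microsoft's code. The key, the two 16-byte records and the per-record key derivation are constructed for illustration; they do not reproduce the SAM format or the actual patch.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample data: a secret key and two 16-byte records standing in
# for hashed password values. None of this is the real SAM layout.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
REC_A = hashlib.sha256(b"constructed-record-A").digest()[:16]
REC_B = hashlib.sha256(b"constructed-record-B").digest()[:16]

def reuse_leak():
    """Same key for both records: the keystream cancels out of c_a XOR c_b."""
    c_a, c_b = rc4(KEY, REC_A), rc4(KEY, REC_B)
    relation_leaks = xor(c_a, c_b) == xor(REC_A, REC_B)
    # With one record known, the other follows without ever touching KEY.
    recovered_b = xor(xor(c_a, c_b), REC_A)
    return relation_leaks, recovered_b == REC_B

def per_record_keys():
    """Assumed mitigation for illustration: a distinct RC4 key per record,
    derived by hashing the secret together with a unique label."""
    k_a = hashlib.sha256(KEY + b"record-A").digest()
    k_b = hashlib.sha256(KEY + b"record-B").digest()
    c_a, c_b = rc4(k_a, REC_A), rc4(k_b, REC_B)
    # True would mean the ciphertexts still leak the plaintext relation.
    return xor(c_a, c_b) == xor(REC_A, REC_B)

if __name__ == "__main__":
    print("reuse: relation leaks, record B recovered:", reuse_leak())
    print("per-record keys: relation leaks:", per_record_keys())
```

    With a shared keystream the strength of the key no longer matters, because it drops out of the XOR of the two ciphertexts; with distinct keys per record the relation disappears.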
