SysKey Keystream Reuse

Reported December 16, 1999 by
BindView
VERSIONS AFFECTED
Windows NT Workstation 4.0
  • Windows NT Server 4.0
  • Windows NT Server 4.0, Enterprise Edition
  • Windows NT Server 4.0, Terminal Server Edition
  • DESCRIPTION

    The SysKey technology, which made it"s first appearance within Service Pack 4, is vulnerable to because the RC4 key is reused. This is basically the same problem that was discovered in Microsoft"s PPTP implementation quite some time ago.

    According to Microsoft"s report, "The vulnerability allows a particular cryptanalytic attack to be effective against Syskey, significantly reducing the strength of the protection it offers. The patch eliminates the vulnerability and
    restores strong protection to the password database.

    Syskey is a utility that strongly encrypts the hashed password information in the SAM database in order to protect it against offline password cracking attacks. However, Syskey reuses the keystream used to perform some of the encryption. This significantly reduces the strength of the protection it provides by enabling a well-known cryptanalytic attack to be used against it.

    A patch is available that eliminates the key reuse vulnerability and again makes it computationally infeasible to mount a brute-force attack against the SAM database when Syskey has been applied."

    VENDOR RESPONSE

    Microsoft is aware of this issue adn has released a FAQ, Support Online article Q248183, and patches for Intel and Alpha platforms

    CREDITS
    Discovered by
    Todd Sabin