Press ReleaseNetscape Security Flaw: Technical Details
Please read the press release before you read this. First, we must emphasize that using a well known, strong encryption algorithm like DES, Blowfish or Twofish would have been trivial for Netscape to do. If this had been the case, we would not have bothered to cryptanalyze the algorithm since a few chosen plaintexts would suggested the existence of a strong encryption algorithm. An attacker would then be forced to reverse engineer the relevant portions of Netscape to uncover hidden key material. While not impossible, the amount of effort is much larger than the effort required to cryptanalyze a proprietary obscuring algorithm, especially when the proprietary algorithm is incredibly weak like Netscape's is. We think the password protection bar should be raised significantly. Though there is no perfect solution, a good solution is much better than a bad one. Avi Rubin, ATT Labs security expert, put it best when he said that Netscape needs run out and get a bar so they can raise it. Modern cryptographic algorithms need to be able to withstand massive parallel brute force attacks, statistical attacks, and sophisticated mathematical analysis methods. The algorithm used in Netscape was broken by two people working for eight hours, without any automation and with very minimal computer assistance. Carefully chosen passwords were entered, and the results were examined in a standard scientific black box approach. The analysts started by figuring out one character passwords, then used that information to figure out how two character passwords were encrypted, and so on (after three letters, a really obvious pattern emerges). There is no excuse for weak cryptography in this case. Recovering a password from a client machine should not be so trivial. According to the Wall Street Journal, Chris Saito, the senior director for product management at Netscape, said that the bad obscuring algorithm exists so that "computer experts could still access the information, in case someone forgot their password." In this case, "experts" potentially includes hackers, bad guys, cleaning people, and anyone else who wants to recover the password. In the case of a forgotten password, a user should turn to the mail server administrator, not the client machine to solve the problem. In order to demonstrate the weakness of the Netscape algorithm, the components are listed here. The complete algorithm is not given, in order to avoid helping those who might wish to exploit this flaw by simply pressing return (ankle biters, that is). However, since the algorithm was already successfully cryptanalyzed in only a matter of hours, nothing can be done to prevent someone else from doing the same thing, regardless of what information is disclosed or withheld. The components of the algorithm are:
Nothing else is involved. After only a few passwords were tried, the analysts already knew the algorithm was weak and would be breakable; a complete break was only a matter of time and effort. Small changes to the password cause just a few characters in the encrypted text. Exactly which characters change, and how they change, gives clues as to how the underlying algorithm works. We still do not know where in Netscape the passwords are encrypted or exactly what the function looks like. In fact, it would take significantly more time and effort just to find the function in such a large program, and after that, we would still need to analyze it. But we do think we know exactly how the function works. So we wrote a program to simulate it that gives correct output for passwords from 1 to 33 characters in length. Here is a screenshot of our working exploit in action: 
Contact: |