Microsoft Security Bulletin (MS99-056): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS99-056 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows NT 4.0. A utility that provides protection against offline password cracking attacks has a cryptographic error that significantly weakens it, and the patch restores it to its designed strength. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
The vulnerability means that the additional protection provided against offline password cracking attacks offered by the Syskey utility is much less than previously believed. However, it does not change any of the other factors associated with such an attack. An attacker would still need to be able to obtain the hashed password database.
What is Syskey?
Syskey is a utility intended to prevent offline password cracking attacks against the Security Account Manager (SAM) database in Windows NT systems.
What is an offline password cracking attack?
Password cracking is a means by which a malicious user tries to determine another user's password. Because passwords are critical security information, they are generally protected cryptographically. Password cracking seeks to penetrate the cryptographic protection and recover the password.
Offline password cracking is used if the strength of the cryptographic protection too high to allow the attacker to crack the password in real time. In an offline attack, the attacker captures a copy of the cryptographically-protected password and attacks it exhaustively over time, on a machine that he or she controls.
What is the SAM database?
The Security Account Manager (SAM) database is the storage point for user passwords in Windows NT. The passwords are stored in a hashed form in the database. Hashing is a cryptographic process that generates a unique "fingerprint" from a piece of data. Hash functions are one-way functions, so even if a malicious user learned the hashed values of another user's password, he or she could not "unhash" it to learn the password itself.
However, if a malicious user gained access to the SAM database, he or she could conduct an offline password cracking attack. He or she could copy it to another machine, then exhaustively generate every possible password, hash it, and compare the result to the hashes in the database. For example, if the hash of "XYZ" matched one of the values in the database, the malicious user would know that the password for that user was "XYZ". There are tools available to mount such an attack, once a copy of the SAM database has been obtained.
How does Syskey protect against offline password cracking attacks?
Syskey is designed to prevent password cracking attacks by encrypting the SAM database using 128-bit cryptography. To defeat such a system, an attacker would need to first crack the Syskey encryption, then conduct a password cracking attack against the now-decrypted SAM database. However, the number of possible decryption keys for Syskey is so large that it should, in theory, make such an attack computationally infeasible.
What is the vulnerability?
A flaw in the implementation of Syskey provides a means of removing the Syskey encryption without performing a brute-force attack described above. Syskey reuses keystream-the output of the cryptoalgorithm-when encrypting certain values in the database. This provides an opening for a particular cryptanalytic attack that significantly reduces the strength of the protection that Syskey provides.
How did the vulnerability happen?
The need to avoid reusing keystream is well-known among cryptographers, and, by design, Syskey was intended to use unique keystream for all data. The key to generating unique keystream is to provide the cryptoalgorithm with unique initialization data for each value. However, a flaw elsewhere in the code has the effect of providing repeated initialization data which, when used to initialize the cryptoalgorithm, results in identical keystream being generated.
How much does the vulnerability weaken the protection?
By design, Syskey is intended to increase the work factor associated with a brute force attack by so many orders of the magnitude that it becomes infeasible. The vulnerability means that, if the proper cryptanalytic attack were mounted, a Syskey-protected SAM database would require only several times more work to crack than an unprotected one. The patch returns the protection to its stronger state by eliminating the key reuse.
Does the vulnerability mean that people have been cracking my system's passwords?
No. Syskey is just one link in the overall protection of the password data. Before a user could conduct an offline password attack, he or she would need to first obtain a copy the SAM database. Normal security precautions, such as restricting who can interactively log onto critical servers, properly safeguarding backup tapes, etc, are the best protection against this. If a malicious user can't obtain a copy of your SAM database, they can't mount an attack against it.
Does this vulnerability affect Windows 2000?
No.
What does the patch do?
The patch has two effects. First, it corrects the cryptography to ensure that keystream is never reused. Second, it re-encrypts the SAM database to remove the effect of the vulnerability on existing data.
What do I need to do in order for the patch to take effect?
Just apply the patch to any machine on which Syskey has been installed, then reboot the machine. The patch will re-encrypt the SAM and other information, and eliminate the vulnerability.
I haven't used Syskey on my machines, but would like to. Is there a new version of Syskey?
The Syskey executable has not changed. All of the behavioral changes in Syskey are effected via the patch. You can either run Syskey and then apply the patch, or apply the patch and then run Syskey.
I've already used Syskey on my machines. Do I need to "back out" the previous encryption before using the patch?
No. All you need to do is apply the patch and reboot the machine. The patch will re-encrypt the SAM database the first time the machine boots, eliminating the vulnerability.
How long will it take for the patch to perform the re-encryption?
The specific time will depend on hardware speed, size of the database, and other factors. However, it generally takes only a matter of minutes. In our testing, we found that, on typical hardware, the encryption takes roughly a minute to for every 10,000 users' passwords. Thus, if you have 10,000 users on a typical Windows NT machine, the first reboot would take about a minute longer than usual.
If I upgrade from an affected service pack to another affected service pack, do I need to re-apply the patch?
No. For example, if you apply the patch atop SP4, then move to SP6, you do not need to re-apply the patch.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
Knowledge Base article 248183 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
| • | Microsoft has developed a patch that eliminates the vulnerability. |
| • | Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch. |
| • | Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins. |
| • | Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail. |
Where can I learn more about best practices for security?
The Microsoft Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
