Nullsoft's WASTE communication system
Eric Rescorla
ekr at rtfm.com
Fri May 30 08:54:52 PDT 2003
Bill Stewart <bill.stewart at pobox.com> writes:
> http://www.nullsoft.com/free/waste/ - Overview
> http://www.nullsoft.com/free/waste/security.html - Security section
> http://www.nullsoft.com/free/waste/network.html - Network design
> http://slashdot.org/article.pl?sid=03/05/29/0140241&mode=thread&tid=126&tid=93
> - Slashdot discussion
>
>
> Nullsoft, who did Winamp and Gnutella, just released a package called W A S T E
> which does encrypted communications within small groups of people.
> It doesn't appear to have had outside analysis of its security yet,
> but they do invite it, and they say it needs some work.
It's utterly baffling to me why people like this choose to design
their own thing rather than just using SSL. I've looked through their
design documents and glanced at their code; they don't provide any
security features that SSL doesn't, and they appear to have made a
number of questionable design decisions:
(0) Their messages don't appear to have any sequence numbers, making them
potentially open to a wide variety of integrity attacks. They have some sort
of guid but unless you intend to keep a record of all guids through
a session (horrible) this is only a partial fix for replay and
not a fix at all for removal.
(1) They use MD5 instead of HMAC for message authentication. Scary.
(2) They use the same encryption keys in both directions. At least
they have the sense to run separate PCBC counters. However,
based on the code it doesn't look like they reset the PCBC
counters after a bad message is received so you may be able to
mount a reflection attack.
(3) They use Blowfish (why not AES?) in PCBC mode (huh?)
I don't think it's worth much time analyzing this... Just one
more case of NIH.
-Ekr
--
[Eric Rescorla ekr at rtfm.com]
Web Log: http://www.rtfm.com/movabletype
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
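
A sketch of the defenses whose absence points (0) to (2) in the message above criticize: a sequence number covered by an HMAC, with a separate MAC key per direction. This is an added example, not code from WASTE, SSL or the original post; the record layout, `derive_key`, `Endpoint`, the direction labels and the session key are constructed for illustration, encryption is left out, and a reliable in-order transport is assumed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

def derive_key(session_key: bytes, label: bytes) -> bytes:
    """Derive a per-direction MAC key so the two directions never share one."""
    return hmac.new(session_key, b"mac:" + label, hashlib.sha256).digest()

class Endpoint:
    def __init__(self, send_key: bytes, recv_key: bytes):
        self.send_key, self.recv_key = send_key, recv_key
        self.send_seq = self.recv_seq = 0

    def seal(self, payload: bytes) -> bytes:
        header = struct.pack(">Q", self.send_seq)  # sequence number is MACed too
        tag = hmac.new(self.send_key, header + payload, hashlib.sha256).digest()
        self.send_seq += 1
        return header + payload + tag

    def open(self, record: bytes) -> bytes:
        if len(record) < 8 + TAG_LEN:
            raise ValueError("short record")
        body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        good = hmac.new(self.recv_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("bad MAC")  # tampered, or keyed for the other direction
        (seq,) = struct.unpack(">Q", body[:8])
        if seq != self.recv_seq:  # a lower value is a replay, a higher one a removal
            raise ValueError(f"sequence {seq}, expected {self.recv_seq}")
        self.recv_seq += 1
        return body[8:]

def demo() -> dict:
    session = bytes(range(32))  # constructed session key, illustration only
    a2b, b2a = derive_key(session, b"A->B"), derive_key(session, b"B->A")
    alice, bob = Endpoint(a2b, b2a), Endpoint(b2a, a2b)
    r0, r1, r2 = (alice.seal(m) for m in (b"m0", b"m1", b"m2"))
    results = {"first": bob.open(r0)}
    # r0 again = replay; r2 before r1 = r1 removed; r0 sent back to alice = reflection
    for name, rec, rx in (("replay", r0, bob), ("removal", r2, bob), ("reflection", r0, alice)):
        try:
            rx.open(rec)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    results["in_order"] = bob.open(r1)  # rejected records did not advance the counter
    return results
```

The receiver keeps only one counter per direction, rather than a record of every identifier seen in the session.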