Syskey Tool Reuses Keystream

ID: Q248183


The information in this article applies to:
  • Microsoft Windows NT Server version 4.0
  • Microsoft Windows NT Workstation version 4.0
  • Microsoft Windows NT Server, Enterprise Edition version 4.0


SYMPTOMS

A cryptographic error in the Syskey tool makes offline password attacks easier than previously believed. Syskey reuses keystream when encrypting certain elements in the Security Accounts Manager (SAM) database, making the tool vulnerable to an attack using a known cryptanalytic method. This vulnerability could allow offline password attacks to be mounted against a Syskey-protected SAM database.


CAUSE

Passwords in the SAM database are stored in hashed form to prevent a user who gains access to the database from reading the passwords. However, offline password attacks are still possible if an attacker obtains a copy of the database and is willing to devote the time needed to perform an exhaustive search of all possible passwords. The Syskey tool is designed to prevent such attacks by strongly encrypting the SAM database using 128-bit cryptography. However, a flaw in the implementation results in multiple database entries being encrypted with the same keystream. This renders the encryption susceptible to a known attack.
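
The effect of a reused keystream, shown as an added example that is not Microsoft's code: a SHA-256 counter-mode construction stands in for Syskey's cipher, and the function names, key and entry values are constructed for illustration. With one shared keystream the key drops out of the XOR of two ciphertexts, while mixing a per-entry identifier into the keystream derivation removes that property.

```python
import hashlib


def keystream(key: bytes, context: bytes, length: int) -> bytes:
    """Stand-in stream cipher (assumption): SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key + context + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_reused(key: bytes, entry_id: int, value: bytes) -> bytes:
    # Flawed pattern: the keystream depends only on the key, so every
    # database entry is XORed with the same bytes. entry_id is ignored.
    return xor(value, keystream(key, b"", len(value)))


def encrypt_per_entry(key: bytes, entry_id: int, value: bytes) -> bytes:
    # Corrected pattern: the entry identifier is mixed into the derivation,
    # so each entry gets its own keystream. XOR makes this its own inverse.
    return xor(value, keystream(key, entry_id.to_bytes(4, "big"), len(value)))


def key_cancels(encrypt, key: bytes, entries) -> bool:
    """True if XOR of the two ciphertexts equals XOR of the two plaintexts,
    i.e. the encryption key contributes nothing to that relation."""
    (id_a, val_a), (id_b, val_b) = entries
    ct_a = encrypt(key, id_a, val_a)
    ct_b = encrypt(key, id_b, val_b)
    return xor(ct_a, ct_b) == xor(val_a, val_b)


# Constructed sample data: a 128-bit key and two 16-byte stand-ins for
# stored password hashes, keyed by hypothetical entry identifiers.
SAMPLE_KEY = bytes(range(16))
SAMPLE_ENTRIES = [
    (500, hashlib.sha256(b"constructed-entry-one").digest()[:16]),
    (1001, hashlib.sha256(b"constructed-entry-two").digest()[:16]),
]

if __name__ == "__main__":
    for scheme in (encrypt_reused, encrypt_per_entry):
        print(scheme.__name__, key_cancels(scheme, SAMPLE_KEY, SAMPLE_ENTRIES))
```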


RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Windows NT 4.0 service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

The following files are available for download from the Microsoft Download Center. Click the file names below to download the files:

  • Q248183.Exe for x86-based computers
  • Q248183.Exe for Alpha-based computers

The English version of this fix should have the following file attributes or later:

   Date         Time     Size      File name    Platform
   -----------------------------------------------------
   12/06/1999   06:52p   155,408   Lsasrv.dll   x86
   12/06/1999   06:53p   174,352   Samsrv.dll   x86

   12/06/1999   06:51p   253,712   Lsasrv.dll   Alpha
   12/06/1999   06:51p   290,064   Samsrv.dll   Alpha


STATUS

Microsoft has confirmed this to be a problem in Windows NT 4.0.


MORE INFORMATION

For additional information about the Syskey tool, click the article number below to view the article in the Microsoft Knowledge Base:

Q143475 Windows NT System Key Permits Strong Encryption of the SAM

Additional query words: cracking

Keywords : kbtool ntsecurity ntsp kbbug4.00 kbfix4.00
Version : winnt:4.0
Platform : winnt
Issue type : kbbug


Last Reviewed: December 16, 1999