
"The problem though is that it's hard to kill off a cryptographic algorithm that is present in every OS that's shipped for the last 25 years and was the default algorithm for so long," Steve Syfuhs, who runs Microsoft's Windows Authentication team, wrote on Bluesky. "See," he continued, "the problem is not that the algorithm exists. The problem is how the algorithm is chosen, and the rules governing that spanned 20 years of code changes."
"While RC4 has known cipher weaknesses that make it insecure, Kerberoasting exploits a separate weakness. As implemented in Active Directory authentication, it uses no cryptographic salt and a single round of the MD4 hashing function. Salt is a technique that adds random input to each password before it is hashed. That requires hackers to invest considerable time and resources into cracking the hash. MD4, meanwhile, is a fast algorithm that requires modest resources."
Microsoft worked steadily over more than a decade to deprecate RC4 but faced significant challenges due to compatibility and algorithm-selection rules accumulated over twenty years of code changes. RC4 had been present across operating systems for 25 years and served as a long-time default, making removal difficult. Developers found numerous critical RC4 vulnerabilities that required surgical fixes, delaying deprecation. Microsoft introduced minor improvements favoring AES, which reduced RC4 usage by orders of magnitude to nearly nil and allowed safer removal. Separately, Active Directory authentication uses no cryptographic salt and a single-round MD4 hash, making Kerberoasting feasible because MD4 is fast and easier to crack than iterated AES-SHA1-based hashing.
Read at Ars Technica