
90's crypto was interesting. They would just use naked RSA and block ciphers. Usually, the team would have one guy who was "smart about crypto" and he was just left to do his thing and, after passing functional tests, it was accepted into the product. There was so much fun stuff to break, and it was just as much fun to try to prevent people from breaking your stuff.


Even companies as well resourced as Microsoft made these mistakes well into the 2000s. Remember when they used plain old AES to encrypt the Viewstate for ASP.Net? It was vulnerable to padding oracle attacks: https://en.wikipedia.org/wiki/Padding_oracle_attack#Attacks_...

Cryptography is such an esoteric and deep field that it's easy for a fairly smart but inexperienced engineer to misjudge the security of a particular implementation or usage of a cryptographic primitive.


> Even companies as well resourced as Microsoft made these mistakes well into the 2000s.

Indeed! As I just wrote in another comment on this page, Microsoft Outlook 2003 used CRC32 to "hash" the personal folder (.PST) passwords. Since CRC32 isn't a cryptographic hash, it was trivial to generate a collision and access someone else's Outlook personal folder. This flaw persisted until at least 2006! More details here: <https://www.nirsoft.net/articles/pst_password_bug.html>.
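To make the "CRC32 isn't a cryptographic hash" point concrete, here is an added example (not part of the comment above or of any Microsoft or NirSoft code). It runs a plain birthday search over constructed random candidate passwords: with a 32-bit checksum, two distinct inputs with the same CRC32 turn up after a few hundred thousand tries, whereas the same sample fed through SHA-256 yields none. The candidate alphabet, sample size and seed are arbitrary choices made for this demo.

```python
import hashlib
import random
import zlib

# Candidate "passwords" are built from this alphabet (constructed for the demo).
ALPHABET = b"abcdefghijklmnopqrstuvwxyz0123456789"


def crc32_hex(data: bytes) -> str:
    """32-bit checksum, the way Outlook 2003 used it to 'hash' PST passwords."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def sha256_hex(data: bytes) -> str:
    """A real cryptographic hash, for comparison."""
    return hashlib.sha256(data).hexdigest()


def find_collision(hash_fn, n_samples: int, seed: int = 1):
    """Birthday search: hash n_samples random 10-character candidates and return
    the first pair of *distinct* inputs sharing a digest, or None if none appears.

    For a 32-bit digest the expected number of samples before a collision is
    roughly 2**16 = 65536; for SHA-256 it is about 2**128, so the same sample
    size never produces one.
    """
    rng = random.Random(seed)          # fixed seed keeps the run reproducible
    seen = {}
    for _ in range(n_samples):
        candidate = bytes(rng.choices(ALPHABET, k=10))
        digest = hash_fn(candidate)
        if digest in seen and seen[digest] != candidate:
            return seen[digest], candidate
        seen[digest] = candidate
    return None


def demo(n_samples: int = 400_000) -> dict:
    """Run both searches and report what each hash gave up."""
    return {
        "crc32": find_collision(crc32_hex, n_samples),
        "sha256": find_collision(sha256_hex, n_samples),
    }


if __name__ == "__main__":
    result = demo()
    pair = result["crc32"]
    if pair:
        print(f"CRC32 collision: {pair[0]!r} and {pair[1]!r} -> {crc32_hex(pair[0])}")
    print(f"SHA-256 collision in the same sample: {result['sha256']}")
```

Any of the colliding strings would have opened a PST "protected" by the other, which is why a checksum designed to catch transmission errors must never stand in for a password hash (or a password verifier at all; a salted, slow KDF is the right tool).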


I guess the thing about these examples is that cryptography can "visibly work" while being broken. The vast majority of people looking at the product will observe it to work "fine", in that nothing blows up.


The cryptography discussed in the article is probably more aptly titled 1980s microcomputer-oriented cryptography. QText was first released in 1988. I'm not sure when they first added support for passcode-protected files, but the version shown in the article was released in 1992. This is before the spread of the early internet, before RC4 was leaked, before MD5 and HMAC were released and probably before even MD4 became widespread.

I admit I was too young to be well-versed in cryptography back then, but as far as I can tell the only well-known cryptographic algorithms that I can think of during the late 1980s were RSA and DES, maybe also ElGamal? I'm not aware of any cryptographic hash function which predates MD2. There must have been some, but I don't know if any of them really caught on.

Looking at PC software from the early 1980s up to the early 1990s, most of the software used 100% in-house roll-your-own crypto. DES and RSA were initially too slow for microcomputers and even when processing power increased, they were not so trivial to implement yourself and they weren't widely available in libraries until the mid 1990s.

So what you eventually got in this period was mostly ad-hoc algorithms that did very rudimentary encryption and were only as good as the author's imagination. If you were particularly unlucky, they wouldn't be much better than a glorified monoalphabetic cipher. This seems to be the case in QText as well. At least the key derivation function seems to be completely in-house and as the paper has demonstrated (and as you'd fully expect from an in-house algorithm), it has weaknesses that make MD4 seem secure.

I think PGP (first released in 1991) is where we can see the trend start shifting into composing more-or-less standard algorithms using insecure in-house constructions. The first version of PGP used an in-house symmetric cipher called Bass-O-Matic (together with RSA and MD4), but PGP 2.0 replaced that cipher with IDEA[1]. It seems like in the beginning even the RSA signature format was non-standard, and PGP switched to a PKCS #1-based format only in version 2.3[2].

This is where you start seeing all the famous 1990s schemes that go horribly wrong at misusing IVs or performing key derivation with a single iteration of an unsalted hash. But 80s crypto is even worse.

[1] http://www.cypherspace.org/adam/timeline/

[2] https://www.rfc-editor.org/rfc/rfc1991.html


90's crypto exists today, NTLMv2 auth used by SMB is something like HMAC-MD5(MD4(password)).
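As an added illustration of that layering (not code from the comment above and not Microsoft's implementation), the following builds the NTLMv2 pieces from scratch: the NT hash is MD4 over the UTF-16LE password with no salt, and NTLMv2 then keys HMAC-MD5 with it. MD4 is written out in pure Python only because many OpenSSL builds ship it disabled; the function names `ntowf_v2` and `nt_proof_str` follow the MS-NLMP terminology, and the user, domain, challenge and blob values are constructed for the demo.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(msg: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (three rounds of 16 steps per 64-byte block)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian length.
    msg = msg + b"\x80" + b"\x00" * ((56 - (len(msg) + 1) % 64) % 64) + struct.pack("<Q", bit_len)
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                       # round 1: F = (b & c) | (~b & d)
            s = (3, 7, 11, 19)[i % 4]
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK, s)
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2: G = majority(b, c, d)
            k, s = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & MASK, s)
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3: H = b ^ c ^ d
            k, s = order3[i], (3, 9, 11, 15)[i % 4]
            a = _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & MASK, s)
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the UTF-16LE password. No salt, no iteration count."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain.
    This is the only place the user name enters, so it is the closest thing to a salt."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof_str(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """The 16-byte NTLMv2 response: HMAC-MD5(NTOWFv2, ServerChallenge || client blob)."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


if __name__ == "__main__":
    # Constructed demo values; a real exchange carries an 8-byte server challenge
    # and a timestamped client blob inside the NTLMSSP messages.
    challenge = bytes(range(8))
    blob = b"\x01\x01" + b"\x00" * 6 + b"constructed-blob"
    print("NT hash of 'password':", nt_hash("password").hex())
    print("same password, different users, same NT hash:",
          nt_hash("password") == nt_hash("password"))
    print("NTLMv2 keys differ per user:",
          ntowf_v2("password", "alice", "CORP") != ntowf_v2("password", "bob", "CORP"))
    print("NTProofStr:", nt_proof_str("password", "alice", "CORP", challenge, blob).hex())
```

The thing to notice for a defender is the bottom layer: the NT hash is unsalted and costs one MD4 call, so any disclosure of the hash store (or of the hash itself via relay-style misuse) is as bad today as it was when the construction was designed. The HMAC layer on top only binds a response to a challenge and user name; it does not make the stored secret any stronger.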


I mean, they were implementing straight out of Applied Cryptography. How good a job could they possibly have done?

A fun thing to look at today is `deslogin`, the predecessor to SSH.



