6 September 1999. Link to Brian Gladman's earlier critique of MSNSA
4 September 1999. Add Bruce Schneier disparagement of NSA key. Add Peter Wayner on 3rd key.
Thanks to BT.
Source:
http://www.nytimes.com/library/tech/99/09/biztech/articles/04soft.html
The New York Times, September 4, 1999
By JOHN MARKOFF
SAN FRANCISCO -- A cryptographer for a Canadian software firm, dissecting a piece of Microsoft security software, made an unexpected find: an element in the Windows operating system labeled "NSAKey."
When his discovery was made known on his company's Web site Friday, it set off a firestorm of Orwellian visions in Internet discussion groups.
Was the buried software component, as the cryptographer surmised, a Trojan horse that gave the National Security Agency a hidden back door into the world's computers? Or was it merely a Microsoft programmer's remarkably bad choice of language in a software system designed to protect electronic communications and commerce?
Microsoft executives insisted that there was no Big Brother feature in the software. "The big answer is that these charges are completely false," said Scott Culp, a security product manager at Microsoft.
And the National Security Agency, which gathers electronic signal intelligence worldwide and is responsible for the security of the Government's computers, issued a terse three-sentence news release distancing itself from the controversy, saying, "Questions about specific products should be addressed to the company."
Microsoft officials acknowledged that the episode was in any case a black eye for the world's largest software publisher.
"We're going to pay and pay and pay for this," said one of the company's security experts, who spoke on the grounds that he not be identified.
In recent months Microsoft has become a lightning rod for criticism of its products' security and has had to deal with several gaffes, including the discovery last week of a security flaw that exposed the e-mail of users of its Hotmail service.
The latest uproar was set off by Andrew Fernandes, a mathematician in Research Triangle Park, N.C., who is chief scientist of the Cryptonym Corporation, a small Canadian software firm that is developing computer security products.
Fernandes first presented his findings at a technical meeting last month in Southern California, but word did not spread more broadly until today, when a news release was posted on the Cryptonym Web site.
In a telephone interview, Fernandes said he had made his discovery while exploring and trying to replicate the security software in Microsoft's Windows and Windows NT operating systems.
The operating systems make use of a key -- a large number -- to authenticate software components, providing confidence that a component is correctly identified and has not been tampered with. For example, when new encryption functions are added for security, the key verifies that they comply with Government regulations.
Cryptographers had previously noted the existence of a second key whose use they could not account for. What Fernandes found in the program was an identifying tag, disguised in earlier versions. And the label was "NSAKey."
The discovery shocked him, Fernandes said, adding, "It doesn't make any sense why they would put in a second key."
He concluded that the key represented a serious security flaw that would leave Microsoft's operating system vulnerable to intrusion. "The result is that it is tremendously easier for the N.S.A. to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system," his news release asserted.
But at Microsoft, Culp said the key labeled NSAKey was a backup permitting Microsoft to authenticate encryption components if the first key was damaged. And he said the name was simply unfortunate.
Because the key insures compliance with Federal export laws, and the National Security Agency is the authority responsible for reviewing software and hardware products intended for foreign use, the component has been referred to colloquially at Microsoft as the "NSA key," he said. But Culp insisted that the key was not shared with any outside party, including the N.S.A.
"We protect it with dobermans and barbed wire," he said. "Conspiracy theorists are worked up about this, but real life is more boring."
Security and privacy experts were generally skeptical about the notion that Microsoft was cooperating with the nation's electronic intelligence agency.
Microsoft has vocally opposed proposals by law-enforcement and intelligence agencies that would give them electronic back doors to monitor computer data.
Some security experts said that even if there was no sinister explanation for the NSAKey, Microsoft should not add components to its security software system without publicly identifying them.
"They've debased their currency once again by not disclosing this," said Mark Seiden, chief consultant for the information security group Kroll-Ogara.
Microsoft executives said there had been no reason to publicize the backup key. "It was not something that anyone had expressed any interest in," Culp said.
And in any case, the Big Brother that Fernandes said he had discovered turned out to have an Achilles heel. He said he had been able to develop a small program that strips out the second key.
Date: Sat, 4 Sep 1999 16:30:46 -0400 From: Peter Wayner <pcw2@FLYZONE.COM> Subject: Re: Microsoft, NSA, etc. [third key] To: CYBERIA-L@LISTSERV.AOL.COM > > > > I doubt they looked at the code if they indeed mandated it. > >So who's is the third key in W2K? Bill Gates? The third key is supposedly only temporary. They put it in during debugging to avoid using the main keys, but they'll remove it when they ship the final version. I wanted to get this in my article today, but time prevented it. Sigh.
Source: http://www.nytimes.com/library/tech/99/09/cyber/articles/04soft-side.html
The New York Times, September 4, 1999
By PETER WAYNER
W hen a group of foreign programmers examining the inside of Microsoft's Windows operating system discovered an undocumented hole in the security software they immediately began wondering if it was put there for the United States government's intelligence gathering branch, the National Security Agency. This was not a difficult leap for them to make because the hole came with a cryptic label "_NSAKEY" attached to it.
Andrew Fernandes, a programmer for the Ontario-based company Cryptonym, found the label after following up on the work of an English cryptographic expert, Nicko van Someren. He posted a news release describing his discovery on his company's Web site earlier in the week.
To many who read the release, a link between NSA and the label was understandable, considering that the agency's main job is supporting the Executive Branch and the Department of Defense by gathering electronic intelligence.
The news of the discovery spread quickly over the Internet, where people lapped up the accusation that two of the great leviathans at the center of many digital-age conspiracy theories were caught with such a tight connection. While many doubted that a simple label with a suspicious-sounding name could be proof of any serious link, others assumed the worst.
While there is no immediate danger of information being compromised, it added to the distrust in Microsoft's security prowess, Last week, the Web was aflame with news of the discovery of a serious hole in Hotmail, the company's free Web-based e-mail service.
For the record, Scott Culp, manager of security at Microsoft says that the NSA had no control over the hole in the software.
The bigger and more difficult set of questions is what the hole is doing in Windows, whether it is really fair to consider it a hole, and why it was put there in the first place.
Culp said that the so-called hole is really a feature designed to increase reliability and add a backup in case a powerful natural disaster destroyed Microsoft's buildings, and with them the company's ability to document its Windows software. It was only named "_NSAKEY" because the NSA was responsible for checking Microsoft's implementation of computer security.
The hole is really part of Microsoft's Crypto API (CAPI), a system built into Windows for providing encryption tools to other software packages. API stands for "Application Programmer's Interface," a technique used by programmers to coordinate their work in much the same way that the blueprints let an architect and a team of builders coordinate their work.
The CAPI lets programmers who know nothing about codes add security to their software, allowing that software to run on computers using the Windows operating system. A Web site, for instance, may ask the CAPI to scramble a credit card number before transmitting it over the Internet. A piece of software storing medical records could use the same CAPI to add privacy.
Ordinarily, APIs are arcane tools that are designed and read only by programmers. Cryptography, however, is a more sensitive matter because the U.S. government treats such software for encoding and decoding messages as munitions that might give a foreign power an edge in a war. Therefore, the government prohibits the export of encryption software.
The United States has gained significant advantages over its enemies in recent wars by breaking their codes, and the Defense Department would not like to lose this advantage over foreign powers. In addition, the Federal Bureau of Investigation is worried that criminals, in the United States and overseas, may use unbreakable encryption to defy investigators looking for evidence.
When Microsoft decided it wanted to add encryption features to Windows, it needed to balance the demands of people like doctors asking for ways to protect their patient's records with the demands of the government's regulatory apparatus seeking to preserve their eavesdropping ability.
Microsoft's solution was to ship no encryption features with Windows itself, but build a generic system that allowed all users to load their own encryption software modules. Ordinarily, the U.S. government even objects to the existence of systems like the CAPI, which are also known as "software hooks," where someone might attach encryption software. The government believes that even the existence of something like the CAPI would make it easier for foreigners to scramble the data with Microsoft Windows.
To solve these objections, Microsoft designed the CAPI mechanism to check all modules to see if they bore a special digital signature. The CAPI uses digital signatures to check out the provenance of the modules that might be installed. Anyone who wants to add scrambling abilities to their copy of Windows must first apply to Microsoft and get approval after promising never to export the software and violate U.S. law. When all of the forms are filled out, Microsoft gives its approval by applying a digital signature to the encryption module.
Digital signatures are verified by using public keys, long numbers that are generated by a complicated mathematical technique. These keys act like the equivalent of a driver's license or a signature card kept on file at a bank. Each copy of Windows keeps a set of public keys and uses them to insure that the digital signatures were, in fact, created by Microsoft.
When the CAPI comes across a new encryption module, it checks the digital signatures with a public key. If the mathematics work out, Windows approves the module and allows the user to encode and decode information at will.
This solution allowed Microsoft to bundle in features for cryptography while shipping the same version of Windows throughout the world. Ideally, only people in the United States would get high-quality protection because Microsoft would add digital signatures only to software that was not going to leave the United States.
This much was known publicly since Microsoft introduced the CAPI. Last year, van Someren, a scientist at the English company nCipher, discovered that there were really two public keys, or signature cards, inside Windows. That meant two entities could create digital signatures. One was definitely Microsoft, but no one knew the identity of the other.
This summer, Fernandes discovered that Microsoft had inadvertently left some debugging information bound into the latest version of some software patches for Windows NT. Patches are new pieces of software that fix problems with previously released software. Programmers attach name tags to different pieces of data and use these tags to help find bugs, but they usually strip out the name tags to save space and avoid releasing competitive information. Fernandes discovered that the debugging name tags had not been stripped away and the first key came with the name "_KEY". The second key came with the tag "_NSAKEY". Fernandes also discovered that the new beta versions of Windows 2000 came with three keys.
Culp said that while the two keys do give two entities the ability to certify encryption modules, there is no reason to fear that the NSA controls one. Microsoft controls both so they would have a backup, he said.
Matt Blaze, a security expert for AT&T, said that this argument makes sense if Microsoft stores its copies of the key in tamperproof hardware. These devices are designed to resist attacks by erasing the key. "If you're doing that, and your hardware gets destroyed by an earthquake or a fire, then you would never get that key back," he said in a telephone interview. The box would assume that the earthquake or lightening storm was really an attacker trying to get at the key. It would immediately forget it as a defense.
Culp says that both keys are kept in tamperproof boxes behind barbed wire in separate parts of the country, but he would not say where.
Still, Microsoft's explanations have not quieted the speculation on the Internet. Most critics are still worried about the possibility that the technique would allow whoever holds this second key to slip broken encryption software onto someone's computer. The Clinton Administration is currently lobbying Congress to get permission to do just this with suspected gangsters and drug runners. A slightly broken encryption mechanism would allow them to surreptitiously decode the messages. Whoever holds the second key would have the power to create such a broken mechanism.
Bruce Schneier, a security expert at Counterpane Systems, dismissed this possibility. "There are much better ways of compromising security on a computer," he said.
But Schneier conceded that bugging the encryption module used by CAPI and simply eavesdropping on all communication would be a subtle attack that would be less likely to be detected.
Many point out that if this approach was taken by the NSA, it would not be the first time. The Baltimore Sun reported in 1995 that the NSA had secretly subverted the encryption hardware of a Swiss company, Crypto AG.
Still, Blaze said that the existence of two or three keys is not best explained by a secret government backdoor. "It would be much easier to convince Microsoft to tell them the secret key," he said.
The existence of both _KEY and _NSAKEY has also inadvertently introduced a loophole in the mechanism to reduce the proliferation of export control software. Van Someren originally began looking for the key in the hopes of replacing it with one of his own. He could not approach Microsoft and get them to validate his cryptographic software because he works in Britain.
If someone simply replaces _KEY, Windows will fail to start up because _KEY is used to validate other parts of the Windows security software. Replacing _NSAKEY, on the other hand, makes it possible for anyone outside the United States to use the CAPI without problems. Cryponym is currently distributing a program that demonstrates how to do this.
Today, van Someren uses the technique in Britain to experiment with building tools for Windows NT and insuring that his company, nCipher, can create software and hardware that works well with Microsoft's. The mechanism designed to enforce the export rules has failed because of the extra key.
Fernandes said, "Export control is effectively dead for Windows. "
Related Sites
These sites are not part of The New York Times on the Web, and The Times has no control over their content or availability.
Date: Sat, 04 Sep 1999 01:35:40 +0100
To: ukcrypto@maillist.ox.ac.uk
From: Duncan Campbell <duncan@gn.apc.org>
Subject: NSA key in Windows
Just put this out on Techweb at 7pm
A special prize to anyone who can find any CSP or application module anywhere that is signed by the NSA key.
And a decent prize for anyone who can write a plausible explanation of Microsoft's claim this evening that the NSAkey is really theirs and is used to ensure compliance with US export restrictions. Thats what the first key is for. Of course, maybe what they mean is that US export restrictions prohibited the export of the Windows CAPI unless NSA had a backdoor.
I look forward to the strand. :-))
DC
(09/03/99, 2:05 p.m. ET)
By Duncan Campbell, TechWeb
A careless mistake by Microsoft programmers has shown that special access codes for use by the U.S. National Security Agency (NSA) have been secretly built into all versions of the Windows operating system.
Computer-security specialists have been aware for two years that unusual features are contained inside a standard Windows driver used for security and encryption functions. The driver, called ADVAPI.DLL, enables and controls a range of security functions including the Microsoft Cryptographic API (MS-CAPI). In particular, it authenticates modules signed by Microsoft, letting them run without user intervention.
At last year's Crypto 98 conference, British cryptography specialist Nicko van Someren said he had disassembled the driver and found it contained two different keys. One was used by Microsoft to control the cryptographic functions enabled in Windows, in compliance with U.S. export regulations. But the reason for building in a second key, or who owned it, remained a mystery.
Now, a North Carolina security company has come up with conclusive evidence the second key belongs to the NSA. Like van Someren, Andrew Fernandez, chief scientist with Cryptonym of Morrisville, North Carolina, had been probing the presence and significance of the two keys. Then he checked the latest Service Pack release for Windows NT4, Service Pack 5. He found Microsoft's developers had failed to remove or "strip" the debugging symbols used to test this software before they released it. Inside the code were the labels for the two keys. One was called "KEY." The other was called "NSAKEY."
Fernandez reported his re-discovery of the two CAPI keys, and their secret meaning, to the "Advances in Cryptology, Crypto'99" conference held in Santa Barbara. According to those present at the conference, Windows developers attending the conference did not deny the "NSA" key was built into their software. But they refused to talk about what the key did, or why it had been put there without users' knowledge.
But according to two witnesses attending the conference, even Microsoft's top crypto programmers were stunned to learn that the version of ADVAPI.DLL shipping with Windows 2000 contains not two, but three keys. Brian LaMachia, head of CAPI development at Microsoft was "stunned" to learn of these discoveries, by outsiders. This discovery, by van Someren, was based on advance search methods which test and report on the "entropy" of programming code.
Within Microsoft, access to Windows source code is said to be highly compartmentalized, making it easy for modifications to be inserted without the knowledge of even the respective product managers.
No researchers have yet discovered a programming module which signs itself with the NSA key. Researchers are divided about whether it might be intended to let U.S. government users of Windows run classified cryptosystems on their machines or whether it is intended to open up anyone's and everyone's Windows computer to intelligence gathering techniques deployed by the NSA's burgeoning corps of "information warriors."
"How is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft has installed a 'back door' for the NSA -- making it orders of magnitude easier for the U.S. government to access your computer?"-- Andrew Fernandez, Cryptonym
According to Fernandez of Cryptonym, the result of having the secret key inside your Windows operating system "is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system". The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onward.
"For non-American IT managers relying on WinNT to operate highly secure data centers, this find is worrying," he added. "The U.S government is currently making it as difficult as possible for 'strong' crypto to be used outside of the U.S. That they have also installed a cryptographic back-door in the world's most abundant operating system should send a strong message to foreign IT managers.
"How is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft has installed a 'back door' for the NSA -- making it orders of magnitude easier for the U.S. government to access your computer?" he said.
Van Someren said he felt the primary purpose of the NSA key might be for legitimate U.S. government use. But he said there cannot be a legitimate explanation for the third key in Windows 2000 CAPI. "It looks more fishy," he said on Friday.
Fernandez said he believed the NSA's built-in loophole could be turned round against the snoopers. The NSA key inside CAPI could be replaced by your own key, and used to sign cryptographic security modules from overseas or unauthorized third parties, unapproved by Microsoft or the NSA. This is exactly what the U.S. government has been trying to prevent.
A demonstration "how to do it" program that replaces the NSA key can be found on Cryptonym's website.
According to one leading U.S. cryptographer, the IT world should be thankful the subversion of Windows by NSA has come to light before the arrival of CPUs that handle encrypted instruction sets. These would make the type of discoveries made this month impossible. "Had the next-generation CPUs with encrypted instruction sets already been deployed, we would have never found out about NSAKEY," he said.
Date: Sat, 4 Sep 1999 10:00:11 -0400 To: cypherpunks@cyberpass.net, cryptography@c2.net From: Robert Hettinga <rah@shipwright.com> Subject: [PGP]: Bruce Schneier weighs in --- begin forwarded text From: "grt" <grt@wow.net> Organization: ... To: WINNT-L@PEACH.EASE.LSOFT.COM Date: Sat, 4 Sep 1999 09:24:02 -0400 CC: pgp-users@joshua.rivertown.net FYI > from: sci.crypt > subject: NSA and MS windows > A few months ago in my newsletter Crypto-Gram, I talked about > Microsoft's system for digitally signing cryptography suits that go > into its operating system. The point is that only approved crypto > suites can be used, which makes thing like export control easier. > Annoying as it is, this is the current marketplace. > > Microsoft has two keys, a primary and a spare. The Crypto-Gram > article talked about attacks based on the fact that a crypto suite > is considered signed if it is signed by EITHER key, and that there > is no mechanism for transitioning from the primary key to the > backup. It's stupid cryptography, but the sort of thing you'd > expect out of Microsoft. > > Suddenly there's a flurry of press activity because someone notices > that the second key is called "NSAKEY" in the code. Ah ha! The NSA > can sign crypto suites. They can use this ability to drop a > Trojaned crypto suite into your computers. Or so the conspiracy > theory goes. > > I don't buy it. > > First, if the NSA wanted to compromise Microsoft's Crypto API, it > would be much easier to either 1) convince MS to tell them the > secret key for MS's signature key, 2) get MS to sign an > NSA-compromised module, 3) install a module other than Crypto API to > break the encryption (no other modules need signatures). It's > always easier to break good encryption. > > Second, NSA doesn't need a key to compromise security in Windows. > Programs like Back Orifice can do it without any keys. Attacking > the Crypto API still requires that the victim run an executable > (even a Word macro) on his computer. If you can convince a victim > to run an untrusted macro, there are a zillion smarter ways to > compromise security. > > Third, why in the world would anyone call a secret NSA key "NSAKEY." > Lots of people have access to source code within Microsoft; a > conspiracy like this would only be known by a few people. Anyone > with a debugger could have found this "NSAKEY." If this is a covert > mechanism, it's not very covert. > > I see two possibilities. One, that the backup key is just as > Microsoft says, a backup key. It's called "NSAKEY" for some dumb > reason, and that's that. > > Two, that it is actually an NSA key. If the NSA is going to use > Microsoft products for classified traffic, they're going to install > their own cryptography. They're not going to want to show it to > anyone, not even Microsoft. They are going to want to sign their > own modules. So the backup key could also be an NSA internal key, > so that they could install strong cryptography on Microsoft products > for their own internal use. > > But it's not an NSA key so they can secretly install weak > cryptography on the unsuspecting masses. There are just too many > smarter things they can do to the unsuspecting masses. > > My original article: > http://www.counterpane.com/crypto-gram-9904.html#certificates > > Announcement: > http://www.cryptonym.com/hottopics/msft-nsa.html > > Nice analysis: > http://ntbugtraq.ntadvice.com/default.asp?sid=1pid=47&aid=52 > > Useful news article: > http://www.wired.com/news/news/technology/story/21577.html > ******************************************************************** > ** Bruce Schneier, President, Counterpane Systems Phone: > 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 > Fax: 612-823-1590 Free crypto newsletter. See: > http://www.counterpane.com
To: "cypherpunks@Algebra. COM" <cypherpunks@algebra.com>, "'Salz, Rich'" <SalzR@CertCo.com>, "Cryptography@C2. Net" <cryptography@c2.net>, bugtraq@securityfocus.com Date: Sat, 04 Sep 1999 11:41:02 +0100 From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk> Subject: Re: NSA key in MSFT Crypto API The actual funny story behind the presence of the NSA key has been seriously misunderstood here. CSP verification keys have only one *real* purpose: They are intended to enforce the US export restriction requirement that Microsoft is not allowed to ship software abroad that can easily be extended with strong cryptography. They are certainly not intended as any useful form of integrity protection for your system. The NSA got their own CSP verification key, because they want to be able to change their own secret US government CSPs required for the handling of classified documents, without having to go to Microsoft each time to get a signature for an NSA CSP update. Fair enough. So Microsoft built in a second verification key such that the NSA can produce and install on DoD PCs their own CSPs without requiring any Microsoft involvement. The real funny part is that Microsoft did not protect the NSA key particularly well, such that everyone can easily replace the NSA key easily with his own key. This was reported by Nicko van Someren at the Crypto'98 rump session. This means that everyone can now easily install his own CSPs with arbitrarily strong cryptography. This means that the NSA's demand to get quickly a second key added led in effect to the easy international availability of strong encryption CSPs. My guess is that this is Microsoft's sweet revenge against the NSA for creating all these Export hassles (e.g., the requirement that CSPs be signed) in the first place. It backfired nicely against the NSA. :) All this has nothing to do with an NSA backdoor, because the CSP keys are an export enforcement tool and not an integrity protection tool. They do not protect all parts of the system that could be compromised by someone who wants to install some eavesdropping malware. The CSP verification keys only authenticate that no cryptography that violates export laws has been installed. If you are worried about the NSA installing malicious software on your PC, you should not rely on the CSP verification keys (which were never designed for that purpose anyway), but on virus scanners with tripwire functionality that report any modifications to your DLLs. There is no digital signature functionality required to implement these, simple secure hash algorithms will perfectly do. Please apply a bit of simple critical thinking here: If the NSA wanted to have real backdoor functionality, they would much more likely simply steal Microsofts own keys instead of embedding additional keys with an obvious symbol name. Remember: The NSA is the world's largest key thief. They have stolen crypto variables from well-protected military and government agencies from all over the world using the usual repertoire of techniques (bribery, extortion, eavesdropping, hacking, infiltration, etc.). If they can do it with eastern military agencies, they can most certainly also do it easily with Microsoft, which is orders of magnitudes less well protected than the usual NSA target. If there is a real NSA backdoor key in Windows, that it would certainly be identical to Microsoft's own key. Markus -- Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK Email: mkuhn at acm.org, WWW: <http://www.cl.cam.ac.uk/~mgk25/>
Date: Sat, 4 Sep 1999 03:00:20 +0200 (CEST) From: Anonymous <nobody@replay.com> Subject: Re: NSA key in MSFT Crypto API To: cypherpunks@cyberpass.net From personal archives, one full year ago: Date: Sat, 08 Aug 1998 11:29:09 +0100 > Thanks to Nicko van Someren: > Microsoft has already put the appropriate hack in CAPI for you. It > contains two public keys, the live one and one that's presumably a > backup. If you replace this backup key with your own key, then CAPI > will indeed accept signatures made by either. This second key has been known about for a year. The only new news is that it is called "_NSAKEY" in the debug symbols. But whether it is owned by the NSA or not, the ability to use the second key to get non Microsoft crypto modules loaded is old news. Also see this from Matt Blaze, which may help to quench the flames: [Snip Blaze message below]
Date: Fri, 03 Sep 1999 20:12:39 -0700 To: cypherpunks@cyberpass.net From: Greg Broiles <gbroiles@netbox.com> Subject: NSA key in Windows? news.com has an updated story at <http://www.news.com/News/Item/0,4,41277,00.html?st.ne.fd.mdh.ni> - the new information is: Richard Smith of Phar Lap says he's found the NSA key in software as far back as 1998; NSA faxed a statement to news.com saying that export control regs require that crypto API's must be signed. [NB: this requirement doesn't exist in the published crypto export regs at 15 CFR 740 et seq; perhaps it's one of their nondisclosed requirements.] Microsoft says that NSA reviewed the crypto architecture, including the "backup key", and it was approved by NSA; Microsoft says the "backup key" has always been present in the Crypto API; Microsoft says the third key in the Win2000 builds is a "test key" which won't be present in shipping versions of Win2000. -- Greg Broiles gbroiles@netbox.com PGP: 0x26E4488C
To: "Lucky Green" <shamrock@cypherpunks.to> Cc: "Cryptography@C2. Net" <cryptography@c2.net>, bugtraq@securityfocus.com Subject: Re: NSA key in MSFT Crypto API Date: Fri, 03 Sep 1999 15:48:07 -0400 From: Matt Blaze <mab@crypto.com> Here's what I said about this on another list: I must admit that this doesn't make much sense to me. I was at Crypto, but I must have missed the rump session talk in question (and it's entirely possible that the talk occurred anyway - I was out of the room for a good deal of that session). In any case, non-Crypto people should remember that the "rump session" consists of entirely entirely unreviewed talks each lasting about five minute. It is *not* a peer-refereed part of the Crypto conference, just a place for people to announce new or minor results. It is very easy to get a rump session slot, and people say bogus things at the rump session all the time. That said, I don't understand the point. If the NSA wanted Microsoft to quietly compromise the CAPI install mechanism (which is supposed to require Microsoft's digital signature on the installed module - thereby preventing the installation of non-US crypto and allowing CAPI OS's to be exported), it would be *much* easier to do any of the following: - Convince MS to tell them the secret key for MS's signature key - Get MS to sign an NSA-compromised module. - Install some module other than CAPI to compromise the OS (only CAPI modules require the signature). Regardless of the mechanism used, NSA still would still have to convince the owner of the computer in question to install the compromised module (perhaps by exploiting one of the other bugs in the OS, which is admittedly probably easy enough to do). Finally, assuming that MS has two public CAPI-install keys in windows, and someone discovered this, how would they know that one of the corresponding secret keys is held by NSA? From looking at the web page in question, it appears that the evidence consists entirely of the fact that one of the CAPI keys has an internal symbol name of "_NSAKEY". Since anyone with a debugger and a copy of an MS OS can find this symbol, if this is intended as some kind of covert mechanism, it's not very well hidden. -matt
From: "Lucky Green" <shamrock@cypherpunks.to> To: "Robert Hettinga" <rah@shipwright.com>, "Matt Blaze" <mab@crypto.com>, <cypherpunks@cyberpass.net> Cc: "Cryptography@C2. Net" <cryptography@c2.net> Subject: RE: NSA key in MSFT Crypto API Date: Fri, 3 Sep 1999 17:58:51 -0700 The NSA would be remiss in their task as US spy agency if it failed to ensure that there are multiple backdoors to the world's most widely used operating system. One would assume, there are backdoors even the vendor does not know about. After watching the NSAKEY talk at the Crypto rump session [name elided], by his own account at the time the person ultimately responsible for CAPI at Microsoft, told a group that even he had not know about the second key. In addition, he informed us that access to the Windows source code is heavily compartmentalized, making it easy to insert modifications without the knowledge of even the respective product managers. On thing I learned from my work on the GSM ciphers is that intelligence agencies will insert compromises at every step: key size, key generation, cryptographic algorithms, every single cryptographic component in GSM has been deliberately compromised. It therefore stands to reason that additional, so far undetected, backdoors exist in Microsoft's operating systems. --Lucky Green <shamrock@cypherpunks.to>
To: cypherpunks@cyberpass.net From: daw@cs.berkeley.edu (David Wagner) Subject: Re: A-M$: The Microsoft NSA Back Door. (fwd) Date: 3 Sep 1999 16:29:17 -0700 In article <Pine.LNX.4.10.9909032217220.5420-100000@zor.hut.fi>, Zombie Cow <waste@zor.hut.fi> wrote: > It turns out that every copy of Windows 95, 98, NT 4, and Windows 2000 > has a back door that makes it easy for the National Security Agency to > gain access to your computer. Sigh. I fear you are misinterpreting the discovery -- you might want to look closer at the technical details. I've been trying to urge caution to the reporters who've called me about it. This does NOT appear to be a case of the NSA installing a backdoor that lets them spy on Windows machines around the world. I should explain. To load a new crypto module into Windows, it must be signed with Microsoft's key; to get a signature from MS, you have to go through this whole rigamarole (export controls....). The discovery is that there's a second, mysterious, alternative key that can be used to load a crypto module into Windows. On one platform, MS folks forgot to strip out debugging symbols, and the key can be seen to bear the suggestive label "_NSAKEY". So, at worst, this is a backdoor that allows that NSA to manage their own computers more easily, without going through the rigamorole that the rest of us have to deal with. This is, IMHO, a lesser sin (albeit still an abuse of export controls, if true). Also, there is some question whether this key actually belongs to the NSA. One reporter I spoke to said she talked to Microsoft, and they claim that it is just a backup key (in case they lose the private key corresponding to the first one?), and is not a backdoor for the NSA. Their response is weasel worded carefully enough that I do not trust it 100%, but I'd urge everyone to check further with Microsoft before drawing any final conclusions. The discovery _does_ have some security implications: The discovery makes it easier to bypass the controls on loading new crypto modules. There seems to be some "software tamper-proofing" (heh) in place that causes Windows to crash if you try to alter the main Microsoft key, but you can alter the "_NSAKEY" without any difficulties. Thus, the next Melissa virus could incorporate code that changes the "_NSAKEY" and downloads a Trojaned crypto module into your machine. Ironically, the biggest impact of the "_NSAKEY" may be that it will make it easier to bypass Microsoft's export controls on crypto modules. In the future, third-party release of crypto modules may include code that, during the installation process, changes the "_NSAKEY" to authorize downloading of new strong crypto modules; this will make it possible for the first time for foreign crypto developers to write code that upgrades international versions of Windows to full-strength crypto.
Date: Fri, 3 Sep 1999 10:03:57 -0700 From: Greg Broiles <gbroiles@NETBOX.COM> Subject: Re: Warning about Installation of Software -- Don't be fooled by NSA To: CYBERIA-L@LISTSERV.AOL.COM I spoke with a friend last night who attended the rump session at Crypto, who confirmed that the talk was given. The existence of the second key was discovered by a crypto researcher who had the insight that looking inside the executable for areas of unusually high entropy might prove revealing - he found two such areas, each1024 bits long (exactly the length of the Crypto API public key), where the design of Crypto API would only have required one .. leading to further investigation and disassembly of the code. One approach to independent verification would be to repeat the initial investigation - look through the RSABASE.DLL file in your \WINDOWS\SYSTEM directory looking for relatively high-entropy sequences. A paper describing this technique is available at <http://www.ncipher.com/products/files/papers/anguilla/keyhide2.pdf>, and C code purporting to implement that seach is available at <http://www.hedonism.demon.co.uk/paul/download/ncheck.c>. -- Greg Broiles gbroiles@netbox.com PGP: 0x26E4488C
From: "Lucky Green" <shamrock@cypherpunks.to> To: "cypherpunks@Algebra. COM" <cypherpunks@Algebra.COM> Cc: "Cryptography@C2. Net" <cryptography@c2.net>, <bugtraq@securityfocus.com> Date: Fri, 3 Sep 1999 00:21:01 -0700 Subject: NSA key in MSFT Crypto API Andrew Fernandes tonight published the results of his reverse engineering of Microsoft's Crypto API (CAPI). [This builds on work done by Nicko van Someren from nCipher]. Background: MSFT CAPI comes pre-installed with two keys used to check the validity of a Cryptographic Service Provider (CSP). The holder of either key can install operating system security services without user authorization. The first key is used by MSFT to sign their own security services modules. The identity of the second key holder until now been unknown. That is to say until MSFT forgot to strip the binary of NT4 SP5 off debugging symbols. Perhaps not surprisingly, the debugging symbol for the second key is... _NSAKEY, For more information and a program to remove the NSA's key from your copy of Windows 95, 98, NT, 2000, see http://www.cryptonym.com/hottopics/msft-nsa.html Note that Windows 2000 includes not just two keys, but three keys that can sign modules that will control security services on your copy of Windows. Word has it that the third key belongs to the FBI. So far, there has been no independent confirmation of this rumor. --Lucky Green <shamrock@cypherpunks.to>