Microsoft NSA key Follow-Up 163
Signal 11 writes "Bruce
Schneier at Counterpane has some interesting comments about the so-called NSA key embedded into all current versions of windows.
" If you missed the fireworks, read the first story or Microsoft response.
THINK! (Score:3)
yes, it seems that the NAME of a key is a bit weak evidence to use.
However, I think people began to have more fun with the "government has evil plans" conspiracy theories and they lost track of the real topic. So far, there seems to be no *real* evidence of anything, either way, at all.
the real lesson should _not_ be "be afraid of MS and the NSA", it should be "THINK about what you are reading and get more information".
If you don't, you will be one of the unsuspecting masses who will get blinded by propaganda.
---
Re:Most likely explanation is... (Score:1)
So this isn't a good explanation for the existance of the second key.
I think the true explanation is even simpler: someone who didn't know crypto added it and specified its features, and either nobody who knew crypto paid attention, or their warnings simply weren't heeded until too late.
I've seen this happen MANY times, and it's astounding how smart, well-worded, and properly delivered arguments can be completely ignored until it's too late.
I'm sure the third key got in W2K in a very similar way.
-Billy
Absolutely, and here is what it would look like! (Score:2)
A buffer overflow that they know about, is not publicized and is not getting fixed.
In fact this is absolutely indistinguishable from an honest mistake of a sort that is so common that nobody would think twice. But still it allows any access that they want.
Now all of that said, there is more. Remember a long time ago that Bruce Perens came out with warning that a proprietary company could submit a patch with a backdoor which they could then exploit later against OSS? Remember how he got flamed over it? People were saying, "What are they going to do? If they put in an if condition, anyone can see it and remove it. They would never do that!"
Um, not quite. They could do it by putting a buffer overflow in a known place. It looks just like an honest mistake, there are lots more just like it scattered through plenty of OSS projects. If caught it is a minor oops, not even a hint of suspicion.
The moral is that as long as buffer overflows are accepted and common, backdoors for those we don't want to have them will be easy to come by.
Cheers,
Ben
Re:Did he SAY they use Unix..? (Score:1)
Two words: Lock Picks.
well, not really, but you get the idea, if "they" can get to the computer under that kind of security, then "they" must also want it enough to break through the crypto. Very possible, but incredibly difficult with current crypto schemes and large keysizes.
It really is just another hoop for any intruders to jump through (and oftentimes much more time consuming than any of the others if they can't find your key or predict it from the random number generator algorithm). That's all. If those measures are being taken already, not too difficult to add one more...
Jeff
ehm (Score:1)
You might as well just put a couple of filing cabinets in that metal room (well, almost).
--
Re:Speculation. Astute speculation but still... (Score:1)
The NSA knows 16 bits of the Netscape export key too - and the same probably goes for a number of other export software packages. No reason to finger Lotus Notes specifically.
Re:No. (Score:1)
It's pie ALL over MS' face, and Linux has the same strength -- only Linux has it intentionally, not accidentally.
As to the part about viruses being able to replace your crypt with weak crypto -- okay, it's a danger, but only if you haven't replaced the key yourself already.
This is a GREAT opportunity for everyone to upgrade their security.
-Billy
Re:The real importance of the NSAKEY debacle (Score:1)
Be afraid. Very afraid.
The *real* way the API works. (Score:1)
Perhaps only the second is trivially replaceable, (ie, simply hexedit the string to a bunch of zeros)...
> 4. The key "locations" were never "known" prior to sp5.
This is not known. I'm sure people poked through MS's DLLs before. And the key did have the characteristic form of a key, as in, that string of bytes did look like a key. What we didn't know until recently was the symbol names that went with the data. (But the actual location and value of the data is *trivial* to rip out of an executable.)
> 5. In exported versions its 40 bit. Not a terribly difficult crack.
The strongest encryption you are allowed to install is 40b. But there are fewer restrictions on the use of encryption in such a way that arbitrary data can't be sent. One example of this is digital signing, such as it's used in the CryptoAPI. Especially when the intended use of the digital signing is to keep people from installing strong crypto in violation of those very export laws. 6. Yes you can replace it with a program, but with the first key to authenticate me as i spoof widgets.com, I can replace it without your knowledge or approval.
No, there's nothing in here that lets you install anything on someone's computer without their approval. They still need to initiate the install (by running the installer, or a trojan of some sort). What the key does is allow the CryptoAPI to check if the crypto package you install is signed by MS, or the NSA, the only two entities (in this case) who are supposed to sign valid crypto components for Windows.
You *could*, with a trojan, replace that key, or simply crack the cryptoAPI to not check, and then allow the installation of unsigned crypto modules. But, this would be silly and redundant to use in an attack.
If you could gain access to someone's computer (via trojan, physical access, etc) then you could simply install a keyboard monitor, or some such, and read all of their data directly, bypassing any crypto. You wouldn't need to hack the crypto module, install broken/weak crypto, then crack it later. And if you did this, the people they tried to communicate wouldn't understand it, because the crypto algorithms wouldn't match.
No, the only '3v1l h4x0r' trick to do here is simply crack *YOUR* CryptoAPI (and let your friends do the same) so that you can easily encrypt data with a strong algorithm and large key. To do this you'd need to either convince MS or the NSA to sign your strong crypto, or remove the check in the CryptoAPI, much the same as crackers everywhere remove shareware expiration checks, etc.
Tech for this exists. (Score:1)
LINUX stands for: Linux Inux Nux Ux X
You made the laws, now enforce them! (Score:4)
Or are we proving once more that if you have enough money, you're above the law?
just a thought... (Score:1)
"Normally, Windows components are stripped of identifying information. If the computer is calculating "number_of_hours = 24 * number_of_days", the only thing a human can understand is that the computer is multiplying "a = 24 * b". Without the symbols "number_of_hours" and "number_of_days", we may have no idea what 'a' and 'b' stand for, or even that they calculate units of time."
...
"Then came WindowsNT4's Service Pack 5. In this service release of software from Microsoft, the company crucially forgot to remove the symbolic
information identifying the security components."
this doesn't mean that i acutally believe something like this could simply just "slip through to the public", but don't be so naive people. this is the government of the most powerful nation in the world. to think they don't have some form of control over a product which is a) originated in this country b)used in almost every country in the world and c) has the capability to "interfere with national security" is ludicrous. also, it appears to me that in most of the responses to the article people didn't really read the part i quoted above. if the allegations of microsoft "forgetting" to change their variable identifiers to ambiguous ones is actually true, then i believe this finding deserves some credit. however, i don't want to be naive as well and believe everything that i hear. examine all the facts, and think before you speak.
Re:The following 4 questions are still not answere (Score:2)
Re:The following 4 questions are still not answere (Score:2)
#2 is incorrect -- all symbols were stripped, both _KEY and _NSAKEY. Symbol stripping is standard on executable releases; it reduces bulk and helps keep dirty names out of releases.
#3 is amusing -- you use the phrase "so many smarter things to do" and "Microsoft" in the same sentence. Face it, Microsoft has always been stupid. And getting bigger doesn't help -- the IQ of a group is equal to the minimum of the IQs of its members, divided by the size of the group (as a Debian user, I'm unhappy about that rule
#4 is just SO wrong it's not funny. Most every OS vendor, and many other software and hardware vendors, have deals to ship this stuff.
-Billy
Re:It's (not) the NSA, stupid (Score:1)
Enough with the fuss (Score:1)
Personally, I'm quite the fan of the programmer's-joke theory: I've got one thing named KEY, I'm bored, I don't want to name it KEY2 or something equally boring, so why not slap "NSA" in front? Hmm, maybe I should slip "NSA" into the code I'm (supposed to be) working on right now...
Re:It's (not) the NSA, stupid (Score:1)
One way or another, I'd like to see who all's changed status on their payroll over the last week or so...
But why are there two keys ? (Score:1)
The biggest unansvered question still remains: "Why are there two keys ?". So far Microsoft hasn't uttered a word of explanation that holds water.
They have admitted that the key is "to ensure compliance with the NSA's technical review". Either NSA wanted a second key or the MS software engineers didn't understand the review.
Microsoft has so far not offered any explanation of the second keys purpose that the first key doesn't already fulfill. Therefore, either they aren't telling the real truth or they fucked up the implementation.
Microsofts NULL statement can be found here: http://www.microsoft.com/s ecurity/bulletins/backdoor.asp [microsoft.com].
--
Why pay for drugs when you can get Linux for free ?
It's (not) the NSA, stupid (Score:3)
I have to agree with Bruce's (and quite a few /. readers') take on this. If the NSA really did put a back door into Windows, they'd make damn sure no one could find it. Ever. That's why they're called "spooks".
Besides, with Echelon, they don't even need the back door......
Microsoft has admitted it: (Score:1)
NSA stands was ment to stand for "National Security Agency".
See:
[microsoft.com]
http://www.microsoft.com/security/bulletins/bac
"The NSA performs the technical review for all US cryptographic export requests. The keys in question are the ones that allow us to ensure compliance with the NSA's technical review. Therefore, they came to be known within Microsoft as "the NSA keys" "
But what the real purpose of the second key is, we will propaply never know.
--
Why pay for drugs when you can get Linux for free ?
Re:OK, my hunch: Good hunch (Score:2)
Here is my theory, which goes along with yours:
There is a small team of M$ programmers who take pride in the code they are crafting, and have worked hard to create a working Crypto API. At some point, the NSA sends around their "pressure tactics" team to influence how crypto modules get signed. These guys are good, without a doubt they have been trained in psychology and have rehearsed and play-acted the scenario many times and are now *VERY* effective at persuasion.
M$ management crumbles like a bunch of spineless wimps, giving in to every demand of the NSA, and then order the crypto team to implement a second key for the NSA, in effect nominating a second "root" CSP. You need to have a dual root system to do effective Revocation Lists, but it is not necessary.
So the programmers implement the second key, but chafe at being forced to do a weak crypto implementation. So they make sure the second root key can be replaced without breaking their crypto API, although replacing the M$ root key will cause a failure. They even give the variable the name _NSAKEY so others who maintain the code know what shit is going on.
Then someone in the software build group who pulls together all the source code from each project and does the compiles, forgets to strip symbols and the _NSAKEY symbol is left in the code.
Now the world knows it can rip out the second root key, and let windows fail the check with the first root and failover to the second. Now you can set up any strong crypto system yourself, but this is probably most useful for foreign banks and governments who can afford an expert to set up and test the system before rolling it out.
And the word gets out a little louder than before: U.S. crypto laws are there to make the NSAs job easier, not to protect american citizens or e-commerce or privacy or anything else.
But the best quote today from anonymous (finkPloyd) coward is:
Let's face it, if you are depending on Windows for security, you have more problems than the NSA
the AC
Bruce is da man! (Score:3)
I got to meet him a the Neal Steaphenson Cryptonomicon book signing here in Minneapolis a couple of months ago.
I got him to sign my copy of Applied Cryptography. The signature was
OJNE
EHTY
KOOB
Now, how cool is that? Definately seems like the kinda guy I'd like to take out for some beers some time.
Hell, I started spouting off about my plans to wire my vintage telegraph key into my COM port so I could have a 'backup' for my e-mail program. He liked my idea and said to shoot him an e-mail when I get it working, he'd pay me to work up one for him too.
Just some after lunch ramblings.
Interesting Point. (Score:1)
Re:But why are there two keys ? (Score:1)
Supposedly, if the primary key were lost or destroyed (say in an earthquake or fire), they could still sign components using the backup key.
As I mentioned before, I don't buy this explanation totally as there is no reason they didn't have the primary key distributed using an n-threshold key sharing algorithm. The same holds true for the backup key.
Had they taken this approach, they would have parts of the key in each office. They would need only N parts to reconsitute the key. And, since the parts would be given to supposely responsible individuals, the only way the key could be reconsituted is through a deliberate act or collusion of those holding the parts. My guess there are ways to prevent even the later.
If their issue was key compromise, then what provisions are in the CryptoAPI to revoke the primary key and activate the backup key? How about being able to replace a superceded/revoked key so that the can not/will be used again? How are they handling certificate revocation lists (CRLs)? Can anyone answer that question? I'd love to know.
Maybe I sound like a conspiracy nut, but something just isn't right here. Either this is an act of ignornace on Microsoft's part or this is just a lame attempt to put another chink in our freedom's armor. But, I guess we'll never know for sure.
Re:Conspiracy or not (Score:2)
As for your first point, I agree. But if you had a secure way to switch between two keys, it would be a smart thing because you could keep signing things even in the event of a compromise and you would not have to get a new copy of the software with a new public key to everybody in order to do so. However, since MS's scheme trusts both keys, I agree with you that two copies of one key would be functionally equivalent.
I think what stinks is that MS is a closed source company. You can't know for certain what they are doing or why. You are only as secure as MS knows you. You, you have no idea. Yeah, I like that.
If I were moderating.. (Score:1)
Conspiracy or not (Score:3)
Screwing the customer, by creating a secuirty mechanism that can be easily bypassed (if a replaces NSAKEY with a new one, then all your crypto modules can be replaced with insecure versions)...
On the flip side, they're blatantly disregarding the gov't's export requirements by allowing this key to be replaced abroad. So much for disallowing the export of strong crypto... They can just ship a weakened product and let people oversea's implement the changes.
No matter how you feel about encryption, privacy, etc... THIS IS A BAD THING. Bad for the consumer, bad for the government, and just bad policy. As we touched on in one of the previous discussions, why in the world did they need to create this "backup" key in the digital age?
I'd hope to expect that Win2000 ships with just a single key to compare signed code with, or at least bothers to check the signature of the back up key as well... Though I like the idea of myself being able to implement whatever cryptography I'd like, I don't trust anyone enough to go and implement new & imporved modules without my explicit approval
Weeeelllll... (Score:1)
I don't think this point is all that strong. Given that MS has made it possible for ANYONE to replace the crypto routines, arguments from "they aren't that stupid" don't hold any water.
---
Put Hemos through English 101!
"An armed society is a polite society" -- Robert Heinlein
responsible to the stockholders (Score:1)
CryptoAPI still not trustworthy. (Score:5)
The strength of encryption is based not on how big the keys are (sorry, but 32kbit keys are just plain unneccesary), but on how hard it is to get the plaintext, based on the crypttext and other known information. If the secrecy of your credit card numbers depends on other people not knowing the algorithm, or the implementation, of your encryption, then your encryption is pretty darn weak. Once the algorithm leaks out (due to espionage or hacking), your secrets are out.
The best encryption for one to use has five components working for it:
In the case of the CryptoAPI, we don't have an open-source implementation, nor do we know the details of the development of the CryptoAPI. Microsoft has all this information and isn't about to release it to anyone. Because of this, we don't know if the analysis of the CryptoAPI is sufficient. Therefore, we should consider Microsoft's CryptoAPI package untrustworthy.
Re:It's (not) the NSA, stupid (Score:2)
Likely the same thing happened at MS but of course we're all primed to believe the worst of them. Sorta makes you glad your mother lectured you on the importance of maintaining a good reputation, doesn't it?
Re:Still confused (Score:1)
Your explanation makes sense though. Theirs does not.
-cpd
Yet Another Debunking at The Register... (Score:1)
OTOH, the Register article seems to imply that the NSA screwed up in allowing the export of Windows with such a hook, which counters the "NSA is too competent to be this dumb" approach to debunking the idea that this is an NSA backdoor.
But, whether a mistaken approval or an incompentent backdoor, it doesn't seem to be much of a real threat. All in all, it's only proof of nefarious intentions if you assume nefarious intentions to begin with.
But if I talk like this much more, the other Libertarians won't let me come to local party meetings anymore...
The FUD works backwards. (Score:1)
Roswell Revisited (Score:5)
Previous reports to the contrary are false. Indeed, they never happened. In fact, I don't remember any previous reports to the contrary. In truth, I don't even know why I'm telling you any of this, because we have received no credible reports of an NSA Backdoor in any windows platform.
Next week we will start investigating reports that farmers are finding strong encryption algorithms burned into their crop fields. Until we discover more about this pheonomena, we are banning all crop exports immediately and reclassifying corn, wheat, and other grains as munitiions.
Thank you for your support in this matter.
Signed,
The Federal Government
Re:Conspiracy or not (Score:2)
The problem with the MS implementation is that EITHER key is trusted! There should be a mechanism to switch keys in a secure manner such that one key becomes untrusted. As it is now, if one key is compromised, it will still be trusted!
No. (Score:1)
Microsoft has, apparently done some things wrong here, though. As I understand it, the reason the primary key can't be changed is that the default CSP is signed with the primary key, and changing this key would render the system unusable. Had a necessary component been signed with both the backup key and the primary key, and both signatures tested for that component, it would become more difficult to change the keys and retain a useful system.
The other thing that Microsoft has messed up here is the issue of key compromise. Microsoft has focussed entirely on prevention on this issue, excluding contingencies where the keys are compromised. They speak of hardware, software and physical security to prevent key compromise, but there does not appear to be a mechanism for key revocation if and when these security mechanisms fail, and the key _is_ compromised.
Re:Weeeelllll... (Score:2)
For all the bad press MS is getting, is it possible that they made the second key weak for a reason? Think about it - by making this second key relatively easy to change, that means that non US/Canadian servers running WinNT could implement high security - a feature many outside these countries want. Although MS can't officially sell their software with this encryption, they can "mess up" and allow others to do it for them, thereby sticking it to the government.
How's that for a conspiracy theory?
Re:NSA...ther're no dummies (Score:1)
Signal-to-Noise Ratio (Score:1)
mwood set up the credibility [slashdot.org] argument with his reminder about how Mom talked about reputations. The credential comments seem like a lazy mans way to address this.
flatrbbt emphasized [slashdot.org] this again but left me some questions to ponder. I hope responses to those questions grows further.
I could go on-and-on but the point I wanted to make was how markedly different this discussion is. The AC group seems to be on vacation and I want to encourage more factual discussion about this. I am going back into learn mode so keep the good stuff coming.
Actually, you don't have to provide the source! (Score:1)
So if you want to make a bogus CSP you lie about the contents. Of course your customers can hold you responsible for lying about what you're giving them, but you may or may not care.
Yes, really. (Score:1)
yes, *BUT* (Score:1)
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
Re:Most likely explanation is... (Score:1)
Except it *does* allow the NSA to change your crypto. Whether they would want to or whether they have a better way in through another security hole is debatable. The real point is that it is unnecessary for you and I to have a NSA key in our copy of Windows.
Re:Are they really advanced? (Score:1)
BTW, your comment about "they don't develop their own technology" is a bit off.
Yes, they use Crays -- but they also have super computers that they develop in house (in whole or in part). One notable one they call "The Thinking Machine" was specifically designed and developed for crypto operations.
Re:not a coward, just forgot password (Score:1)
Yes, customers can replace the key aboad in order to implement whatever crypto they want. But a virus could subistitute the second key with one of it's own and then change the default crypto from _____ bit (128 bit?) to 1 bit if it felt like it. Your data would still appear to you as being scrambled, windows would accept this new encryption scheme and everyone involved would think it's all hunky dorey.
Yes bruce is an expert on the topic... We're no longer talking about NSA conspiracies here, and just thinking of Windows security issues. That key will not permit them to run word processing programs without your knowledge. It just is a public key for windows to check the validity of crypto modules. He himself said that in all likelyhood the NSAKEY isn't there for the NSA. So then, why do you want to remove that key, anyways?
Additional copies of the key (Score:1)
Re:It's (not) the NSA, stupid (Score:1)
_________________________
Words of Wisdom:
I did NOT sleep with that woman. (Score:4)
Even after their answers, The questions remain.
Why are there 2 keys?
Why are the keys replacable?
Who has had access to them? aside from a hoarde of programmers doing daily builds.
Doesnt the daily build mean the two keys are stored in the same building?
Is only 1/2 oh this building "natural disaster proof"?
What happens now that the key locations are known?
How long before they are cracked?
Once they are cracked, cant I use ms_key to replace nsa_key?
Have your keys been replaced?
Will they be replaced again.
Can they be replaced via activeX/java?
All in all, I find the story without credibility.
The tone in his second writing does not support the tone of his first.
What changed his mind? Why is this such an insignificant security hole in comparison to the major hole at the time of the first writing?
Who convinced him otherwise?
I am sorry, but having listened carefully to this and other arguments presented by MS and its minions, I will need some convincing.
Until then, I will continue to recommend that all MS products be removed from "secure" corporate machines.
Steve Ruyle
The keys are NOT for integrity protection... (Score:3)
If you send Microsoft a CSP which encrypts data by XOR'ing with a stream of zeroes they'll sign it as long as you have the appropriate license. They don't care, nor should they.
Think about it. If Microsoft were actually certifying that any signed CSP provided a good strong crypto implementation, then any customer who discovered a flaw in a signed CSP could sue. And would. Microsoft wouldn't even consider putting themselves in that position.
Therefore if I work for the NSA and I want to install a crippled CSP on your system, I ask Microsoft to sign it. And they will, no security questions asked. The only thing having my own key would buy me is not having to wait for them to get through the process.
Ironic if true. (Score:1)
The one documented effect of the second NSAKEY is to defeat strong encryption control on Windows.
No matter which side of strong encryption debate you're on, Microsoft has probably lost reputation over this. Don't be surprised if an order for RedHat CDs arrives from Maryland...
Re:If I were moderating.. (Score:2)
If I recall correctly, there are several warnings in AC (at least the first edition) warning against using the work of amateurs.
That said, Blowfish and Twofish do seem to have passed muster with world-class cryptographers, which is a tremendous achievement; and I have tremendous respect for Schneier.
thad
It's a PR issue (Score:2)
I was wondering about that, too. Why would they give an explanation that clearly makes no sense? I think it's a PR concern. Talking about natural disasters is OK -- publically raising the issue of a compromised key is not.
The real importance of the NSAKEY debacle (Score:4)
The true importance of this news item never had anything to do with practical matters of security. If you're concerned with and knowledgeable about computer security, you're probably not using Windows -- especially if you're trying to keep the NSA out.
The real issue is the effect this story will have on Microsoft's international image. They are already considered to be very Americocentric (as are many other American companies, to be fair). Remember Microsoft's refusal to produce an Icelandic version of Windows [seattletimes.com]? They ticked off lots of non-Americans with that move, not all of them in Iceland.
The idea that Microsoft would truckle to the whims of an American intelligence agency only worsens the problem. It didn't turn out to be true, but people aren't going to remember that. They'll remember the accusation far longer than they'll recall the exoneration.
It sucks, but the truth just isn't an important factor in shaping public opinion. Microsoft lost big on this one.
--
+1 Offtopic, Humor (Score:1)
Finkployd
Re:Did he SAY they use Unix..? (Score:1)
The security is more likely to be enforced through no network connection, being in a metal room so that no electormagnetic signals can escape, and simply never allowing any recording media of any sort to leave the room once it has entered. Beepers, cell phones, and other electronic devices will also never enter and especially never leave that room. Really secrete places probably have filters on the power or their own power supply so nohting can escape over that channel either. No modem will be left in a computer connected to a live line (there is probably not a live telephone line in the room) so no trojan process can dial out in the middle of the night and up load stuff.
The secrete data can then be manipulated with whatever software you want. Given such a situation, how would you steal data ? You might slip them a messed up copy of something so they'd loose their data or otherwise sabatoge the effort, but there is no channel for you to receive information on the outside.
conspiracys... reasons why not (Score:1)
OK, people have been saying 'It *must* be the NSA' for this Microsoft 'key'.
Now, there are a lot of conspiracy theorists out there that would say this is the NSA. There are even more that believe in the coverup of Roswell et al. Some even believe the X-Files is real...
Here's a thought - IF the Government is so powerfull and has been so good at keeping secrets, how come they are pretty inefficient in comparasin. Surely if the Government was able to keep all of these things secret and so effeciently then why do we still have crime on the streets ? Why are there still the unemployed... makes you think...
As I think a couple of other people have said, is it not plausable that a MS programmer thought of a name for a key and then thought of the NSA... bet he's laughing if he did... otherwise we better start to worry
Amateur status (Score:1)
...phil
The best hiding place is in plane sight... (Score:1)
Of course, if everyone didn't take it seriously because they believed that it was "too obvious" and that it "couldn't be true," then it could be even more powerful than if it were kept secret.
Just a conspiracy nut theory... Personally after reading through all the commentary and articles it just seems to be a bit of sensationalism. The buffer overflow security flaws in IIS is a much larger security risk than this issue....
The other Microsoft response (Score:1)
I read the last few paragraphs as "The NSA required it, we put it in, don't worry -- it won't hurt you".
see:
http://www.microsoft.c om/presspass/press/1999/sept99/rsapr.htm [microsoft.com]
---------------------------------------------
Microsoft Says Speculation About Security and NSA Is "Inaccurate
and Unfounded"
REDMOND, Wash. - Sept. 3, 1999 - Microsoft Corp. said today that
speculation about Microsoft® Windows® security and the U.S. National
Security Agency (NSA) is "inaccurate and unfounded."
In response to speculation by a Canadian cryptography company that
Microsoft had somehow allowed the NSA to hold a "backdoor" key to the
encryption framework in its Windows operating system, Microsoft issued
the following statement:
"This report is inaccurate and unfounded. The key in question is a
Microsoft key. It is maintained and safeguarded by Microsoft, and we
have not shared this key with the NSA or any other party.
"Microsoft takes security very seriously. This speculation is ironic since
Microsoft has consistently opposed the various key escrow proposals
suggested by the government because we don't believe they are good
for consumers, the industry or national security.
"Contrary to this report, the key in question would not allow security
services to be started or stopped without the user's knowledge."
Microsoft said the key is labeled "NSA key" because NSA is the technical
review authority for U.S. export controls, and the key ensures
compliance with U.S. export laws. The company reiterated that
Microsoft has not shared this key with the NSA or any other company or
agency.
Founded in 1975, Microsoft (Nasdaq "MSFT") is the worldwide leader in
software for personal computers. The company offers a wide range of
products and services for business and personal use, each designed with
the mission of making it easier and more enjoyable for people to take
advantage of the full power of personal computing every day.
Microsoft and Windows are either registered trademarks or trademarks of
Microsoft Corp. in the United States and/or other countries.
Other product and company names herein may be trademarks of their
respective owners.
Note to editors: If you are interested in viewing additional information
on Microsoft, please visit the Microsoft Web page at
http://www.microsoft.com/presspass/ on Microsoft's corporate
information pages.
-----------------------------------
Re:Did he SAY they use Unix..? (Score:1)
-Shane Stephens
Re:Still confused (Score:1)
There is a mechanism for key revocation... they can just upgrade the OS. Over time the old key would be increasingly difficult to use despite having been compromised.
Since the keys are cryptographically secure, the most likely scenario is not that the key would be compromised by a hard-crack, but by someone within Microsoft who works with the private key (signing packages) and who decides to give it to someone who asks nicely.
Microsoft would (I imagine) immediately post a service patch which (among other things) removes the old key, and replaces all of the old crypto modules with new ones. The new modules would then work everywhere (even on unpatched machines), but the old modules would only work on old machines, which would gradually become obsolete. Since there isn't any way to force people to accept a certificate revocation, this seems as reasonable a way as any to manage such a problem (at least to me.)
Re:Conspiracy or not (Score:1)
Sorry, but this is just poor logic:
(1) Primary key destroyed by natural disaster-
Why would you store a backup secondary key when you can store a backup COPY of the primary key? Having two keys is more of a security risk - there's TWO access points to hack, instead of just one!
(2) Secondary key used to replace primary key in case of security hack-
How exactly did you want microsoft to switch keys? A THIRD key???? Also, if keys were switched, then no programs implementing the old system would work on new versions of the OS, and no programs implementing the new system would work on old versions of the OS. Finally, assuming there was a security hack, anybody could just obtain an older copy of the OS (and there's plenty around...) to perform their nefarious deeds on.
I'm sorry - it may not be (probably isn't) actually anything to do with the NSA, but SOMETHING stinks to high heaven here.
-Shane Stephens
Re:Still confused (Score:1)
There's still one major flaw in that argument.
Third party crypto modules (signed ones) would immediately stop working. Oops!
-Shane Stephens
Re:You made the laws, now enforce them! (Score:1)
The guy you just rabidly attacked was clearly pointing out the injustness of the law - ever heard of sarcasm? Incedentally, he was also pointing out another interesting fact - that money does buy you out of illegal situations in a "democracy".
In a sense, microsoft HAS broken the law. Sure, they probably did it through complete and utter incompetent stupidity (and who would expect anything less), but remember that ignorance of a law is NOT an excuse for breaking it!
The point is, there is now a widely available operating system which can potentially have extremely strong (128 bit, 256 bit, you name it!) encryption installed on it, and that this OS originated in America.
I'd say that was clearly in contravention of the anti-export of encryption laws. After all, if it wasn't, then why the hell did Microsoft go to all the trouble of providing a signing mechanism in the first place????
Get over your "Oh! Somebody's bashing Microsoft!" reflex action and actually READ the posts, numbnut!!!
-Shane Stephens (yes, I'm not afraid to use MY real name...)
Re:NSA = Initials??? (Score:1)
Re:hmmmm (Score:1)
Mark
Schneier should not attack Microsoft in this way (Score:1)
Those who have observed that Schneier's press release adds little to the discussion are correct - nearly. True, he says nothing that has not already been said several times elsewhere, including a regurgitation of the Microsoft party line and some humorous commentary on the inappropriate name this key received in the debugger.
But he does add something. He adds a snide and technically unjustifiable comment about Microsoft cryptography, implying that it is deficient:
Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd expect out of Microsoft.
This is not the "sort of thing" I'd expect out of Schneier. He behaves as though he has never heard of a Certificate Revocation List. CRL's are fully implemented in Internet Exploder (although for sound connectivity reasons online checking is turned off by default. see Tools|Internet Options|Advanced) CRLs are not only an adequate means of revoking compromised public keys, they are an internet standard.
Schneier's article appears to contribute nothing to this discussion other than an unjustified punch below the belt. I admire the author of Applied Cryptography too much to let this attack pass without voicing my disapproval. Schneier has already made his name. He has nothing to gain from pinching the schoolyard bully and then running away.
-konstant
it wasn't *HIM* who said it (Score:1)
in any event, I agreed with this guy, and was *amazed* at all the people who didn't even really take into consideration what was happening. I mean, they just jumped right on the band wagon. I'd be willing to bet that a lot of the posters didn't even bother to read the story...
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
What if the key were *meant* to be replaced? (Score:1)
a) Several people have commented that it is possible for the key to be replaced and load other "signed" crypto modules.
b)MS cut a deal to enforce signing crypto modules, to enable them to export windows. If NSA wanted to load modules without MS, they'd need a key.
c) People were initially scared that this key would allow NSA to install modules on their machine.
d) The keys are actually used to verify crypo before loading, if it passes the signature, it'a trusted and will be used.
Would the NSA not be equally scared of someone signing a crypto module and getting it loaded and trusted on their machine? Now think, windows is exported worldwide, and if this article is correct, then so is the NSA public key. How likely is that? (Hint: which is easier to detect, a online hacker trying to logon directly, or a remote hacker cracking your
So, what if this key was just inserted as a "placeholder" and within NSA, there is a "hardening" program which replaces the placeholder with their own. This could explain
a) That MS would indeed have access to the second key (ie the "backup")
b) That NSA do load crypto signed by themselves
c) Why it was called an obvious name, as it was meant to be replaced later.
Fun to think about, eh?
--
Re:Are they really advanced? (Score:2)
Only a guess, though. The NSA knows, but they aren't telling.
Could be in a smart card (Score:1)
This is all speculation, but it seems to me that the smart way for a company to do something like this is to use a smart card. That way nobody knows the private key -- it's stored in the tamper-proof card. You don't have to worry about an employee (or NSA spook) stealing a look at the key someday. It can't be copied.
If done with a smart card, you have to physically possess the smart card to sign anything (it has an onboard processor you feed data blocks to). My guess is that Microsoft keeps the main smart card locked up on their campus and the backup smart card locked away in a bank vault somewhere.
OK, my hunch: (Score:2)
This is a trial balloon for a new geopolitics: it says in BIG RED LETTERS, "hands off Microsoft, USA". It's not a message for America- it is a message for the rest of the world. "Look! Unless something is done, the worldwide monopoly on computers and communications will be a tool of the USA! Wouldn't you rather it was just a worldwide monopoly beholden to nobody, with no loyalties at all?"
I must say I've been expecting this: I've been certain for some time that MS had no loyalty to the USA at all, and that they would find a way to cut the apron strings. It's typically ruthless MS marketing that the way turns out to be casting fear, uncertainty and doubt at the NSA by a childishly transparent ploy. Nothing that I've ever heard about the NSA suggests that they would tell MS to build in a key for them, allow it to be named 'NSAKEY', not _check_ to see if MS did it right etc etc etc. That's ludicrous- competent or incompetent they are too _paranoid_ to allow themselves to be betrayed that stupid way, therefore it's not them (and they probably have YA-key that nobody knows about, knowing them).
Since it's not the NSA which laid that carefully planted clue, and since it came from somewhere inside Microsoft, the question becomes "Why would Microsoft produce such a clue to cause fear of the NSA?" and I think what with the antitrust case and the blocks against exporting encryption, it should be quite obvious why Microsoft now sees fit to backstab the U.S. Government itself.
Re:Not MS's idea, it was the NSA's idea (Score:1)
There does not seem to be any irrefutable evidence that NSA's intention was to weaken crypto or backdoor Windows in this case, I agree.
Re:Are they really advanced? (Score:1)
2nd) I was under the impression that they simply "overtook" the thinking machine from a seperate corp. claiming it was illegal...not sure where I read that, but oh well, wouldn't be the first time something I've read was inaccurate.
CryptoAPI does not encrypt (Score:2)
It is possible for a "middleware" product like the CryptoAPI to be insecure, but not likely. I still wouldn't trust Microsoft's own encryption modules though (the ones actually CALLED by CryptoAPI). For one thing, a good PRNG to get randomly-distributed keys is VERY hard to write. I just finished writing one because every distributed PRNG that I came across produced predictable keys (meaning that you don't have to brute force all possible keys to break the encryption, just the keys produced by the pseudo-random number generator, which proved not to be so random!). I seriously doubt that Microsoft got the PRNG right, and Bruce Schneier's own "Yarrow" PRNG is perfect proof of that (Bruce has a paper on his site, www.counterpane.com [counterpane.com], detailing attacks on a PRNG that will let you crack encryption in MUCH less time than a pure brute-force attack).
-E
Mcrosoft's Key (Score:1)
Don't forget Without MS's Key, windows can't varify *itself* and the OS won't work at all (at least that's what they've been saying). I'm sure the NSA *could* do somthing to rev-eng windows, and rewrite all that stuff, but it would be a lot less work for them to just work with MS to begin with
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
no, not really. (Score:1)
also, since it would require you to run executing code, even if the 'NSAKEY' weren't there, they could conceivably add it to the system
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
*****CAN'T INSTALLL****** (Score:1)
They keys are only used to verify Stuff already on the system
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
Re:hmmmm (Score:1)
So, please give references to what you are saying.
Still confused (Score:3)
-cpd
maybe (Score:1)
now if it has other maybe , i think that hte keys are there for what ms wants and not what they say
peronaly i dont like the idea of letting ms have any key control in an os. the "back up key" idea was altough thought full it can be used as an exploid , and i dont trust ms enuf to tell me the truth. sorry it is just me being paranoid
Beleiving everything you read. (Score:5)
But the number of people that read it and instantly assumed it was true was astounding. I've had friends ask me out of the blue about it. I've heard of it through mainstream media. I've seen story after story about it.
Most of the the media people still won't admit it was jumping to conclusions. That's what really bothers me. They're mostly sticking to the "well Microsoft says it's false but who can know for sure" lines to cover their own asses (and credibility).
A Wired story [wired.com] says "Questions lingered Friday over whether or not security experts overreacted to a scientist's charge that Microsoft built a backdoor in Windows for a US spy agency to enter". Isn't it fairly clear that they overreacted? Or is this going to happen again the next time?
(If it's a real issue, like the Hotmail thing, then they deserve to get slammed... but come on, let's verify this stuff before we go nuts).
Re:If I were moderating.. (Score:1)
NSA...ther're no dummies (Score:1)
Hmmmm....with Echelon, the NSA would really have no need for a backdoor to Windblows; but then gain; how hard is it to crack Windblows?
The NSA has some of the best crypto/math folks; so you really need to ask yourself if they would leave something so obvious. They are a little more adept than that.
The author's credentials (Score:4)
- Wrote "Applied Cryptography", the best introductory book to the field of cryptography and cryptanalysis;
- Wrote the Blowfish algorithm;
- Wrote with others the Twofish algorithm, one of the finalists of NIST's new Advanced Encryption Standard
There is a lot more. Look around the site...
The following 4 questions are still not answered: (Score:3)
2) 'It's called "NSAKEY" for some dumb reason' - yeah, and the symbol name got stipped off from _all previous shipped Windows releases_ (a couple dozen ones, not including localized versions), while $KEY was not stipped? You got to be kidding. $NSAKEY within a crypto module means only one thing.
3) 'There are just too many smarter things they can do to the unsuspecting masses.' - face it, the Microsoft monopoly is valuable to the signal interception community in this regard: it's everywhere. You will not find a single piece of software more widely installed.
4) What was the deal Microsoft cut with the NSA which (uniquely amongst OS vendors) enables them to ship a Crypto API. Crypto-enabling APIs are explicitly forbidden by US export controls, even if they do not ship strong crypto. What was the 'deal' with the NSA?
Re:Still confused (Score:2)
It's not just for natural disaster. If they need to revoke the original key for any reason (like say it got cracked), then the backup key could be used to verify the replacement key for the original.
Cheers,
ZicoKnows@hotmail.com
Re:NSA...ther're no dummies (Score:1)
You assume from naivite that I don't understand the NSA or Echelon. One comment doesn't mean I'm stupid.
Nonetheless, you're naive if you think that the Feds stop gathering data (in any fashion they want because there's a law.) They just can't use that stuff in court; but they do use it to focus the investigation.
I'll bet all those guys just shiver in their boots at the thought of using their collection methods in the US......Yeah right/.
Re:hmmmm (Score:1)
Mark
Re:The following 4 questions are still not answere (Score:1)
Only one thing? Those of us who don't jump immediately into paranoia mode can picture M$ engineers, having to name the thing, laughing their asses off when they realize what will happen when conspiracy junkies see the name and using it as a gag.
There are other, even goofier possibilities, not to mention the quite reasonable ones brought up on NTBugTraq.
Re:It's (not) the NSA (Stupid!) (Score:1)
Believe me, his criticism is justified (Score:3)
The purpose of the CryptoAPI was to enforce U.S. export controls. The failover to the second key, which can be poked with your own public key (as described in his earlier Crypto-Gram article), means that this mechanism is broke broke BROKE. Like so much else in MS's crypto suite. Sigh.
Read his Yarrow paper and you'll get the context for his comment that it's easier to attack MS's PRNG (pseudo-random number generator) than it is to attack their encryption directly.
-E
Dumb Mistakes (eg. the atom bomb) (Score:3)
People are careless, dumb and vain: one of the reasons security through obscurity is a bad idea.
Microsoft haven't produced a credible account. (Score:2)
All they say is "in case the first key is destroyed". To which we all say "so why not take a backup"? And after that, it's all *sheer speculation* on our parts about what their actual reasons are, for example about whether they mean "compromise" rather than "destruction" (hint: volcanoes don't compromise keys) or whether there's some other need that backups wouldn't meet. It's speculation because Microsoft haven't told us. All I know is:
* Microsoft have not come up with a believable explanation of why there are two keys, either of which can validate a CSP
* And *neither has anyone else*, not Bruce Schneier, not Markus Kuhn, not any of the people on the mailing lists I'm on. No-one has suggested anything that would make this an even vaguely sensible way to do things, let alone a way past an NSA security review.
Frankly, if I hear a non-fishy explanation for this I'll be quite likely to believe it - it's true about Microsoft's historical stance in favour of strong crypto, even though the whole CryptoAPI signing thing rather goes against that in the first place. Until such an explanation surfaces, though, there's no reason at all to let Microsoft off the hook on this one.
--
This does not resemble a CRL system. (Score:2)
Schneier's analysis is quite accurate.
--
Here's a better explanation: (Score:5)
From: Markus Kuhn
Subject: Re: NSA key in MSFT Crypto API
The actual funny story behind the presence of the NSA key has been
seriously misunderstood here. CSP verification keys have only one *real*
purpose: They are intended to enforce the US export restriction
requirement that Microsoft is not allowed to ship software abroad that
can easily be extended with strong cryptography. They are certainly not
intended as any useful form of integrity protection for your system.
The NSA got their own CSP verification key, because they want to be able
to change their own secret US government CSPs required for the handling
of classified documents, without having to go to Microsoft each time to
get a signature for an NSA CSP update. Fair enough. So Microsoft built
in a second verification key such that the NSA can produce and install
on DoD PCs their own CSPs without requiring any Microsoft involvement.
The real funny part is that Microsoft did not protect the NSA key
particularly well, such that everyone can easily replace the NSA key
particularly well, such that everyone can easily replace the NSA key
easily with his own key. This was reported by Nicko van Someren at the
Crypto'98 rump session. This means that everyone can now easily install
his own CSPs with arbitrarily strong cryptography. This means that the
NSA's demand to get quickly a second key added led in effect to the easy
international availability of strong encryption CSPs. My guess is that
this is Microsoft's sweet revenge against the NSA for creating all these
Export hassles (e.g., the requirement that CSPs be signed) in the first
place. It backfired nicely against the NSA.
All this has nothing to do with an NSA backdoor, because the CSP keys
are an export enforcement tool and not an integrity protection tool.
They do not protect all parts of the system that could be compromised by
someone who wants to install some eavesdropping malware. The CSP
verification keys only authenticate that no cryptography that violates
export laws has been installed. If you are worried about the NSA
installing malicious software on your PC, you should not rely on the CSP
verification keys (which were never designed for that purpose anyway),
but on virus scanners with tripwire functionality that report any
modifications to your DLLs. There is no digital signature functionality
required to implement these, simple secure hash algorithms will
perfectly do.
Please apply a bit of simple critical thinking here:
If the NSA wanted to have real backdoor functionality, they would much
more likely simply steal Microsofts own keys instead of embedding
additional keys with an obvious symbol name. Remember: The NSA is the
world's largest key thief. They have stolen crypto variables from
well-protected military and government agencies from all over the world
using the usual repertoire of techniques (bribery, extortion,
eavesdropping, hacking, infiltration, etc.). If they can do it with
eastern military agencies, they can most certainly also do it easily
with Microsoft, which is orders of magnitudes less well protected than
the usual NSA target. If there is a real NSA backdoor key in Windows,
that it would certainly be identical to Microsoft's own key.
Markus
Re:Still confused (Score:2)
Re:SPOILER! (code solution) (Score:2)
"Enjoy the book"
Took me about 20 mins to figure it out.
Very cool.
Re:Here's a better explanation: (Score:2)
Crypto'98 rump session.
Markus Kuhn was cited in a news-posting I read, and he mentioned the ncipher [ncipher.com], who apparantly used this trick before to get their strong encryption (hardware!) into the windows api. One of their founders is said Nicko van Someren.