Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Announces 'Windows 10 China Government Edition', Lets Country Use Its Own Encryption (windows.com)

Posted by msmash on from the for-china dept.

At an event in China on Tuesday, Microsoft announced yet another new version of Windows 10. Called Windows 10 China Government Edition, the new edition is meant to be used by the Chinese government and state-owned enterprises, ending a standoff over the operating system by meeting the government's requests for increased security and data control. In a blog post, Windows chief Terry Myerson writes: The Windows 10 China Government Edition is based on Windows 10 Enterprise Edition, which already includes many of the security, identity, deployment, and manageability features governments and enterprises need. The China Government Edition will use these manageability features to remove features that are not needed by Chinese government employees like OneDrive, to manage all telemetry and updates, and to enable the government to use its own encryption algorithms within its computer systems.

15 of 108 comments (clear)

  1. Windows 10, as it should have been. by Anonymous Coward · · Score: 5, Insightful

    Controlled updates, managing all telemetry, and rolling your own encryption? Where can I buy this magical product?!?

    1. Re:Windows 10, as it should have been. by Opportunist · · Score: 3, Interesting

      Or we could just *snicker* pirate a Chinese version.

      Oh the ironing!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Can I have a copy. by Anonymous Coward · · Score: 5, Funny

    "remove features that are not needed by Chinese government employees like OneDrive, to manage all telemetry and updates"

    Excellent! Where can I get a copy?

    1. Re:Can I have a copy. by Anonymous Coward · · Score: 4, Insightful

      Sure they do, but the market for your data is much better. Also, people bitch a lot but they keep buying Windows, so why would Microsoft care what their users think?

  3. Meanwhile by kkoo · · Score: 5, Insightful

    Everyone else continues to use Microsoft Windows 10 US Government Edition.

  4. Re:Business as usual by jellomizer · · Score: 4, Interesting

    But who is the totalitarian government? China or the United States?
    Being that the world is recovering for a wide spread ransom ware attack caused from an long time "unpatched flaw" used by the United States National Security Agency. It would make sense for a government such as China to try to protect its data with its own "security measures".

    I am not being naive in not bringing up that China will probably have an encryption algorithm with a back door so the government can weed out subversives. However chances our our counties being the United States, United Kingdom, Canada, Germany, France... Are not agencies of good and riotous, but have a complex set of national needs to protect order.

    While I am sure profit was Microsoft big factor, however there is also a general global self interests to make sure the world stays up to date in software. Being that Windows is so dominate world wide not caving in for this case, would mean China would use outdated hacked versions of Windows, with their spying happening anyways. At least with Microsoft having some control, the fact that the Chinese Windows 10 has Government Encryption will let subversives to know what not to use.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  5. Re:Enable The Government To Use Its Own Encryption by James+McGuigan · · Score: 4, Interesting

    "enable the government to use its own encryption algorithms"

    This would either imply one of two things (or both):

    1. The Chinese Government wants to install encryption backdoors in its own systems, to prevent employees from keeping secrets from it.

    2. The Chinese Government is worried that the US government has installed encryption backdoors in the standard algorithms and wants to enable its employees to keep secrets from the US government

  6. Re: Enable The Government To Use Its Own Encryptio by AvitarX · · Score: 3, Interesting

    Could be both.

    Fear of US back doors, wants Chinese back doors.

    I suspect though that it will end up being less secure wither way. Less tested for attack however they implement it.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  7. Re: chinese government by Miamicanes · · Score: 4, Interesting

    > It's funny that people don't realize that

    > MS's holds the master encryption key,

    > which they'll happily share with whomever pays the most ... or any court that orders them to.

      That said, Microsoft has UNQUESTIONABLY taken steps to limit the scope of any one court's or government's ability to compromise that master key by using it to encrypt sub-keys used to encrypt sub-sub-keys used to encrypt the *actual* key they'd have to reveal.

    Example: a new installation of Windows generates a 256-bit salt (probably derived from the license key or GUID) & stores it locally, then communicates it to Microsoft (who also discerns the country). Microsoft computes the sha256 hash of that salt plus their own sub-sub-key, then repeats it a million times with the output of the previous hash in place of their sub-sub-key. They then communicate the final hash back to the newly-installed Windows, which securely stores a copy & uses IT as its master key going forward. If a future court demands the key, MS obtains the salt from the computer in question, re-derives the key, and shares THAT with the court. Salt unobtainable? Mathematically-impossible to re-derive the key in any sane amount of time. Key revealed? The court can now decrypt THAT computer, but no other. If push came to shove, Microsoft shares the sub-sub-key(s) for that jurisdiction plus the algorithm, and tells them to have fun.

    The important point: the master key ITSELF is stored in pieces distributed across multiple jurisdictions, INCLUDING Russia and China... the likelihood that they'd ever act in union is approximately zero. So the US might be able to compel Microsoft to disclose their "US" sub-key(s), and the pieces of the master key that US courts can order the disclosure of, but it would NEVER be able to obtain the complete global master key.

    It sounds like in this case, Microsoft has basically generated a new master key for the China-Government edition, delegated responsibility for its safeguarding to China, and washed its hands. It has no implications for non-Chinese users, unless you're using a pirated Chinese-Government copy (which, in all likelihood, will have so much malware added by whomever made the pirated copy available, the theoretical ability of China's government to decrypt it would be the LEAST of your real-world problems).

  8. Totalitarianism by XXongo · · Score: 4, Insightful

    I have to remind you that "totalitarianism" is not a synonym for "a government I don't like", nor even "a government that does despicable things."

    It is "a system of government that is centralized and dictatorial and requires complete subservience to the state."

    The US does not (yet) assert total control over its citizens, although some political factions might like to go in that direction.

    1. Re:Totalitarianism by nomadic · · Score: 3, Interesting

      Interestingly, China used to be a totalitarian state but I think they've moved over into the authoritarian state category.

  9. this should be a clear message to ALL of us by evolutionary · · Score: 4, Insightful

    Okay, if the Chinese Government required a special version of this Windows to run in their country, then something stinks about it. Like the data collection and invasive controls that windows 10 possessed from the get go. Doctors, Lawyers, Accountants or virtually anyone handling confidential information need to be paying attention. The very use of Windows 10 in their work violates client/patient confidentiality. (as it sends file header + other potential information possibly not revealed yet) to MS and from their to the US Government. IIn the movie "Bridge of Spies" I remember Hank's line to the CIA agent "We are not having this conversation" concerning a spy he was representing.

    People may brush this off in the USA but countries in other countries potentially doing international business, scientific research, or many other things may not their information going to a foreign power. We weren't exactly thrilled when NASA emails wound up being copied to China with a simple DNS availability message boost (we have since corrected, THAT was scary). Windows 10 is and has always been a trojan in it's very conception and we all need to say "No". Windows 7 or Linux, possibly Apple (but I'm not sure I trust them with their iron grip policies particularly on their Iphones) are perfectly user friend/usable solutions.

    Those In the Medical profession, I know many hospitals/doctors are stuck with Windows-only drivers/software packages but the medical industry is going to have to make some serious choices: either publicly tell the world their information will go the US Government/Microsoft (for possibly sale) or the medical community will have to demand drivers//software versions that are Linux or Mac compatible. Some are staying on Widows 7 for this reason, but MS had is trying to pressure everyone to go to Windows 10 either by withholding critical updates (they did patch XP for the NSA contributed ransomware so clearly some mandates there) or possibly through other means. (remember, they did start by force feeding which got a public stick) There could even be legal implications for lawyers and medical professions that could be violated here. Hopefully we'll start getting the message soon. It's becoming a not so brave new world.

    --
    "Imagination is more important than knowledge" - Einstein
  10. Re:Business as usual by cryptizard · · Score: 4, Insightful

    Also read about the first 6 rounds of AES which were "solved" by someone. If the first 6 rounds have been broken, the rest isn't far off.

    Terrible leap of logic here. There are lots of things that are easy for the first few iterations and then grow exponentially in difficulty. Take this anecdote about Ramsey numbers for instance:

    Erdos asks us to imagine an alien force, vastly more powerful than us, landing on Earth and demanding the value of R(5, 5) or they will destroy our planet. In that case, he claims, we should marshal all our computers and all our mathematicians and attempt to find the value. But suppose, instead, that they ask for R(6, 6). In that case, he believes, we should attempt to destroy the aliens.

    Moreover, the attacks you are referencing are only theoretical attacks that reduce the complexity of breaking AES from 2^128 to 2^100, still far out of reach for existing technology. They also require a very cumbersome security model where the attacker gets to observer ciphertexts encrypted under several keys that are mathematically related to the target key. This does not happen in real life.

    About this:

    It was designed weak with a large keyspace that intentionally produces weak keys if selected at random. Only a small subset of the keyspace has strong security.

    This is complete nonsense. No one has ever discovered weak keys in AES.

  11. Re:Business as usual by cryptizard · · Score: 3, Informative

    I agree that there is nothing wrong with AES, but there is also nothing wrong with wanting to use your own encryption if you are the Chinese government. They have their own extremely qualified cryptographers, we are not talking about some guy in his basement coming up with his own block cipher. If the situations were reversed and the Chinese government had invented and standardized AES, there is no way the US government would use it even if every academic in the world said it was secure.

    The Chinese block cipher is called SM4 and its algorithm is publicly available. It is a pretty standard Feistel construction, if it is truly vulnerable then people will discover that and then everyone will know. That is how science works.

  12. Re:Business as usual by TechyImmigrant · · Score: 3, Informative

    What makes you think this is about AES and what makes you think the algorithms that China wants to use are not superior to the NIST options?

    In the case of hashes, the Chinese options are simply better both in terms of resistance to known attacks and implementability and come courtesy of the professor who broke SHA-1, who is Chinese.

    NIST fucked up royally with SHA3, putting it up to a popularity vote. The Europeans turned up at the meeting in strength and voted for the home team. It had nothing to do with the algorithm. Hence the adoption of SHA3 in hardware is going nowhere. We wanted a new hash, not a license to waste gates and power.

    There was an interesting dynamic at ISO SC27 WG2 a couple of years ago, where the Chinese (literally, the proposals come from nation state delegates) hash proposal was presented, along with a proof of why all the SHA were fucked and why the new structure dealt with it. At the same meeting, the NSA were there presenting Simon and Speck block ciphers for adoption by ISO (which are superb ciphers from any way you look at it, far superior to AES or SMS4 in implementability and at least as secure in security). The crows were having none of it. All comments were of the form "You're the NSA and we don't trust you". Keep in mind the comments are coming from representatives of governments. not individuals. I am not a US citizen, but I was a US delegate.

    China has a legitimate reason to dislike some of the NIST crypto options and legitimate reasons to prefer their own.

    If this was open source people would be happy that you could use your own choice of crypto algorithms. Microsoft would be better off making the crypto plugable in windows for the rest of us, not just the Chinese government.
     

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.