Microsoft Announces 'Windows 10 China Government Edition', Lets Country Use Its Own Encryption

At an event in China on Tuesday, Microsoft announced yet another new version of Windows 10. Called Windows 10 China Government Edition, the new edition is meant to be used by the Chinese government and state-owned enterprises, ending a standoff over the operating system by meeting the government's requests for increased security and data control. In a blog post, Windows chief Terry Myerson writes: The Windows 10 China Government Edition is based on Windows 10 Enterprise Edition, which already includes many of the security, identity, deployment, and manageability features governments and enterprises need. The China Government Edition will use these manageability features to remove features that are not needed by Chinese government employees like OneDrive, to manage all telemetry and updates, and to enable the government to use its own encryption algorithms within its computer systems.

Windows 10, as it should have been.

Controlled updates, managing all telemetry, and rolling your own encryption? Where can I buy this magical product?!?

Can I have a copy.

"remove features that are not needed by Chinese government employees like OneDrive, to manage all telemetry and updates"

Excellent! Where can I get a copy?

Re:Can I have a copy.

Sure they do, but the market for your data is much better. Also, people bitch a lot but they keep buying Windows, so why would Microsoft care what their users think?

Meanwhile

[kkoo]

Everyone else continues to use Microsoft Windows 10 US Government Edition.

Re:Business as usual

[jellomizer]

But who is the totalitarian government? China or the United States?
Being that the world is recovering for a wide spread ransom ware attack caused from an long time "unpatched flaw" used by the United States National Security Agency. It would make sense for a government such as China to try to protect its data with its own "security measures".

I am not being naive in not bringing up that China will probably have an encryption algorithm with a back door so the government can weed out subversives. However chances our our counties being the United States, United Kingdom, Canada, Germany, France... Are not agencies of good and riotous, but have a complex set of national needs to protect order.

While I am sure profit was Microsoft big factor, however there is also a general global self interests to make sure the world stays up to date in software. Being that Windows is so dominate world wide not caving in for this case, would mean China would use outdated hacked versions of Windows, with their spying happening anyways. At least with Microsoft having some control, the fact that the Chinese Windows 10 has Government Encryption will let subversives to know what not to use.

Re:Enable The Government To Use Its Own Encryption

[James+McGuigan]

"enable the government to use its own encryption algorithms"

This would either imply one of two things (or both):

1. The Chinese Government wants to install encryption backdoors in its own systems, to prevent employees from keeping secrets from it.

2. The Chinese Government is worried that the US government has installed encryption backdoors in the standard algorithms and wants to enable its employees to keep secrets from the US government

Re: chinese government

[Miamicanes]

> It's funny that people don't realize that

> MS's holds the master encryption key,

> which they'll happily share with whomever pays the most ... or any court that orders them to.

  That said, Microsoft has UNQUESTIONABLY taken steps to limit the scope of any one court's or government's ability to compromise that master key by using it to encrypt sub-keys used to encrypt sub-sub-keys used to encrypt the *actual* key they'd have to reveal.

Example: a new installation of Windows generates a 256-bit salt (probably derived from the license key or GUID) & stores it locally, then communicates it to Microsoft (who also discerns the country). Microsoft computes the sha256 hash of that salt plus their own sub-sub-key, then repeats it a million times with the output of the previous hash in place of their sub-sub-key. They then communicate the final hash back to the newly-installed Windows, which securely stores a copy & uses IT as its master key going forward. If a future court demands the key, MS obtains the salt from the computer in question, re-derives the key, and shares THAT with the court. Salt unobtainable? Mathematically-impossible to re-derive the key in any sane amount of time. Key revealed? The court can now decrypt THAT computer, but no other. If push came to shove, Microsoft shares the sub-sub-key(s) for that jurisdiction plus the algorithm, and tells them to have fun.

The important point: the master key ITSELF is stored in pieces distributed across multiple jurisdictions, INCLUDING Russia and China... the likelihood that they'd ever act in union is approximately zero. So the US might be able to compel Microsoft to disclose their "US" sub-key(s), and the pieces of the master key that US courts can order the disclosure of, but it would NEVER be able to obtain the complete global master key.

It sounds like in this case, Microsoft has basically generated a new master key for the China-Government edition, delegated responsibility for its safeguarding to China, and washed its hands. It has no implications for non-Chinese users, unless you're using a pirated Chinese-Government copy (which, in all likelihood, will have so much malware added by whomever made the pirated copy available, the theoretical ability of China's government to decrypt it would be the LEAST of your real-world problems).

Totalitarianism

[XXongo]

I have to remind you that "totalitarianism" is not a synonym for "a government I don't like", nor even "a government that does despicable things."

It is "a system of government that is centralized and dictatorial and requires complete subservience to the state."

The US does not (yet) assert total control over its citizens, although some political factions might like to go in that direction.

this should be a clear message to ALL of us

[evolutionary]

Okay, if the Chinese Government required a special version of this Windows to run in their country, then something stinks about it. Like the data collection and invasive controls that windows 10 possessed from the get go. Doctors, Lawyers, Accountants or virtually anyone handling confidential information need to be paying attention. The very use of Windows 10 in their work violates client/patient confidentiality. (as it sends file header + other potential information possibly not revealed yet) to MS and from their to the US Government. IIn the movie "Bridge of Spies" I remember Hank's line to the CIA agent "We are not having this conversation" concerning a spy he was representing.

People may brush this off in the USA but countries in other countries potentially doing international business, scientific research, or many other things may not their information going to a foreign power. We weren't exactly thrilled when NASA emails wound up being copied to China with a simple DNS availability message boost (we have since corrected, THAT was scary). Windows 10 is and has always been a trojan in it's very conception and we all need to say "No". Windows 7 or Linux, possibly Apple (but I'm not sure I trust them with their iron grip policies particularly on their Iphones) are perfectly user friend/usable solutions.

Those In the Medical profession, I know many hospitals/doctors are stuck with Windows-only drivers/software packages but the medical industry is going to have to make some serious choices: either publicly tell the world their information will go the US Government/Microsoft (for possibly sale) or the medical community will have to demand drivers//software versions that are Linux or Mac compatible. Some are staying on Widows 7 for this reason, but MS had is trying to pressure everyone to go to Windows 10 either by withholding critical updates (they did patch XP for the NSA contributed ransomware so clearly some mandates there) or possibly through other means. (remember, they did start by force feeding which got a public stick) There could even be legal implications for lawyers and medical professions that could be violated here. Hopefully we'll start getting the message soon. It's becoming a not so brave new world.

Re:Business as usual

[cryptizard]

Also read about the first 6 rounds of AES which were "solved" by someone. If the first 6 rounds have been broken, the rest isn't far off.

Terrible leap of logic here. There are lots of things that are easy for the first few iterations and then grow exponentially in difficulty. Take this anecdote about Ramsey numbers for instance:

Erdos asks us to imagine an alien force, vastly more powerful than us, landing on Earth and demanding the value of R(5, 5) or they will destroy our planet. In that case, he claims, we should marshal all our computers and all our mathematicians and attempt to find the value. But suppose, instead, that they ask for R(6, 6). In that case, he believes, we should attempt to destroy the aliens.

Moreover, the attacks you are referencing are only theoretical attacks that reduce the complexity of breaking AES from 2^128 to 2^100, still far out of reach for existing technology. They also require a very cumbersome security model where the attacker gets to observer ciphertexts encrypted under several keys that are mathematically related to the target key. This does not happen in real life.

About this:

It was designed weak with a large keyspace that intentionally produces weak keys if selected at random. Only a small subset of the keyspace has strong security.

This is complete nonsense. No one has ever discovered weak keys in AES.