MS response to NSA key backdoor in Windows

CitizenC writes "Microsoft has responded to the report of the allegations of leaving a backdoor in all of its products for the NSA. "

Re:NSA Key "unfortunate naming"

[sjames]

Either their explaination is a lie or they're dumber than I thought. Think about it...

If you're worried that you might loose your car keys, do you install a special lock and have two different keys, or do you just have a duplicate key made?

Stupid MS web server has bugs again...

[newt]

What I get when I follow the link in the slashdot article:

Microsoft VBScript runtime error '800a000d'

Type mismatch: 'CInt'

/security/inc/scripts.txt, line 279

Great. Enterprise-class reliability, huh?

-----

Re:Problems in M$ statement

[G27+Radio]

hmm, it sounds to me like they're saying "Yes, the keys exist, but No, M$ isn't going to give it to the NSA."

Does Microsoft have a choice if the NSA requires them to give up a key?

Something still stinks...

numb

Re:Problems in M$ statement

[sjames]

Considering that it's easy to just hexedit a new key in, that makes little sense. Besides that, you couldn't effectively revoke the old key since a great deal of crypto modules would depend on it, and the users would likely just ignore the 'upgrade'

Re:seems to me they admit it

[swann]

from the microsoft page:

http://www.microsoft.com/security -->

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Re:Once and for all - not a back door.

[Mike+Hicks]

Well, yes, this means that there are two keys that you can use to sign things (and three in Win2k). However, why Microsoft would need more than one is beyond me.. For that reason, I would call it a backdoor. (Not that the normal system appears to be very safe anyway..)

I don't know if the so-called "NSA key" has actually been supplied to the NSA, or even if Microsoft takes much care to look after it. Unfortunately, each key that Microsoft adds will make their operating systems less secure..

Re:Backup key? -- With proper procedures

[SEWilco]

The primary keys can be copied to backup locations with several methods. The first step is the one which Coca-Cola is known for: Break the secret into pieces and store the pieces separately.

If each backup of the key is in eight pieces and in eight different places, there is a backup but stealing the backup is much more difficult. Proper procedures would involve a variety of protections, such as banks with no corporate relationships, vaults of different types, and differing attack types required. For example, a key piece inside a clear jar embedded in plastic hanging from the ceiling of the lobby of Microsoft headquarters would require a different theft method than the key pieces in safety deposit boxes, or the key piece tattooed on a director.

A key can be backed up in ways which make it difficult to reassemble, but the key can still be secure while it is backed up. Particularly if the backups were also encrypted so a piece is even less useful...and the key for the backups does not need as much security as the backups themselves so one does not have to repeat this process ad infinitum.

Re:Followup

[Hawke]

Time for the court order to open the source! The truth is in there...

Nope. The source will just tell you what we already knew:

• There are two keys that can verify crypto modules
• One of them includes the three letters "NSA" in the variable name

To find out why there are two keys we would need to ask the people responsible. The answer to that is not going to be in the source. (Maybe a comment might have the answer to that question, but in my experience things like that generally are not commented.)

Someone later down said that MS must be hiding things if they stripped out the variable names. Well, if I may use hyperbole to make my point, All commercial releases of everything strip out all variable names! The weird thing is that they forgot to on one service pack, not that they did before.

let's think it through, people

[wmeyer]

If MS has placed one or more backdoor entrances in Windows, whether for themselves or for NSA, can we really expect them to give a straight answer in public about that is clearly a matter of security?

Of course they deny it. If they acknowledged placing such keys, they would embarass themselves and the NSA (and would then have to concoct some new scheme for the future.)

By definition, public statements regarding security issues are suspect.

Re:Problems in M$ statement

[norton_I]

But if you overwrite the NSA_KEY with a key of your choosing, you can then insert cryptographic modules signed using *that key* into WinX, and use strong crypto not authorized by MS (ie, outside the US)

Re:An Honest Question

[norton_I]

Well, Windows Domain Controllers use password encryption. If you managed to insert a bogus crypto module for that mechanism, you could probably hack into any machine on the network.

Can it be broken?

[looking]

NSA key or no NSA key, Microsoft and it's customers would want to be worried if the key could be cracked. Could it be done? Perhaps distributed.net style?

Very interesting

[wampus]

The following is a cut-n-paste of MS's response

---
Microsoft VBScript runtime error '800a000d'

Type mismatch: 'CInt'

/security/inc/scripts.txt, line 279
---

I don't know how anyone could argue with THAT.

Re:Very interesting

[Tony-A]

So True. The nerds that don't hate MS are using Linux, *BSD, etc. Those lucky nerds can ignore MS. The nerds that hate MS are using NT or even worse 95/98.

Re:Very interesting

[darquraven]

I certainly agree. That's the most compelling thing I've read all day!

Re:Very interesting

[dattaway]

Nice response to a security problem. It looks like obscurity to me.

Re:Very interesting

[Ludd+Kilken]

I assume you use Lynx. microsoft.com/security is built not to work with Lynx. Netscape will do it but it might require a reload. I assume MSIE works perfectly. This pisses me off. >:P

Could someone be a dear and post this page to slashdot?

Re:Very interesting

[Twigg]

Not the Internet Explorer that ships with NT4; IE2 can't pull up _any_ pages inside the Microsoft domain. This is just pure incompetence; this is all _server-side_ and there's no reason why it should matter what browser you're using. I mean, shouldn't you have a default case in your if-then-elses that catches the _other_ browsers and sends back normal HTML? Hmph. MS has some really clueless web coders working for them; I've met a few.

Re:Backup key? -- No, really, they are right

[norton_I]

But, if one key is compromized, MS can authorize a patch to replace all modules with ones signed by the other key, and remove or replace the compromized key. Assuming the bad guys don't get to you first...

Re:Problems in M$ statement

[ocie]

anyone with any sense keeps something as sensitive as a key for 80m machines in a tamperproof hardware device

I would even go further and say that the computer with this key is not only tamper proof, but has no way to get the key in or out of it. Imagine that you have a computer that will cryptographically sign whatever data you send to it over a serial line. It could also be prompted for its public key, and would return this to you, but under no circumstances would it divulge the private key.

This means no backup, no restore. When the system arrives, you plug it in and it uses some internally shielded noise source to generate its key. Any attempt to physically remove this key would result in the system clearing this memory.

NSA Key "unfortunate naming"

[the_tsi]

I'll buy that. I dislike MS as much as the next guy, but look at the other acronyms they use and how they conflict with other organizations/standards/etc. I had a suspicion of this when the article was first posted. Of course, there IS no way to determine if they're telling the truth or not... :)

-Chris

Re:NSA Key "unfortunate naming"

[sjames]

If MS used only one key, it would be impossible to change it when it was compromised, but with two, you could use one to change the other.

But as the press release pointed out, it is possable for anyone to change the key now. They gained nothing from two keys, but they enabled the installation of any unapproved crypto. All the installer needs to do is quietly patch over the second key. If there were only one key, it would be much harder.

Of course there is the maxim: "Never attribute to malice what can be explained by stupidity". In the case of MS and US govt. I can certainly buy the stupidity arguement.

Re:NSA Key "unfortunate naming"

[miscellaneous]

But if that's Microsoft's reasoning, then why didn't they say that, instead? And since they didn't say it, doesn't it seem somewhat less likely that that is their reason?

Re:NSA Key "unfortunate naming"

[MindStalker]

Of course, there IS no way to determine if they're telling the truth or not... :)
Well sure there is, if we could reverse engineer it back to source code, put out own key in it, recompile, then try to break in using that key. Only problem is the legallity of such an action, not the mention the difficulty in successfully recompling it. It would still be arguable either way afterwards.

Re:NSA Key "unfortunate naming"

[kevlar]

Why reverse engineer it and insert your own key, when you could have a distributed.net project to brute force the original public key?

Re:NSA Key "unfortunate naming"

[mwillis]

Rather than recompile - just hexedit the NSAKEY to something of your choosing. I think the Cryptonym folks refer to this as "removing the NSA".

Re:NSA Key "unfortunate naming"

[[l0l]Bobo]

Look at the other acronyms they use and how they conflict with other organizations/standards/etc

You didn't read MS's response. The NSA in "NSA key" actually means National Security Agency. Microsoft did not deny this, in fact they say so themselves. What they're trying to get us to believe is that it is called that way because the second ("backup" as they say) key was required for the NSA to approve the code, but it is not for NSA's use, thus the name. Yeah, right.

Re:Problems in M$ statement

[Zico]

You need a backup (and I believe that the NSA requires it by law) so that if the first key ("key #1") needs to be revoked, you use the backup key to verify the new "key #1" that you receive.

Frankly, I'm seeing a lot of paranoid posts in this thread without a lot of thinking being done. If Microsoft wanted the NSA to have a backdoor, they could just give them a copy of their own private key -- they wouldn't need to write a special new one.

To put a compromised key on someone's system, you need to get administrator/root access. If someone gets administrator/root access on your box, they could do anything they damn well wanted to anyway, so what's the big deal?

Cheers,
ZicoKnows@hotmail.com

Followup

[wampus]

And a followup:
---
The page cannot be displayed

There is a problem with the page you are trying to reach and it cannot be
displayed.


Please try the following:

Click the Refresh button, or try again later.
Open the microsoft.com home page, and then look for links to the
information you
want.

HTTP 500.100 - Internal Server Error - ASP error
Internet Information Services



Technical Information (for support personnel)

Error Type:
Microsoft VBScript runtime (0x800A000D)
Type mismatch: 'CInt'
/security/inc/scripts.txt, line 279

Browser Type:
Mozilla (X11; I; Linux 2.0.32 i586)

Page:
GET /security/bulletins/backdoor.asp

Time:
Sunday, September 05, 1999, 7:45:07 AM

More information:
Microsoft Support
---

Seriously, anyone got a mirror without all the active server bullshit?

Re:Followup

[wilkinsm]

Here is a quick cut and paste of the main frame of the bulletin for you non-asped people. I know that we are not supposed to mirror, but I think of this as more as an "accessibility update". (Sorry, Geocities is slow today)

Personally I bought the idea that perhaps NSA wanted a means to install super-strong encryption into Windows without going through Microsoft. Now I think they are downright lieing. Time for the court order to open the source! The truth is in there...

Re:Followup

[PurpleBob]

Hey! I'm not non-asped! I use Lynx and Netscape about equally, so I'm at least half-asped!
Oh wait, that didn't sound any better.
--

Oooops...

[Simba]

Looks like Word 2000, or whatever the M$ droid used to write that has a few bugs too. (shocking)

"... been suggested by the government, because we because we don't believe..."

Must be one of the Windows programmers... ;-)

Thats just swell

[Roofus]

But they failed to mention whether it was possible to compromise windows security by replacing the backup key with your own. On the other hand, this is the first document I've ever seen from MS that doesn't contain snippets of propaganda everywhere.

Re:Thats just swell

[zyklone]

I don't see how even they could have turned this issue into propaganda but anyway, i still wonder why the key can be overwritten ..
The NSA is probably not to happy about that even if it is their key.

I guess we know it's true

[FascDot+Killed+My+Pr]

Rather than let the truth get out, the NSA used their backdoor key to get in the take down the MS server....

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'CInt'
/security/inc/scripts.txt, line 279

---
Put Hemos through English 101!
"An armed society is a polite society" -- Robert Heinlein

Re:I guess we know it's true

[dattaway]

Anyone have a working mirror of Microsoft's response? Their software seems to not be working.

Re:depends on the meaning of words

[sherms]

What's the allegation?
The report alleges that a cryptographic key that ships as part of the CryptoAPI architecture is labeled "NSA key" and constitutes a "back door" that could be used by government agencies to start or stop system security services on user's computers.

**Note the above comment made by microsoft is very specific. To specific. Were it refers to start and stop security services is deceptive. Whith the key they may have it may totaly bypass the security. Does any one know this for sure?

Thanks Sherm

NDA with the NSA?

[jelle]

We could conclude that they (MS) are telling the truth and we are too suspicious. But then again, maybe not. It has been said that "being paranoid doesn't mean that you're not being followed"...

Possibly, Microsoft can not admit to having installed a backdoor simply because they are required so by law, and/or by a non disclosure agreement.

I know one thing, this smells fishy and just inforces my personal preference for Netscape or even better, open source Mozilla (btw, when will Mozilla finally give us the final gecko)?

Problems in M$ statement

[Cironian]

a) They claim there is a second key so it can be stored at a different physical location for disaster recovery. Why not just make a copy of key #1 for that?

b) If the 'NSAKEY' was really harmless, why did they in previous version remove the symbol for it (but not for the other key)?

Re:Problems in M$ statement

[ocie]

I hadn't even thought of that :) I was tied up in thinking why you couldn't just have a backup. I mean, what if someone stole one of the backup tapes and started releasing signed copies of BO :):):):):)

Re:Problems in M$ statement

[E-Rock]

I agree completely with point B, bad name. As for point A, if these keys will allow nyone with them to compromise system security, as we can see it does with the demo distributed in the original report, it'd be really bad news if someone else got a copy. Therefore I can see why there wouldn't be backups all over the place, also if the key in your version of windows was damaged the backup would prevent you from having to reinstall (always a good thing for me).

As for the NSA, they are evil, sneaky and powerful, so i can't believe Microsoft on this one. But I fully believe that even if the NSA isn't given a copy of the key, they could easily derive it. (PS. That's easily for them, not that it'd be easy to do)

Re:Problems in M$ statement

[Cironian]

You say, you can see why they wouldnt have backups all over the place. But isnt having 'KEY' at M$ and 'NSAKEY' at the secret MS-Vault 99 just as safe/insecure as having 'KEY' at M$ and another copy of 'KEY' at the second location?

Although as easy as it is to hack into MS systems, I suppose the NSA key might rather be for NSA internal usage; that way they could sign crypto modules that they dont want anyone else to see.

Re:Problems in M$ statement

[QuoteMstr]

Perhaps this was implimented by such an agent without the knowledge of his or her superior.

Yes another reason why OSS is better.... peer review. This could never happen without an extroadinary amount of effort on the part of distributors of tained binaries.

Re:Problems in M$ statement

[QuoteMstr]

Why doesn't M$ simply compile a custom version with the NSAKEY for the NSA, then? Why include the NSAKEY is *every* copy of Windows?

Re:Problems in M$ statement

[blogan]

OK, let's say that they are storing the primary key in one place (Which I don't believe). Wouldn't that mean that they are storing the backup key in one place? So two natural disasters would basically stop development of secure software for a majority of the world's computers? Granted, the chances are small, but still large enough considering the consequences.

Re:Problems in M$ statement

[meridian]

>The NSA would want and could get their own special edition. >this functionality would have been publicized. >Completely secret (private special edition) or >completely public (hey, kids, try to break >this!) makes sense, but this intermediate state >does not. I think your missing the point. the idea behind the paranoia is that nsa's public key would be stored on your computer and not be "publisised" as the debug symbols for it were never previously relesased except in only 1 service pack. Only then is it possible to see the name of the key in the first place. While the debug key was previously released for the "first" key not labled as being the NSAKEY (according to a previous post) This means the NSA could potentially encrypt information with their public key stored on your computer and send it back to them so they can decode it with the private key which only they would have. And this could possibly be sent back to ms "somehow" possibly (see information i gathered which was sent by someone to NTBUGTRAQ recently) using something most peiople wouldnt be looking for carefully like multicasting data, which presently is sent out by windows both during windows install and afterwards to MICROSOFT-DS.MCAST.NET. This has also been noticed by others in winnt4 Also if the data being sent out would then be encrypted so you would not know what is being sent. this is obviously at the far realms of paranoia but jiust because you/i am paranoid does not mean that it is not warranted meridian me@tha.net

Re:Problems in M$ statement

[um...+Lucas]

SORRY - I posted this the other day, but it seems appropriate to repost:
------------------------------------------------ --

PREFACE THIS WHOLE STATMENT WITH: "If the key does belong to the NSA..."

It is probably due to laziness on Microsofts part, or due to their marketing drones... I seem to recall the same thing occuring a few years back with Lotus Notes... The domestic version used 64-bit keys, while the "for export" version used 40-bit keys plus a 24-bit NSA key... The end result being that anyone interested in the data would face a 64-bit key (probably considered unbreakable a few years ago) while the NSA would only need to crack a 40 bit key (been breakable for quite a while)... This only applied to the exported versions, though.

Microsoft, in their marketing wisdom, probably chose not to have a domestic version and an exportable version, so as not to taint buyers of the exportable version with notion that it had easily defeated security. Therefore, they kept quiet about it, and did what Lotus did, but for their entire product line rather than just the part that was destined for sale outside the US...

I'd be much more angry with MSFT than the NSA... It's their (NSA's) job to collect information and spy, it's up to the people, businesses, and our gov't reps to try to

Re:Problems in M$ statement

[os10000]

on sci.crypt was a message saying that anyone with
any sense keeps something as sensitive as a key
for 80m machines in a tamperproof hardware device.
Thus, if you got an earthquake or thunderstorm,
that device might interpret the environmental
factors as an attempt at breaking it and respond
by self-destructing. This would explain why a key
could get lost. I do agree, however, that they
could stick the same key into two such devices.
Also, I would not overwrite the NSA key with junk, but rather with the first key.

Re:Problems in M$ statement

[Eric+Smith]

a) They have a second key as a backup, in case the first key would get compromised (such as being published by a pissed off M$ employee for example, or more likely, being cracked by some guys at l0pht :).

Since they don't appear to have a key revocation mechanism, the second key does not serve any useful "backup" purpose relating to a compromise of the first key.

With the second key they could sign some update which installs yet another new key.

Or, with the first key they could sign some update... Again, this doesn't justify the second key as a "backup".

Re:Problems in M$ statement

[_dim]

a) They have a second key as a backup, in case the first key would get compromised (such as being published by a pissed off M$ employee for example, or more likely, being cracked by some guys at l0pht :). With the second key they could sign some update which installs yet another new key.

b) I guess some bozo at M$ just forgot to strip the release executables, nothing more.
--

Conspiracy Theory

[The+Famous+Brett+Wat]

1. For many reasons, Microsoft's excuse looks really lame, so let's assume it's a smokescreen.
2. This being so, the so-called NSAKEY would indeed be a key owned by the NSA.
3. We must then ask why would Microsoft allow the NSA a key and also deny the NSA's involvement?
4. It would seem fair to assume that Microsoft would not assist the NSA without compelling reason.
5. This raises the question as to what that compelling reason might be. Some sort of reward?
6. If we assume that Microsoft's cooperation is motivated by self-interest, what kind of benefit can the NSA offer Microsoft?
7. It is known that intercepted data is sometimes used for purposes of industrial espionage rather than just military intelligence.
8. Microsoft could benefit from spying on the R&D projects of overseas companies, so this is a plausible means of the NSA gaining their favour.
9. This raises the question as to why the NSA would care about Microsoft in the first place.
10. Microsoft's success will lead to an even greater penetration of their products -- products which we assume have at least one NSA-requested feature. It is in the NSA's interests for this software to be widely used.

Based on this line of reasoning, we could paint the following picture of the hypothesised cooperation between Microsoft and the NSA.

1. The NSA benefits by having a widespread piece of software with certain "features" (and a general lack of security anyhow), such that it simplifies their job of further information gathering.
2. Microsoft benefits by receiving industrial espionage data from the NSA with regards to (presumably foreign) companies.

Don't you hope I'm wrong? It's just too sleazy for words.

I don't buy it

[QuoteMstr]

The "we had to create a backup" approach works with a physical, tangible object, but with something as easily copies as a set of bytes, there is no excuse to create a second key. The first key could have been copied as many times as the first and second keys combined.

P.S. It's draconian for the NSA to limit what you could insert into an existing cryptogroaphy framework... even if that module is developed outside of the US! Pathetic.

P.S.S. I would have named such a key "Checkkey", "BackupKey", or something similar. NSAKey is simply too suggestive to even risk putting into a piece of code.

Re:I don't buy it

[mclinc]

True, Why would the 'backup key' survive but not the primary one? Whats more likely is that it will double the time it takes to crack both keys.

And lets face it, its going to be much more fun
cracking these keys cf. the RSA des/RC5 chalenges.

Maybe the bovine lot would care to host such a distributed microsoft attack?

The keys are probberbly copywrite anyway (can you copywrite a key?).

Has anyone extracted the keys, are they plain old des/rc5 or are they something MS/odd?

Re:I don't buy it

[QuoteMstr]

What do you mean, "erase the keys througout the sysetm in one felt[sic] swoop"? rm -rf /? That's always a danger? I'm talking about having this key on multiple systems. Say... bill gate's person supercomputer, his flea's Athlon 650, and, of course, the omnipotent NSA. Creating a different key for each of those systems and hardcoding it into Windows (2k) only serves to reduce the brute-force key difficulty to 1/3 below nominal. That's like creating a version of *n?x that had two roots, "Bob" and "root", both without passwords. If you know one, what difference does it make whether you know the other? If you know both (as M$ does), what difference does it make whether a user hacks out one of them? A user is twice as likely to guess either "Bob" or "root" at the login prompt that he is to guess "root" alone, anyway. Say, for the sake of argument, M$ only does store two keys, one in Seattle, one in Redmond. Say Redmond is hit by an ICBM which happens to be targetted at the Microsoft building. M$ has now lost key #1. If they have key #2, they can continue to produce CryptoAPI modules. However, if they still have another copy of key #1, there is no difference!

Of course, it would be asinine to store only one copy of each key.

So, in short, having two keys allows:
1. No increase in security or reliability
2. An increased likelyhood of the key being cracked by brute force.

-----

Re:Remember Key Escrow?

[spooky+ghost]

The original [British] government bill on electronic commerce required a third party to hold a key for any encrypted message - ie key escrow. I recall a certain large software company strongly endorsing the proposals...

No matter what it looks like, there isn't a .sig here.

Let's see the SOURCE!!

[QuantumG]

Hey Microsoft, there's one way you can prevent any further accusations, show us the source! If you have nothing to hide then fork up the source to your accusers and say "check it pal, no back door" or are you afraid of what they might find?

Re:Anyone buying this?

[chrisbtoo]

> What grammar issues?

In the sentence "Microsoft does not leave 'back doors' in our products", the word "does" is the third person singular form of the verb "to do", whereas "our" refers to the first person plural.

Well, you did ask.

Re:Oh, so different from HedHat

[Al+Mann]

1) Never implied other firms did not put
broad disclaimers on their sites.
2) Specifically noted that it was a
boilerplate disclaimer.
3) Protecting oneself from random litigation
is reasonable. Making assertions about
how one treats customers and then
stating your assertions have no meaning
is simply amusing.

Re:die ms, die jarjar, just die everyone

[duder]

This dude is asking for trouble- the topic has nothing to do with linux. I would like to see more of his poems(?)/songs though

Re:Backup key? -- With proper procedures

[bogado]

This scheme would be even safer then a backup key.

One could argue that if someone steals one piece of the key, this person would be able to eliminate all keys that don't have that piece from a brute force atack. To solve this, the key owner could create a simetric key to encript the backup key divide it and store it in pieces with the backup key, by doing this it makes harder for a person who steals one piece of the key to get info about the final key. Only when one steals all the pieces he would have the key to decript the backup key.

Since kripto-keys are basicly random numbers a force brute trying to decript onr piece of it would be useless, since the atacker won't have a way to check if the key is decriptet or not.

--
"take the red pill and you stay in wonderland and I'll show you how deep the rabitt hole goes"

Re:People, let's calm down

[JonK]

s/Unix/VMS/g (I think - my sed's a bit rusty)
--
Cheers

Jon

Re:Not exactly so...

[kijiki]

ONE LAST TIME. symmetric and asymmetric key lengths are totally different beasts! a 512bit asymmetric key being cracked says very little about 128bit symmetric key security. Please learn about cryptography, since you KNOW you can't trust companies or the government about it.

Re:Rather sloppy for M$

[Syberghost]

"grammar"

You do realize that it's impossible to write a post criticizing someone else's use of language without misusing language yourself, right?

_NSAKEY?

[schnogg]

Why is it called NSAKEY whynot like WEHATELINUXKEY or something. Besides if the NSA reviews it for compliance, doesnt that mean that they have it?

Re:_NSAKEY?

[jflynn]

According to MS's story, they reviewed the software and requested a backup key be added. No one says if they reviewed it again after it was added. I suspect if they had, they would have requested the _NSAkey name be changed, but as someone noted, they're human too.

It's not even certain they had the sources when they reviewed it, though I would hope that is required. Even then the sources only get you the public portion of the keys, not the private portions, which is why it isn't a problem that these keys were found in the binaries a year or so ago. It might be reasonable to assume that MS had a "debug" key in place then for NSA's use in review, as they do now with W2K, so NSA wouldn't need to have the "real" keys to test the software.

All that said, if they don't have a key, they can get it anytime they want it -- they're the NSA and this is a matter of national security, at least in the government's view. They are skilled enough to steal it, or have muscle enough to demand it, as they wish.

My guess is that they are really unhappy about the fact that the second key can be replaced to allow strong crypto to be loaded, and would prefer the _NSAkey had never been.

-paranoia on-
Suppose we've got it backwards and changing the second key indeed allows normal boot, but also triggers sending info to the NSA? I'm sure many enquiring minds with disassemblers are looking into these things :)
-paranoia off-

Re:MS: "We do not share out keys with NSA..."

[Simon+Hibbs]

So what? Suppose the NSA did demand that Microsoft
surrender their keys? This has not appreciable
impact on the security of Microsoft's customers
whatsoever.

The crypto keys are purely signature keys used to
verify the authenticity of crypto modules loaded
into NT. They do not provide any access to
material encrypted with these modules.

I realy don't know what all the fuss is about. There
are enough genuine reasons to dislike MS products without having
to invent spurious ones based on a foolish and naive
missconception of the technology involved. I just damages the credibility
of 'the cause'. (however you define it)


Simon Hibbs

Nice Response

[X-Usagi]

They may have responded like its no big deal, yet if all they said is true, the keys are still there! The CSP's they speak of could have been handled through another method, and surely not as inconspicuous as they are now.

Secondly, how can we know the validity of their arguments? For an example one must merely take a look at BackOrifice.

Once again I feel even more secure staying in my safe Linux environment, I have access to the code and that is great leap above and beyond anything that Microsoft can offer me.

Re:You don't make backups

[S_hane]

You're right - the NSA DOES have some clue in regards to information security - and this IS why they "offered" the advice....if you get my drift?

It's patently obvious that the Microsoft response to these allegations doesn't cut the cheese. Why have a backup key if a backup copy of the original key would be just as easy to store?

Equally, arguments that say M$ has a second key in case of compromise of the first don't hold any water - why didn't microsoft just say this was the case?

The NSA's concern with information security is that everybody else's information may be too secure...hence the NSA_Key solution!

-Shane Stephens

Lets trust Microsoft.

[Bowie+J.+Poag]

Far be it from Microsoft to LIE or anything.


"Its not a car. It is merely a steerable metal box with four wheels and an engine, nothing more."


Bowie J. Poag

Re: "unsupported" browsers

[hany]

once upon a time i was reading some pages at www.microsoft.com with my netscape on my linux box. pages were related to DOJ vs. MS law-suit. there were (on MS' pages) also possibility to write my opinion about the case.

so i wrote it and submitted.

but submission failed. it failed more than once. to be more precise, i tried 4 times and it failed 4 times. (error: Microsoft VBScript runtime error 'XXXXXXXX')

so i take action based on info from error page: go to another page and fill error report.

error report asked about lots of things but two of them were OS and BROWSER.
i happily fill them with "linux" and "netscape".

error form submission failed too. i tried 3 times.

then i "corrected" those two fields to "windows" and "explorer" and - surprise - error form worked!

after some time some person from MS tech-support contacted me. so i repeated my original reports about errors in their forms.
i received reply: linux is not supported by us

i tried 3 times to make argument that such errors are not related to my machine or browser (only in case theire scripts are handling such info and are handling it with less success - which is again not my fault).
i failed.

what's the point?
maybe the only legitimate and truly meant "response" from microsoft is "runtime_error-we_do_not_support_that-internal_ser ver_eror-server_is_busy-...

Why even care?

[fizban]

Like the NSA actually needs a backdoor key to get into a user's computer system! What a joke.

Re:Believable? Nope.

[aidan+skinner]

Buffer Overflows are a result of a lack of bounds checking. This is a logic error. Logic errors are the one hardest error to detect in programming. The reason there are so many buffer overflows are because when you program, you dont

Buffer overflows could be avoided by using a language which has bounds checking built in.

- Aidan

When paranoia strikes...

[IMarshal]

More than a few of the people posting on this thread could use a nice chill-pill.

http://ntbugtraq.ntad vice.com/default.asp?sid=1&pid=47&aid=52 has a very reasonable outsider's perspective of what this issue is about.

Furthermore, there seems to be some confusion between CSP's and providers of authentication on NT. Assuming the worst possible case (e.g., the NSA can break everything encrypted via CryptoAPI), this has nothing to do with someone subverting LSA or kerberos and logging onto your system and reading or modifying your files.

In other words, you should really only be concerned if you're using the CryptoAPI to encrypt sensitive stuff. If you don't trust the CryptoAPI, then you can always use something unrelated, like PGP. But if your paranoia level is that high, then maybe even PGP has "backdoors" that you're unaware of...

Re:Umm.... it might as well be an NSA key....

[Nipok+Nek]

Um, have YOU ever heard of something known as SCOPE? Since the key is the same for EVERYONE, no single warrant would have the power to cover it, unless EVERYONE with Windows (either individually, or by inclusion) were named in the warrant. No judge in his right mind would sign a warrant that broad.

And while we are at it, what possible reason could be cited for the need to have this Key? It's not used to encrypt anything, just to verify the validity of an encription module.

MSFT's disclaimer - the fine print

[Al+Mann]

After reading the MSFT disclaimer at
the bottom of their comment on the
alleged backdoor, it is hard to
take anything they say seriously.

For those who didn't read the small
print, here it is:


September 03, 1999: Bulletin Created.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Now, this does read like standard lawyer
CYA BS, but when they're telling you to
trust them and following the statement
with an overarching disclaimer...well,
I don't have to be a crypto expert to
know *my* security is best served elsewhere.

Re:They be truthin' yous

[Nipok+Nek]

"We do not share them with any third party, including the National Security Agency or any other government agency." Who's the Second party? I don't remember getting a copy of the key. Bad grammar, or subtle wordplay?

Moft? flaky grammar?

[QueenFrag]

must be another "de-facto standard"

Re:Once and for all - not a back door.

[.pentai.]

Yes, that's right, it's for executable code.

But verifying and executing are two very different things. If you don't install it it won't run.

A secondary bit of interest in that...

[gmezero]

is this quote: "Sun has had run-ins with the NSA in the past. Two years ago, the NSA objected to Sun including encryption in the exportable version of Java 1.1. The end result was that Sun stripped encryption out of Java 1.1 and the software was delayed by about six months."

I remember this delay, and I don't remember Sun ever mentioning it was due to NSA related issues... which is fine, but what I do remember is that MS drug them through the mud over the delay!

Now, considering how everyone in the these circles usually knows what's happening to everyone else involved, I would say that it's a good bet that MS knew the real reason behind this delay, and knew that Sun wouldn't say anything, and took the opportunity to kick an opponent when he's down (not like they don't always do this), but somehow this BS from MS, never ceases to amaze me...

Sigh and yawn...

I see now

[Adam+Knapp]

Isn't Eschelon suposed to be doing industrial/economic spying for American businesses? The sort of arrangement you describe would fit in nicely to that scheme. Of course the compelling interest of Microsoft to obey the NSA might just be pictures of Bill Gates' micro-softy, or access to old-boy's networks at the DOJ and Federal Court system.

Re:An Honest Question

This is used to verify such things as Active-X and Java applets I believe. So now the NSA can sign things and you will run them. For the NSA to do a hidden redirect when you go asurfin would be pretty easy for them, I bet. Hence, it is a backdoor. It is a bypass of the security model (which, unfortunately, in based on the premise that you trust MS. Probably, you don't, but the NSA doesn't either.)

Re:deactivated...

[Mr.+Slippery]

The backup key is needed for disaster recovery.

Bullshit.

Ever hear of offsite backups? Or commerical key escrow? Or n of m data splitting techniques?

Either (1) this is an outright lie, or (2) Micro$oft doesn't know how to manage critical data. (And that's not an exclusive or.)

Nonsense. Really.

[jimfrost]

Microsoft's response indicating that the backup is there in case of disaster is simply nonsense.

The first thing that occurred to me (and others in this thread) was that you need only make copies of the key to safeguard against its loss.

Does it really seem likely that Microsoft has only one copy of a key on which their software depends? Not bloody likely. There must be redundant backups. Furthermore the key is probably not stored exclusively in some super-secret place; they need it to generate new builds, a process done on a daily basis. That means that the release engineering team has access to it and you can bet that they're not walking over to some ultra-secret building with the build bits every day.

It makes sense to have a developer key (though it should really only be used in internal builds), but the only way it makes sense to have a second production key is if it belongs to a second party. There is no additional security provided by having a second key that wouldn't be provided by having backup copies of the first key. In fact, it's more secure since two keys gives you twice the targets in a brute-force search for the private key.

So: I think we can take Microsoft's response as being pure bullshit. So why is the key really there?

Consider this new evidence in light of the recent request by the DOJ for the rights to surreptitiously monitor your computer system given a sealed warrant. Well, that key would make it a hell of a lot easier to insert evesdropping hooks, wouldn't it?

Now, aside from not being all that keen on companies selling my personal information all the time I'm not much in the way of a privacy nut. If they want to monitor my system, hey, it's their time and energy to waste. But don't ask me to believe bullshit "backup key" arguments. It ain't so, and you're insulting me by suggesting it is.

That key is there at the request of the US government, you can bet your last dollar on that. It gives them the ability to drop in a bug that can monitor any data manipulated via the crypto API. This is a better technological solution than key-escrow.

Now here's the way you can use this in your favor: build a software package that checks the signature of the crypto API against the different keys. If you have one that verifies against the so-named NSA key then you're not using the stock Microsoft package anymore. And wouldn't that be interesting?

Re:seems to me they admit it

[Markee]

I assume that the guys at Microsoft are paranoid enough to do code reviews on a regular basis. It is done in many major (and not-so-major) software companies to ensure code quality. As a side effect, if you are are a developer and you want to introduce a security hole (or even an easter egg) in the "operating system", you would a) have to know in advance who is going to review your code and b) cooperate with your reviewer so that he will look the other way at the right page of code.
On the other hand, there are plenty of easter eggs (up to entire litte game engines) inside the code for M$ products. This shows that it is possible for the M$ developers to hide significant portions of code from their management. So there is no technical but rather an ethical restriction on how malicious hidden code inside Windows can be.
Ergo, if there's enough really pissed developers who gather and introduce a backdoor into Windows, it could be possible.

Hey, wouldn't that be something? Let yourself be hired by Microsoft, gather the illoyal employees around you and ruin the product!

You can't ever be too paranoid

[um...+Lucas]

The FBI wants capacity to be able to tap 1% of domestic calls simultaneously.

European gov't complains about (and reveals the existance of) Echelon - a keyword scanning station.

In marrying those two, you end up with very impressive domestic surveilance capabilities. Agents no longer need to actually "listen" in on phonecalls that may or may not be deemed suspicious, as Echelon can monitor telephone, fax, email, etc... Probably merge all those results together and give a very detailed account of people, based on their insecure communications.

Nice typos

[scottward]

They must have posted this so quickly that the couldn't even have it proofread... Nervous? Probably...

Re:So... you think Microsoft SHOULD break the law?

[plague3106]

Well i'm sure they've already broken other laws...whats one more?

Re:They be truthin' yous

Incompentence is always credible from MS.

Threshold problem & key backups

[coyote-san]

Something just occured to me. Regardless of whether MS uses hardware or software encryption, it's possible to use the threshold problem to break a secret into multiple N pieces where any M are sufficient to reconstruct the key, but M-1 are not. (Not all hardware signers have this ability, but IIRC some do and it's a prudent precaution.)

That means that MS could take their primary key, apply a (7,4) algorithm on it, then put the pieces in a safe deposit box in Seattle, New York, LA, Boston, Atlanta, Denver, and Calgary. Any four pieces are enough to reconstruct their private key.

If four of those keys are unavailable at the same time, then Microsoft losing its private key will be among the least of our problems. No pair of cities, except Boston & NY, are within 1000 miles of the others so only an "extinction level event" would take them all out at the same time.

Conclusion: MS is blowing smoke. Either they're totally incompetent, they're lying, or they have a profound breakdown in internal communications. (The same options apply to the "advanced web programming" (HTML forms) comment regarding the hotmail fiasco.)

Come on... Required by law?

[Dwonis]

You need a backup (and I believe that the NSA requires it by law) so that if the first key ("key #1") needs to be revoked, you use the backup key to verify the new "key #1" that you receive.

I can see why Microsoft would want to do this, so they don't have to spend millions on a worldwide upgrade of all windows systems (like the Pentium bug), but why would this be required by law? There is no element of "national security" of any interest to the NSA in this, unless there's something Microsoft is not telling us.

We probably found something, but it isn't what we think it is, so Microsoft is trying to create a diversion so put us off track by pretending the key is only used for CryptAPI, when really it is being used for other things as well. Someone should really see what else this key can be used for.
--------
"I already have all the latest software."

Cool!

[Zico]

I've got my very own stalker! I finally hit the big-time, ma!

Cheers,
ZicoKnows@hotmail.com

All modules are a security risk.

[Dwonis]

These MS-signed crypto modules run as the super-user (as every MS component does). These modules could contain any code at all.

I could write a module that, when fncDo_crypt function is called, spawns a (hidden) remote-access server that allows me to control the computer, access files, etc. If MS (or the NSA) signs it, I have access to everyone's computers (and I can flag the most sensitive data - the stuff that was supposed to get encrypted).

Don't trust MS crypto, nor even PGP (it's proprietary, though I guess it's better than MS-CruftAPI), but only OSI-Certified OSS alternatives, such as GnuPG.

'Nuff Said.
--------
"I already have all the latest software."

Whether its true or false...

[drsparkly]

my first reaction was I'm glad I'm not running
any version of Windows as my primary home OS.
No matter what MS say, how will anyone know for sure whether what they say is true or not? The only OS you can truly trust is one that gives you its source code...

Another proof for that

[platypus]

This is an excerpt from a summa ry of the internet auditing project.
Friday, our Japanese participants discover that a computer on their company network has been cracked into, one very secure Linux box running only SSH and Apache 1.3.4. Now this would definitely send a chill up your spine if you knew just how fanatic our friends are when it comes to network security. Furthermore, they only detected the intrusion three days after the fact, which is unbelievable when you consider the insane monitoring levels they've been keeping since they agreed to participate in the scan. They would have noticed any funny stuff, and in fact, they did, lots of it, but none of which came close enough to a security breach to raise any alarms.
[..]
The attacker knows the employee's username and password and is even connecting through the employee's Japanese ISP on the employee's account! (the phone company identified this was an untraceable overseas caller)

This information could not have been sniffed, since network services are only provided over encrypted SSH sessions.

Further investigation shows that this employee's personal NT box, connected over a dynamic dailup connection, had been cracked into 4 days earlier.
[..]
How the NT box was cracked into in the first place is still a mystery. The logs weren't helpful (surprise! surprise!) and the only way we were even able to confirm this had happened was by putting a sniff on the NT's traffic (following a hunch) and catching those sneaky packets redhanded, transmitting our SSH identification down under.

Hmmm...

There's another point:

[Cerebus]

The whole issue of whether or not the NSA has a backdoor into CryptoAPI is moot, frankly. What's being missed here is that the system allows *arbitrary replacement* of the backup key, which would allow *any arbitrary CSP* to be installed on for system use *without user intervention or knowledge*.

How long before we see a trojaned CAPI with an installer that replaces the backup key? While there is potential for abuse by law enforcement, there is also *significant* risk of key compromise by third parties as well.

Where would you like your keys to go today?

An Honest Question

[Nessak]

I am not compleatly sure how MS Crypto works, so I am asking this not as flame bait. Is MS saying in this press release that the goverment dose not have keys ("Back doors"), but MS dose? Someone please clairfy this. Thanks

Re:An Honest Question

[Hobbex]

It was never really a question of a backdoor in the first place. The keys in question allow Microsoft to sign the crypto modules used within the the CryptoAPI, and for Windows to reject modules not signed by those keys. If the NSA have a key, they would be able to produce fake crypto routines to replace CryptoAPI standard ones: obviously an advantage, but not enough to be a back door.

The reason they had to make it this complicated, and not just integrate the whole thing, is of course US Regime's anti-crypto campaign.

All this is IIUC.


-
/. is like a steer's horns, a point here, a point there and a lot of bull in between.

It is

[Dwonis]

pronounced "GRA-mer"
--------
"I already have all the latest software."

They just won't admit it...

[TedC]

...but NSA really stands for "NT Sucks Already".

I guess their explaination could be true, but I would still feel a bit nervous about using Windows after reading this. Fortunately this issue doesn't concern me. :-)

TedC

Re:They just won't admit it...

[E29]

Actually, it really stands for No Such Agency.

Re:Backup key? -- No, really, they are right

[Sux2BU]

This is simply unrealistic. You are arguing that simply having backups makes data insecure, regardless of where the backups are stored. Granted the key is only secure as the weakest link (or backup), but multiple copies are needed in this case. Its evident you've been watching movies a bit too much. Redundancy is needed in the world, no matter how secure/protected you think one site is.

This even isn't worth arguing since this key isn't just a use once signature. Any new cyrpto packages approved by Microsoft has to be signed, meaning that somebody (or some group) has this key and is using it on a semi-regular basis. With Microsoft I doubt this person walks into the basement with retna scanners, multiple ID checks, and armed guards. Instead they login to the corporate NT domain server to access it.

They be truthin' yous

"We do not share them with any third party, including the National Security Agency or any other government agency."

One would be deluding one's self if it were thought that Microsoft doesn't have senior level programmers, product managers, etc., on the payroll of the NSA. Microsoft is too big and too important for that not to be the case. Similar things occur in places like GE and Boeing (for perhaps more obvious reasons), and you can bet that MS is in the same boat.

That said, it is *extremely* doubtful that MS would have allowed this oversight to escape if the key had actually been a 'backdoor'. More likely they are telling the truth in this case.

Re:They be truthin' yous

[Jimhotep]

"We do not share them with any third party,including the National Security Agency or any other government agency."

Is this a Clintonism?
We do not share them
^^^^^

Do they give them away?

Re:They be truthin' yous

[Adam+Knapp]

It's not quite that doubtful, especially if it came out by internal sabotage. A Microsoft employee could do it since they (by all accounts) are very tight lipped even between divisions a person with a conscience (insert joke here) working on their CryptoAPI could have slipped the version with symbols intact into the service pack.

Re:They be truthin' yous

[SpamHeart]

"We do not share them with any third party, including the National Security Agency or any other government agency."

How do you spell subpoena?
Warrant?
Jeeeez.
DonC.

an authoritative opinion

[WiPEOUT]

check out:

http://www.counterpane.com/nsakey.html

seriously though

[t--f-c]

Now here we have a company whose entire history in respect to its security has been a joke. Their idea of secure has been to use a simple hash to hide user's passwords. And then comes out this piece about the back door and people are genuinly surprised, come on!

You don't think M$ has a little hidden entrance for itself on top of that? I know it may seem a bit conspiratorial but you have to take into consideration the mindset of this company, basically absolutely ruthless. They'll do anything they have to in order to get ahead of the game, including in this case selling out their customer's security options just so they can sell overseas..

Now I realize I use M$ products for the time being but their policies I do not agree with at all. As for this hype, ask yourself are you genuinely surpised to find that it exists? This person isn't.

toufic

Re:Believable? Nope.

[QuMa]

So can speed.

Backup key? Yeah, right!

[ptomblin]

Can somebody explain to me why the primary key couldn't be stored in more than one place? Crytographically, having one key stored in two places is no less secure than having two keys, each stored in one place.

Hands up everybody who believes Microsoft's explanation? Nobody? No, I didn't think so.

Re:Backup key? Yeah, right!

[QuoteMstr]

Yes. M$'s explanation is BS.

As if MS reply mattered.

[Godin]

Since noone seems to have really mentioned it, I felt I should point it out.

Everyone seems to be focusing on Microsoft, but anyone who has read a Tom Clancy novel knows that the NSA will tell MS to lie about it until the day the company goes bankrupt.

If the NSA says it is a matter of national security, then MS will deny any thoughts of ever considering an NSA back door, whether it is there or not. You could have 12 memos from MS VP's and 5 from the NSA that discuss standards for the NSA key and encryption algorithms, but MS would deny it till their servers are cracked and brought down, then go on denying the problem.

It isn't really MS's fault. They probably don't have a choice.

Why do you think open source advocates are painted in such a poor light. Someody out there wants open source advocates to look like extremists and conspiracy hunters. If you want people to believe your story, discredit your opponents.

I doubt MS let the NSA have a back door just becase they thought it would be fun. Chances are someone told somebody else to do it. MS is just the pawn here.

BWAHAHAHAHA

[GFD]

This has go to be one of the lamest lies I have seen in a while:

If a natural disaster destroyed the building in which it were kept,

Of course! And just to make sure that there is adequate "natural disaster" protection what better place to keep this valuable asset protected from Redmond sliding into the ocean than Fort Mead Maryland. :D!!!

What a PATHETIC answer!

Then again maybe they have seen the writing on the wall and the whole MicroSmurf campus will be swallowed whole. But everyone can rest easy because NSAKEY will be safe! :D !!!!!!

runtime error '800a000d'

[Leonardo+Brandson]

For all those who somehow haven't yet figured out
that this is M$'s version of

if (competing_product)
spurious_error_message();

Try going into lynx "O"ptions, "User (A)gent" and
typing "Mozilla 4.0 (compatible; MSIE 4.0/Win95)".

Mirabile dictu, it works!

The workaround for Netscape on Linux is left as
an exercise for the reader.

Re:MS does not share the key with anyone?

[rc-flyer]

Sorry, you're wrong.

Without getting into the discussion about the NSA, the NSA can review the program without seeing the key. Look at PGP and GNUPG, the software is available, you can look at the software, but you can't crack my private key.

Re:And why isn't it availible via Gopher?

[J.+Pierpont]

Gopher is always cool.

Does anyone have any good links into gopherspace?

-awc

Ballmer is anti-geek...

[Uart]

He is the REAL Evil force at microsoft.

In an interview, he was asked, "Are you a `gadget guy'??" He responded (with disgusted look) Absolutely not.

When asked "Do you have a computer in your bedroom?" he responded, once again disgustedly, No, i don't.

I think it would be a safe bet to assume that he is evil, as well as stupid, and the REAL person running Microsoft.

Disclaimer

There is a disclaimer at the bottom of the page that says that information is as is without warranties of any kind.
Does this mean that any information on that page doesn't really mean anything at all?

Obviously!!

[simm_s]

Microsoft is obviously going to lie about having a backdoor if it is a back door. There is a problem though why would the NSA need Microsoft to backdoor their product. Windows security is legendary in terms of openness (sarcasm). This does not seem the style of the NSA (well I don't know the style of the NSA), but this is silly. It is so silly I lean towards believeing the NSA has nothing to do with it.

Re:Once and for all - not a back door.

[TummyX]

Which part of "Active-X" and "Java applets" didn't you understand? These execute automatically on web pages and can also be sent in e-mail. There is no installation required.


Not if you disable activex and java applets in IE. Java is sandboxed anyway, and activex uses a trust scheme. If it's unsigned - don't allow it to run.

Re:As If.

[J.+Pierpont]

I find the number of people who think "Bill Gates wrote Windows" alarming.

-awc

Still suspicious: Clintonian parsing

[LinuxParanoid]

Are there two keys?
Yes. However, both are Microsoft keys. We do not share them with any third party, including the National Security Agency or any other government agency.

Did anyone else notice the present tense used in this statement? "We do not share"? Not "we did not share" or "we have never shared..."

However, Microsoft holds these keys and does not share them with anyone, including the NSA.

Hmmm, same thing again. I wonder if MS is leaving itself a verbal out in case it is ever caught having once divulged the keys to the NSA. "At the time that statement was made, it was literally true." The old politian's art of deceiving without lying.

Or perhaps I'm just paranoid.
Oh yeah, I am.

--LinuxParanoid

P.S. Further verbal obfuscation could be exploited by not specifying whether one was talking about the public key or the private key. Hmm, MS doesn't make that distinction in its written statement either.
P.P.S. These statements are observations, not a conspiracy theory!

Re:Falsifiability, people.

[jflynn]

"I believe that, even if they are telling the truth, there is nothing that they could say to make you believe them."

This is not a court trial, and this certainly isn't an objective jury. But:

When a witness is caught lying, its not unusual to reject the rest of their testimony on that basis alone. MS has been caught "severely bending the truth" (to be charitable) many, many times.

Did you find their statement that "advanced web programming knowledge" was necessary to read hotmail truthful? How about the statement they "responded quickly?" (The hole was still open at the time of that statement!) Of course their creditability as a witness is shot.

That doesn't mean there aren't third party advocates doing a good job of defending them, for example the BugTraq report, or Bruce Schneier's eloquent comments on sci.crypt, both of which have been quoted in the original story and in this one.

So, no, there isn't anything Microsoft could say that I wouldn't think about and test carefully before believing. I like to think I have some impartiality with respect to other sources. But everyone I read agrees that something is just a little stupid, or strange about this, except Microsoft. The one halfway convincing argument explaining this is the idea that it allows authenticating replacement crypto modules if the first key is compromised. But Microsoft said "destroyed". Why?

Everytime I see one of those certificates asking "Do you trust content from Microsoft Corporation?" I have to laugh. Sorry, I used to defend Microsoft too, but I gave it up years ago.

Rather sloppy for M$

[bu_geek]

Am I the only one who noticed a few grammer errors in the response? I wonder who approved the text. . . MS is not that sloppy with what they put out. Wonder who wrote it?

Re:Rather sloppy for M$

[sqrlbait5]

"...suggested by the government, because we because we don't believe they are in the best interests of consumers or the industry..."

Whaaat? They probably don't even know what they're saying...

Re:Rather sloppy for M$

[dboyles]

"Am I the only one who noticed a few grammer errors in the response? I wonder who approved the text. . . MS is not that sloppy with what they put out. Wonder who wrote it?"

Reread that first sentence and tell me if you see any irony.

-Drew Boyles-
dboyles@resnet.gatech.edu

Re:Rather sloppy for M$

[Anders+H�ckersten]

This is offtopic but... How come people seem to have a trouble spelling grammar? Everyone spells it "grammer" for some reason. Why? It's not like it's pronounced that way or anything (or is it?)

This is a fiasco

[MobyDisk]

The original article made no sense to me. This was an attempt by the overreactive anti-Microsoft community to bring out yet another security flaw. Not that there aren't plenty already. The original article needed much more substantiation before it was brought to the press.

Frankly, I mistrust the freely available download to patch the bug more than I mistrust Microsoft's response. What a great way to fool people into downloading a virus: Call it patch!

Ofcourse it is true: MS does have a back door in Windows, it's called "ActiveX" or "Microsoft Office" :)

Re:This is a fiasco

[Processor+AL]

Hey, at least you can get the source to the patch, well, if you're willing to sign the NDA.

Some questions

[jflynn]

Microsoft states that export controls are not affected. Yet I have heard several say that the NSAkey could be replaced by your own, thereby easily allowing strong crypto modules to be loaded by foreign customers of Windows. Who is wrong here?

Presuming the above to be true, and that it will be fixed in the next release, could this provide another disincentive for upgrade?

Don't you think the NSA might be a little pissed at MS for being dragged into this by a stupid mistake on their part? Not to mention the possible problem with strong encryption control.

Isn't it true that having two valid keys reduces the security of the keys against random guessing by a factor of two? Even if this is not terribly significant shouldn't it be something MS discloses to its customers?

Jim

byte by byte compare.

[JDizzy]

I think its time to see if MS is lying. If the two keys are the exact same then I should get a smile on my face. If they differ then I'm unhappy.

Am I able to create my own signed package for the cryptoAPI?? If not, then I suggest that the RC5 teams around the world stop what they are doing and crack those two keys.

I don't think MS should have the right to decide what crypto is appropriate for the API. What if I wanted to make my own crypt system on NT4? I wouldn't be able too unless them RC5'ers get their act together and crack the two keys.

-Diz

I'd rather have the gov't then Mircosoft

[HomerJ]

From what I read of the response, it just gave Microsoft access, and they didn't give it out to third parties, including the gov't.

If I ran an NT server, I'd sure be happy that all the gooey goodness that is Mircosoft can go in and see if everything is ok, check on security updates, and get all the private information about my company so they can serve us better.

Ok, enough with the sarcasim (^_^), but this was just discovered and has been there since the begining. Makes you wonder all the stuff that's in NT that just hasn't been discovered yet.

Possible Good Thing

[moibus]

I don't much buy the whole NSA thing. Bruce Schneier has made some great comments on sci.crypt regarding this, check them out. In any case, this article:

http://ntbugtraq.ntad vice.com/default.asp?sid=1&pid=47&aid=52

seems to shed some good light on the subject. This find may be a good thing, allowing people to insert domestic crypto CSPs in export copies of windoze. In any case, as bad as M$ is, I'd check this one out thoroughly before passing judgement.

More Lies from Redmond

[The+Future+Sound+of]

Don't believe anything that Gates says.

Of course they've left a backdoor open for the government; it's all part of their negotiations with the DOJ: They've been given the green light to secure a monopoly so long as the government is allowed to access each and every computer that has installed Windows.

It's so painfully obvious that it pisses me off when people try to refute it. The government is *counting* on your passivity!

Re:More Lies from Redmond

[phil+reed]

And your evidence for this is... ?

Feel free to provide it here. Saying "It's obvious" would not stand up in court. You must have some real evidence, otherwise you wouldn't be standing up in public making this sort of accusation. So, let's have the evidence.

Thanks in advance.


...phil

Ahh... that explains everything!

[el_chicano]

Why the backup key labeled NSA key?

This is simply an unfortunate name. The NSA performs the technical review for all US cryptographic export requests. The keys in question are the ones that allow us to ensure compliance with the NSA's technical review. Therefore, they came to known within Microsoft as the NSA keys, and this name was included in the symbol information for one of the keys. However, Microsoft holds these keys and does not share them with anyone, including the NSA.

Sounds like Orwellian double-speak to me. Up is down. In is out. NSA key is not for the NSA. Maybe Bill Gates' minions are taking disinformation lessons from the MIB of the NSA?

Where are Mulder and Sculley when you really need them...

Re:Backup key? -- No, really, they are right

[MobyDisk]

Primary private keys don't get copied. They are P-R-I-V-A-T-E.

Example: The US govt stores private keys for on ONE computer, somewhere obscure, which has laser alarms, guards, etc. They even has computers where if someone touches them, they self erase to protect private keys!

Supposing MS is concerned about their keys, they would store those keys in one place, securely (probably on a Linux machine :)) And no copies exist. Making copies makes it no longer secure.

A better idea is to make a second, entirely different key, that the NSA or some other trustable organization can store.

Re:Believable? Nope.

[ashridah]

microsoft don't have back doors. heh. hehehehe
very funny microsoft. ever heard of buffer overrun security issues.

Re:Believable? Nope.

[Black+Parrot]

My only gripe is why the software I have to have to use Linux has buffer overflows at all. In particular, why doesn't Red Hat examine the code before a new release, rather than signing me up for a "b.o. fix of the week club" for several months after the release.

It's not like buffer overflows are a new thing in the world. Couldn't all the standard components that ship with Linux be audited and fixed once, and stay fixed thereafter?

"That depends on what the word 'is' is."

[StormReaver]

This is typical Microsoft double speak. The article flatly states that Microsoft doesn't put any back doors into their software, but then it says that Microsoft has inserted two decryption keys into all versions of Windows that will allow them access to any Windows computer.

Their explanation is laughable: The second key is a backup in case the first one is destroyed through some kind of natural disaster. They give the impression that they keep the single existing copy of the first key locked up in a vault somewhere when we can be reasonably sure the key exists in multiple forms scattered throughout many locations and computers, and on countless backup devices.

Then they claim that the second key is named NSAKey by an unfortunate coincidence, but that it has nothing to do with our beloved "let's suppress the masses" agency. They go even further to say that the NSA does not have a key (suggesting that MS would not give the NSA a key). All it takes is for the NSA to demand it from MS (assuming you believe they don't already have it) and MS will pee its pants from the effort of complying.

And then we finally arrive at the crux of the entire matter. There shouldn't be ANY built in keys for any reason. Not only does every MS document created with MS-Office clearly identify the author, but now MS (and by extension, any government agency) has a built in back door to nullify any type of security dependant on the cryptographic API. Who knows what other security and privacy breaches are built in. There just doesn't seem to be any safe haven from Uncle Borg and co.

On why two keys...

[MrWHO]

What I can say about it is that, for higher security, you don't usually make copies of the private key, even if possible. I won't enter the details of it, but put simply: how much would you trust a key that you can make copies of?

More to it: in high end security solutions the key is held in hardware, be it a smartcard or a more complex CA card or box. This pieces of hardware are initialized and they keep the key in such a way that is, virtually, impossible to copy out of it.

The bugger being: you loose the card, you loose the key. I even understand the double key, giving them a backup plan in case the first key is lost, and I see nothing wrong with it.

There is a problem in all this, and Microsoft didn't answer that bit, the most important bit of the issue: if it's so easy to change one of the trusted keys, as the original article showed, how can we trust the crypto units "certified" by Microsoft?

An scenario could be the following: Eve wants to see what's going on between Bill and Laura, ships to them bot a piece of software "signed by Microsoft", this piece of software, during the installation, changes the backup key to a key known by Eve, and installs the evil CAPI that makes a copy of all the communication going on between Bill and Laura, encrypts it with the public key of EVE and sends it to her.

Do you see the hole?

A smile,
Fabio

Re:The penguin who cried wolf?.

[Black+Parrot]

> Even if this were a real issue no one would believe it.

I would have said, "Even if MS is telling the truth (for a change), no one would believe it."


> People (mostly the Linux community) have cried wolf way to many times.

Heh. MS cries "wolf" regularly in the form of vaporware announcements, and a few people still seem to believe them.


> At this point everyone just assumes you are lying in order to promote your agenda.

I'm not so sure the story started among Linux advocates, and I know Linux advocates aren't the only ones raising the alarm.

And besides, what kind of agenda are we supposed to expect from Microsoft? They'd give use the same denial whether they were guilty or not. Their disclaimer proves nothing. Being utterly predictable, it was information-free.

If they do happen to be in the right (for a change), it would be no more than poetic justice to have them suffer a customer revolt based on misinformation. What goes around comes around, and all that.

the larger issue

[banky]

From NTBUGTRAQ:
"Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd expect out of Microsoft."
I guess its sorta taken as a standard that someone else has, gee, found yet another weakness in MS. Even if its just an "academic" weakness.

Re:the larger issue

[Burnon]

My guess is that there's some manager in microsoft who "doesn't quite trust this key thing" and thinks that having two keys is a good idea, in case the first one "breaks." ;)

Public review of an algorithm (even if it's only within Microsoft) probably would have cleaned that up. My guess is that the addition of the second key came AFTER the review (if there was a review in the first place).

Re:Not exactly so...

[mbac]

My real point is that no matter the encryption strength in an export program, there will be a backdoor for the U.S. government to walk through.

While only weaker security is allowed by law to be exported, I don't think it's stated anywhere in the U.S. code that the federal government must have its reserved backdoor.

Consider this in military terms: it's like exporting stealth fighter jets that are only 50% as undetectable as the original ones, yet putting a radio switch in them that will enable the U.S. to turn off the engines of the craft at will.

"Just in case our radars didn't pick it up..."

Not only would it be easy for federal agencies to crack into a foreign system running U.S. encryption, it's 100% sure that they will if they try!

As for domestic encryption, it would probably be too inconstitutional of the government to ban strong encryption from the streets. After all, it is regarded as a weapon, and U.S. citizens have the constitutional right to all fashions of exotic weapons...

If they really needed to get into your American 128+ -bit encryption, why bother cracking it, they might just come pay friendly visit, or tap your old analogic phone... (Ok, that's just a little too paranoid, but...)

Re:Backup key? -- No, really, they are right

[QuoteMstr]

It doesn't matter. When one key is equally as effective as annother, for all intents and purposes, it's the same key! It doesn't matter if grabs one key or the other... they are equivalent. Plus, having two keys HALVES the time needed to crack it by brute force.

Re:Yeah right

[thogard]

Its only 2^512 times more difficult if and only if the keys are prime. If the density of prime numbers changes as the number of bits increases then it is quite possable that a 512 bit key may be harder to break than a 1024 bit one.

MS can deploy new keys at any time.

[HopeOS]

Microsoft states that in order to reduce costs and expedite deployment of cryptographic modules, they implemented two keys in the event that their primary was lost. This rational is strictly invalidated by their principle means of distributing system updates, the service-pack dependency.

...Microsoft would need to sign future CSPs using a new key. In order for these CSPs to be verified, matching key material would need to be provided to all of the millions of customers using Windows 95, 98, and Windows NT. Clearly this would be a massive undertaking. This is why there are two keys. - Microsoft

Deployment of a new key is trivial for Microsoft. They have demonstrated the capability to distribute sweeping changes to their operating system through the use of service-packs. Moreover, they have forced the installation of these service-packs through widespread use of software dependencies. One version of Microsoft Developer Studio, for instance, required not only the installation of SP3 under NT, but IE4 as well. A reasonable administrator accepts that software dependencies exist and expects to upgrade libraries to take advantage of new features; however, it would be absurd to argue that Microsoft is only casually aware of the power it exercises in this matter.

At any point in time, Microsoft can replace or update the CryptoAPI by requiring all newly-signed cryptographic modules to first install the appropriate service-pack. This circumstance is so routine for administrators that it could hardly be considered an exceptional solution.

Whether the NSA holds any of Microsoft's private keys may never be known. Why Microsoft implemented two keys is anyone's speculation. One thing is for certain however, Microsoft's statement that deployment costs alone governed that decision does not stand to reason. Microsoft deploys what it wants, when it wants, and achieves widespread adoption.

John Joganic
The J. Arkadia Corporation

I wonder what they had to say

[lazarusL]

Another example of MS and scalability. :) No wonder Rob doesn't run /. on MS. :) (What follows is what I got from the link.)

Microsoft Security Advisor Program: Microsoft Security Bulletin error 'ASP 0113' Script timed out /security/bulletins/backdoor.asp The maximum amount of time for a script to execute was exceeded. You can change this limit by specifying a new value for the property Server.ScriptTimeOut or by changing the value in the IIS administration tools.

Not exactly so...

[mbac]

I've sent a mail to CmdrTaco, asking for more coverage on the issue. Well, here it is, so I'll post the mail with a couple of thoughts (sorry, it's LONG):

As a /. author indicated before, an old CNN/IDG story (should be found here) confirms beyond any reasonable doubt that the NSA is involved with, and has authority over, any developing software that contains encryption of sort. The article hints that NSA makes arrogant, threatening use of U.S. encryption export laws in order to force companies to open 'reserved' backdoors in their software and/or to loosen their encryption.

Aside from that single key found in Windows, which might or might not be the actual backdoor for the NSA (IMHO, it all looks a bit too naive to
be serious), it's guaranteed that one or more security holes exist in all apps created for the world market, i.e. 99.8% of all software around, from Sun's to AOL's. This is particularly fearsome to people and companies, like me, who are not American.

No software is 100% secure, I know, and the power and means of government agencies are enough to break into anything they really want to. We all know they're implicitly authorized to do anything, legal or not, to pursue their interests.
Yet, this is not a matter of cracking into a drug dealers computer to trace down their bank accounts, it's not government vs. bad guys.

This is something pre-emptive, addressing good and bad guys alike, all over the world.

Software producers in the U.S. are bound to report to the government about each step they take in to security technology, and they're required to always keep a copy of the keys for Uncle Sam to easily walk in.

It's not all about security, though...

Companies are forced to hire demanding professionals to handle the relations with the NSA (this is also stated in the article), to delay
their products because they haven't 'loosened up' enough, to strip away features from their products, and so forth.

It's all in the article, and it's a lot more frightening (to the security-concerned) and irritating (to simple home users like me) than one *hypothetical* backdoor key in Windows.
For once, it's not a matter of Microsoft kissing up to the government, this is the government pushing down on *all* software producers alike to
grant itself access to every kind of encryption capable, secure software available.

This is quite big, and IMHO it deserves some more attention. Please let me know what you think.

Thanks for taking the time to go through this long rant, hope it was worth it!

Re:Not exactly so...

[QuoteMstr]

I wonder what the NSA would be if a company began designing a product solely, from the beginning, for US-onyl distribution with Five megabyte (Yes, byte) keys... Has the NSA done anything for purely domestic software producters?

Re:Not exactly so...

[um...+Lucas]

Well, first they'ed laugh at them for creating such inefficient software... 5 megabyte keys, sure they're a whole lot more secure than 128 bit keys... but 128 bits are more than strong enough according to available public knowledge on encryption...

The NSA harped on Phil Zimmerman because he released his software for free, in source code, on the internet, enabling it to spead across the national boundaries. They don't seem to make a big deal about domestic strength crypto, though...

Re:Not exactly so...

[QuoteMstr]

512-bit RSA was cracked, and you claim 128-bit encryption is secure?

Re:Not exactly so...

[QuoteMstr]

Providing the means to copy the software, or source code of the software, isn't the same as copying it. I could dcc Netscape secure version to a friend in England. Does that make AOL liable?

Re:Not exactly so...

[um...+Lucas]

Surely... 512 Bit RSA is the functional equivilant to 40 or maybe 64 bit crypto using a symmetric cypher. It in no way approaches the strength of a 128 bit symetric cipher, so long as the keys are exchanged securely (using 768, 1024, or greater RSA)

Re:2.0.32???

[NtG]

'If it aint broke, don't fix it' 2.0.32 works fine for me. what the hell is the use of constantly upgrading if your kernel works just fine?

We'll never know without seeing the source code

[Get+Behind+the+Mule]

M$'s explanation may very well be true. I certainly wouldn't put it past M$ and the NSA to buildback doors into cryptography software, but it certainly hasn't been proven that the "NSAKEY" is anything of the kind.

If M$ just claims that there's no back door, then the public has no way of evaluating the truth of the claim. There's only one way to settle the question once and for all, and that is by releasing the source code.

Re:Believable? Nope.

[NtG]

Buffer Overflows are a result of a lack of bounds checking. This is a logic error. Logic errors are the one hardest error to detect in programming. The reason there are so many buffer overflows are because when you program, you dont necessarily take into account that there is one million ways someone could try to create a security hole with your code. You could audit software once, but it's not going to stay secure, because with updates comes more holes. And that's why companies like redhat keep releasing updates. Software gets updated periodically, and with that comes new holes to be found. If distributions were to check all the code pre-release rather than relying on the author(s), they would all be released with considerably dated software. Unfortunately, its a way of life.

Re:UNDENIABLE PROOF:

[NtG]

How humourously hypocritical.

Re:Organizational chaos

[aftersci]

Organizational chaos and a clever, ethically-minded Micros~1 employee.

I've looked at a few Micros~1 products in my day, but I haven't found any without the symbols stripped. Anybody else know what their record is for this kind of oversight?

Text of Microsoft's response

[gleam]

Microsoft Security Bulletin

There is no "Back Door" in Windows
Originally Posted: September 03, 1999

Summary
A report alleges that Microsoft "may have installed a 'back door' for the National Security Agency... making it orders of magnitude easier for the US government to access their computers". This allegation is false.

What's the allegation?
The report alleges that a cryptographic key that ships as part of the CryptoAPI architecture is labeled "NSA key" and constitutes a "back door" that could be used by government agencies to start or stop system security services on user's computers.

Is the allegation true?
No. Microsoft does not leave "back doors" in our products. This is in keeping with our historical stance on this issue. For instance, we have opposed the various key escrow proposals that have been suggested by the government, because we because we don't believe they are in the best interests of consumers or the industry.

Are there two keys?
Yes. However, both are Microsoft keys. We do not share them with any third party, including the National Security Agency or any other government agency.

What's CryptoAPI?
CryptoAPI is a Microsoft technology for providing cryptographic services. Vendors can develop stand-alone cryptographic modules called Cryptographic Service Providers (CSPs), which can then be called by any program via the CryptoAPI interface. For more information on CryptoAPI, see http://www.microsoft.com/security/tech/cryptoapi/d efault.asp.

What are the keys in question?
The keys are used to verify the digital signatures on CSPs.

Why do CSPs have to be signed? And why by Microsoft?
CryptoAPI is subject US export laws regarding cryptography. One element of this requires Microsoft to ensure that CryptoAPI will only load CSPs that meet US cryptographic export laws. This is done by digitally signing all CSPs. Before it loads a CSP, CryptoAPI verifies that the CSP has been digitally signed. Part of Microsoft's responsibility as the vendor for CryptoAPI is to sign the CSPs.

When a vendor has a new CSP that they want to release, they submit it for signing and show that all export licensing has been received. Microsoft then digitally signs the CSP, and it can thereafter be used by CryptoAPI.

Why are there two keys?
There is a primary and a backup key.

Why is a backup key needed?
The backup key is needed for disaster recovery. To see why, suppose we had only one signing key. If a natural disaster destroyed the building in which it were kept, all of the previously-signed CSPs would continue to function normally, because the key used for verification exists in every copy of Windows. However, Microsoft would need to sign future CSPs using a new key. In order for these CSPs to be verified, matching key material would need to be provided to all of the millions of customers using Windows 95, 98 and Windows NT. Clearly, this would be a massive undertaking.

This is why there are two keys. If something befell the primary key, Microsoft could thereafter sign CSPs using the backup key. Because the backup is already in every copy of Windows, there would be no disruption to customers.

Why the backup key labeled "NSA key"?
This is simply an unfortunate name. The NSA performs the technical review for all US cryptographic export requests. The keys in question are the ones that allow us to ensure compliance with the NSA's technical review. Therefore, they came to known within Microsoft as "the NSA keys", and this name was included in the symbol information for one of the keys. However, Microsoft holds these keys and does not share them with anyone, including the NSA.

I heard that there is a third key in Windows 2000. Is this true?
There is a third key present in the beta versions of Windows 2000, but it does not provide a "back door". It is simply a test key that allows the developers to sign test CSPs while Windows 2000 is under development. It will not be present in the production version of Windows 2000.

Does this have any effect on CryptoAPI's compliance with US export law?
No. The CryptoAPI architecture is fully compliant with US export law.

Revisions September 03, 1999: Bulletin Created.




------------------------------------------------ --------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1999 Microsoft Corporation. All rights reserved.

One thing they don't address...

[Jeff+Kandt]

Microsoft says "The CryptoAPI architecture is fully compliant with US export law," but I don't see how that's possible, given what we've learned.

The way Microsoft complies with US export law is that the CryptoAPI won't run any module which isn't signed by Microsoft. This way they can make sure than each vendor's module is "crippled" for export before it can be installed on Windows. If you try to replace Microsoft's key with your own, then CryptoAPI won't run, because it can't validate its own code.

But, perhaps more important than the presence of the "NSA" key itself, Cryptonym showed that it's possible for the user to replace the "NSAKEY" with their own, and still have the rest of CryptoAPI function just fine. This means that the user can install any crypto module they want, without having it signed by Microsoft (aka approved by the government) first.

This would seem to be a major flaw in the mechanism which is supposed to enforce export law. It will be interesting to see if the flaw remains in future versions of Windows, or whether the US government will force them to fix it.

Re:One thing they don't address...

[QuMa]

Not really, because by the law (at least the ones we know of), microsoft isn't forced to restrict people from using their own cryptography.

deactivated...

[will]

now, how could anyone refuse?

incidentally, this has accidentally been through both a mac and a linux box since leaving ms, and is therefore highly offensive to every single person who reads /. Handle with care.

Microsoft Security Bulletin

There is no "Back Door" in Windows

Originally Posted: September 03, 1999

Summary
A report alleges that Microsoft "may have installed a 'back door' for the National Security Agency... making it orders of magnitude easier for the US government to access their computers". This allegation is false.

What's the allegation?
The report alleges that a cryptographic key that ships as part of the CryptoAPI architecture is labeled "NSA key" and constitutes a "back door" that could be used by government agencies to start or stop system security services on user's computers.

Is the allegation true?
No. Microsoft does not leave "back doors" in our products. This is in keeping with our historical stance on this issue. For instance, we have opposed the various key escrow proposals that have been suggested by the government, because we because we don't believe they are in the best interests of consumers or the industry.

Are there two keys?
Yes. However, both are Microsoft keys. We do not share them with any third party, including the National Security Agency or any other government agency.

What's CryptoAPI?
CryptoAPI is a Microsoft technology for providing cryptographic services. Vendors can develop stand-alone cryptographic modules called Cryptographic Service Providers (CSPs), which can then be called by any program via the CryptoAPI interface. For more information on CryptoAPI, see http://www.microsof t.com/security/tech/cryptoapi/default.asp .

What are the keys in question?
The keys are used to verify the digital signatures on CSPs.

Why do CSPs have to be signed? And why by Microsoft?
CryptoAPI is subject US export laws regarding cryptography. One element of this requires Microsoft to ensure that CryptoAPI will only load CSPs that meet US cryptographic export laws. This is done by digitally signing all CSPs. Before it loads a CSP, CryptoAPI verifies that the CSP has been digitally signed. Part of Microsoft's responsibility as the vendor for CryptoAPI is to sign the CSPs.

When a vendor has a new CSP that they want to release, they submit it for signing and show that all export licensing has been received. Microsoft then digitally signs the CSP, and it can thereafter be used by CryptoAPI.

Why are there two keys?
There is a primary and a backup key.

Why is a backup key needed?
The backup key is needed for disaster recovery. To see why, suppose we had only one signing key. If a natural disaster destroyed the building in which it were kept, all of the previously-signed CSPs would continue to function normally, because the key used for verification exists in every copy of Windows. However, Microsoft would need to sign future CSPs using a new key. In order for these CSPs to be verified, matching key material would need to be provided to all of the millions of customers using Windows95, 98 and WindowsNT. Clearly, this would be a massive undertaking.

This is why there are two keys. If something befell the primary key, Microsoft could thereafter sign CSPs using the backup key. Because the backup is already in every copy of Windows, there would be no disruption to customers.

Why the backup key labeled "NSA key"?
This is simply an unfortunate name. The NSA performs the technical review for all US cryptographic export requests. The keys in question are the ones that allow us to ensure compliance with the NSA's technical review. Therefore, they came to known within Microsoft as "the NSA keys", and this name was included in the symbol information for one of the keys. However, Microsoft holds these keys and does not share them with anyone, including the NSA.

I heard that there is a third key in Windows2000. Is this true?
There is a third key present in the beta versions of Windows2000, but it does not provide a "back door". It is simply a test key that allows the developers to sign test CSPs while Windows2000 is under development. It will not be present in the production version of Windows2000.

Does this have any effect on CryptoAPI's compliance with US export law?
No. The CryptoAPI architecture is fully compliant with US export law.

Yeah right

I don't really buy their answer, things get a little shakey here:

The NSA performs the technical review for all US cryptographic export requests. The keys in question are the ones that allow us to ensure compliance with the NSA's technical review.

This paragraph seems very strange in the context of all the others. They go to great lengths to explain to Joe User what it all means in all the other paragraphs with examples, but this paragraph is rather vague.

I think this is the key, (no pun intended!) they are saying that key has to be there to keep them in line with the NSA, but they don't explain what that means specifically.

The could have said that the NSA policy is that their system has to have a backup key, but they didn't say that. They said "compliance" and "technical review" two phrases I'd not like to see in the same paragraph as NSA!

Seem to me like they are brushing over this so they can cover themselves if some future truth comes out.

It seems to be Microsoft's policy to blatently lie about security issues "until a fix is ready for the public interest" - If the NSA do have a spare key for the CryptAPI then there cannot be a fix and so they'll cover the whole thing up. That would be in line with their policy!!

If this turns out to be the case, Microsoft will just cry that the NSA made them do it and even they can't screw with the NSA!!

The other critical point is the one made about the insertion of a new CryptoAPI key of the user's design. They don't even mention this though they happily quote from the article. Looks to me like thats pretty important too.

I hope other news sites will continue to pose this question to Microsoft and see if they can squirm out of this one!

Since 512bit RSA was cracked recently with not too much effort, I am pretty sure the NSA can break any public key crytography in real time. Check out their webpage and see the kinds of people they want (eg maths wizards)

I think that at the moment they love encryption, very few people using it and so they just break their keys and they can pick out the criminals without too much problem.

Once encrytion becomes mainstream (embedded in OS's etc) then this is going to be a major headache for them as they are going to have to crack everything. They know that once encryption is widespread people will start to ramp up the key lengths as CPU power increases. This is their fear and why they don't want crypto outside the US.

Wondering why they let it happen in the US? Because they have a million other ways to spy on you!

Believe big brother is *really* out there.

Re:Yeah right

[um...+Lucas]

Since 512bit RSA was cracked recently with not too much effort, I am pretty sure the NSA can break any public key crytography in real time. Check out their webpage and see the kinds of people they want (eg maths wizards)

Why? 512 bit RSA had been theoretically breakable for quite some time... For over a year now, it has been voiced that everyone abandon 512-bit for either 768 or 1024 (or more...). Just because someone finally got around to showing the world that 512 is breakable, that shouldn't overly alarm you if you're using keys much longer than that. And if they could break public key crypto in real time, there'd be no point to their posturing against it. They'ed let it spread, knowing it was futile.

MS does not share the key with anyone?

[Bobzibub]

This could be strictly true. However, US crypto software has to be reviewed by the NSA before an export licence is granted. This, to me, means the NSA will still have access to the key.

The fun thing is that no matter what the truth is, in the eyes of most they will never be able to climb out of that hole. Especially after the Hotmail fiasco. Such timing. : ))

-Bobzibub

Re:Believable? Nope.

[phil+reed]

That's not a back door, that's programming ineptitude.

Never attribute to malice that which can be explained by stupidity.


...phil

Re:Backup key? -- No, really, they are right

[ptomblin]

Try reading what I actually said. If you have *two* private keys, that's EXACTLY as vulnerable as having two copies of one private key, because compromising either one of those locations gives you the keys to the fortress. Actually, it's more vulnerable because a brute force crack will find one or the other in half the time.

maybe they can't tell us...

[swonkdog]

maybe this sounds a little conspiratorial (that's ok), but, just because microsoft isn't telling (what we precieve to be) the truth does not mean that they are lying either. we all know how microsoft loves to twist things, leave certain pertinate information out and tell things from 'a certain perspective' (a la obi wan kenobi), but, if they are doing things like building backdoors for the nsa, do we really believe that the nsa would let them tell everyone that? of course not. as much as it pains me to say it, we all know that windows (in some flavor or another) is by far the most widely used operating system for personal computers in the world. what does that mean? well, you're average terrorist or drug dealer or whatever is probably not running a linux/bsd/un*x box and probably not running os/2 either. we know that they don't use ms-bob (for those who don't know the security reasons behind this i'll explain below). so, what does that leave behind? i'm 99% sure as are most of you that these upstanding, law-abiding drug-lords/terrorists/etc. are using windows. now, instead of having our computer spys spend hundreds of hours cracking a system, why not have a backdoor? would the nsa want this to get out? of course not. microsoft is then payed off/bullied/given lieniency in court/whatever to keep this secret and deny it. don't other companies and indeed intelligence agencies the world over deny that they are doing something only to admit and declassify 20years later? ex. area51/stealth bomber/rosenberg trial.

i'm not out to take microsoft's side in this (not by any streach of the imagination) by making them look like the good guys, but, the fact that they have the so-called 'keys' is (to me) evidence inofitself that ms is working with the nsa. why else would they have them? i don't believe that linus torvalds or patrick volkerding have keys to my slack systems. i simply believe that they aren't telling us because they can't.

a few words on the security of ms-bob:
for those of you who aren't aware, microsoft bob was the by far the most non-optimal solution for a 'friendly operating system' that the world has ever seen. it was released approximately 7 years ago. it's whole interface cause scores of curious (as to what crap was being pushed) hacker to madness and reduced strong men to tears (of laughter). it was sold under the adline of 'everyone needs a nice computer'. anyhow, bob had 'password' capability. however, if the wrong password was entered three times, instead of locking the system, bob assumed that the user had forgotten their password and asked if they would like to erase the current one or set a new one. ah, the benefits of a secure ms-system! its kind of scary to think this came from the sick corporation that has the vision of 'windows ce' one day controlling the breaks in our cars.

cry f0ul

[joq]

No one should be surprised about this backdoor left open to the NSA. Has everyone forgotten that the NSA snoops all things transmitted in the entire world?

Or has everyone actually forgotten the other agencies in cahoots with the NSA to provide unsecure data transmissions in every shape form or fashion worldwide?

Everyone can cry foul all they want but the sad reality is there is nothing anyone can do no matter how

hippiesh you think your going to get about the matter.

Hippiesh == reversion back into the 60's type radical fighting for a /dev/null cause

The NSA should not be taken lightly in the Linux community to those who aren't familiar to programming and coding, since anyone can backdoor scripts and bineries to have information mirrored to another destination.

Its a sad crying shame but its part of the worldy balance of good and evil no matter how cheezy it may sound.

What if there were no NSA, or FBI? How chaotic would things be, no matter how you think of it. Things
would be in a sad state worldwide. I in no way agree with the methods, and I highly doubt someone at the NSA would randomly pick someone to "monitor."

So unless you're doing something highly illegal why even bother pissing a bitch and flying off the rocker? While it is unethical it's the NSA... They're bound to snoop things one way or the other so the best way to handle the situation is to go on with life...

Re:cry f0ul

[QuoteMstr]

I suppose we should all be legally obligated to install video cameras about our houses that we can't remove, disable, or reverse-engineer under penalty of death, inform the NSA of all our movments, etc? If you let one freedom slip, the rest do too.

Once and for all - not a back door.

[.pentai.]

Ok, people, get this through your heads.

This is NOT A BACKDOOR.
It's a way of signing/verifying documents.
Don't you people remember having signatures on older .zip files, to guarentee it was from the author of a program? (ala PK Ware).

Does that mean pkzip 4.08g is a backdoor? no.

Re:Once and for all - not a back door.

[QuoteMstr]

No, you fool. This allows anyone (or, prior to the discover of this Hole, the NSA, to replace your security and encryption module with a dummy one that could do anything... even transmitting your password and keys back to the NSA in a transparent form of Key Escrow. It's hole. Oh, and bwt, if pkunzip allowed anyone to unzip any password-protected zip file by using "bob" as the password, THAT would be a hole.

Re:Once and for all - not a back door.

[QuoteMstr]

Oops, forgot a "\" there.

Re:Once and for all - not a back door.

[QuoteMstr]

err, "/"

Re:Once and for all - not a back door.

Has anyone noticed that there's a bill bending in Congress to allow law enforcement agencies to do exactly this?

The proposed law would allow LEAs (with a proper warrant) to break onto the suspect's premises and somehow install software to surrepticiously disable passwords, encryption, etc., providing LE with full, ongoing access to all data and communications.

When I first read about this proposal, it didn't make much sense; wouldn't LE need to break any existing security first, before installing their "backdoored" version?

Now it all makes sense. At least in the case of Windoze, the backdoor is already there, specifically a mechanism that allows anyone to "sigh in" a modified version of whatever security module is desired.

Each event, viewed separately, is disturbing. Together, they're horrifying.

Umm.... it might as well be an NSA key....

[plunge]

Has Microsoft ever heard of a thing called a "warrant?" There's simply no reason why any legal enforcement agency couldn't get access to M$'s key anytime they came up with probable cause and a good enough reason.

Who is right?

[wilkinsm]

From the bulletin:

"The NSA performs the technical review for all US cryptographic export requests. The keys in question are the ones that allow us to ensure compliance with the NSA's technical review. Therefore, they came to known within Microsoft as "the NSA keys", and this name was included in the symbol information for one of the keys. However, Microsoft holds these keys and does not share them with anyone, including the NSA.

From the news article posted above:

"But in an odd-couple sort of joint-partner arrangement, Microsoft and the NSA did work together to build what's called Server Gated Cryptography. Primarily intended to help banks use Web servers to do business internationally, the technology lets a server with a special digital certificate provide 128-bit encryption support to a Web browser outside the U.S."

Need I say more?

Read it here:

[wampus]

http://www.geocitie s.com/ResearchTriangle/Forum/2553/backdoor.htm or http://slashdot.org/comme nts.pl?sid=99/09/05/1030228&cid=55

Re:2.0.32???

[dattaway]

Jeez, get a life. Get at least 2.0.38 please.

No, I got the same page, yet the IIS scripts claim I have 2.0.32, not one of the 2.2 kernels. Why they don't just write a page and post it with a simple link is befond me. They must have a network of scripts to spin every document that comes out of that place.

Its like they are trying to automate thier PR department by scripting. I'm waiting for someone to come up with a Microsoft PR generator page so anyone can create hype with a spin on the fly.

Re:Believable? Nope.

[scrytch]

> very funny microsoft. ever heard of buffer overrun security issues.

Yeah we all know how immune linux is to those.

hello, my name is ted

[miahrogers]

damn it, i knew we should have stuck to typewriters, no way the NSA could track me for using one of those...


"...disaster destroyed the building in which it were kept, all of the previously-signed CSPs would
continue to function normally, because the key used for verification exists in every copy of Windows..."


could be arranged....

-- - ted

char *stupidsig = "this is my dumb sig";

Re:The penguin who cried wolf?.

[flatrbbt]

and I assume it is grossly unfair to make the assumption that MS has a private agenda to protect?

If the key is a backdoor to every Windows machine.

[android]

Then it doesn't matter whether Microsoft gave it to the NSA, since they probably already have it.

make it up as they go along...

[flatrbbt]

First they say "nsakey is just a note to ourselves that the nsa has inspected and approved this version..."

Well this is fine except for the fact that it is a key... people do not make notes on keys. Keys have one and only one purpose, to open locks...

Now they say it is a backup key.
So caught in their first lie, they make up another...

Lets look at this one.

A backup key, different from the first because the original key may be lost in a "natural disaster".

They cant keep the same key in two locations?
2 keys in the same location are more secure than 1 key at two locations? Doesnt the existance of 2 keys reduce the effectiveness of crypto by a factor of 2? So even if they have not releaased the key... It is now MUCH more succeptable to attack.

The only way to accomplish this "backup" is to have a second key that allows replacement of my crypto? without my knowledge?
yeah. right.

Export controls are not affected? How so. I can replace the crypto module, in violation of the laws of MANY countries.

Why has only the "backup" key has its name stripped for all these years?

They are called NSAKEYS becaause of the internal MS refeerence to them? Then why arent they called NSAKEY and NSABAK?

This is very similar to the magic database they were building "without transmitting data to Microsoft Corp". Must be nice to run an o/s thats smart enough to build and manage a database on its own.

They lied about it until they couldnt any longer, then simply stated it was an "oversight".

Once again, we have to determine their truthfulness by checking to see if their lips are moving.

Would you trust MS if there was only 1 key?

[Wiktor+Kochanowski]

Honestly, why does it matter if there are 1 or 2 keys? OK, so MS created another key and gave it to the NSA, then lied about it. How is this situation different than if they created only one key and simply shared it with NSA? And, of course, lied about it?

We don't have the source, so the question boils down to whether we can trust the provider, not how many keys they might make.

Re:Would you trust MS if there was only 1 key?

[QuoteMstr]

Because this is proof - or as close we'll get to it without a suppeona:)

Re:Would you trust MS if there was only 1 key?

[QuoteMstr]

Err, subpoena

How lame...

1) Why not keeping the same key on 2 different locations, instead of having 2 keys on 2 different locations? M$ explanations stinks...

2) Ok, even if you REALLY WANT to have 2 keys instead of one - why you don't say that to your customers? You liars...

3) Since M$ didn't DENY that it is possible to compromise whole crypto subsystem by replacing the 2nd key - I understand that it IS possible to compromise the security of Win* machine(s). Won't M$ try to give us more information? Something sweet, what they usually try to sell us...

4) I'm really tired of that 'NSA conspiracy' - but in the way that people say "NSA can get it anyway...". Hey, NSA *does have* some good people, but there are good people all over this planet. They are just HUMANS, as we all are (well, they might be bit more brainwashed, but the core is still the same). They are not Supermans, they will grab anything they can - so I wouldn't be surprised if they had a small role in all this. If you are the best hacker on this planet, would you ever consider using brute-force in order to get into the system? Bet you would... The same way, NSA would use anything they can. Why have 1 thing, when you can have 2 (or more)?

5) What is next?

Thank you Microsoft! 1 year ago, I had a VERY HARD TIME trying to convince my boss that we should dump all Windows machines out of the company. Today, the boss wants to dump Windows by himself - my help is not needed anymore. I got what I wanted.

Looking at the big picture, we all get more & more paranoid every day, just because of idiots in various '3 letters agencies' that think they are 'above us'. Well, as long as they bleed, sleep and go to the toilet - they are just as ordinary as all the others.

Must be that they've been REALLY heavily brainwashed...

The key word is `share'

[Minix]

Microsoft does not `share' keys with government agencies. Perhaps it `escrows' them with government agencies, though. Perhaps it's even a requirement of them getting NSA approval for the crypto system. Who could argue that escrowing a key with NSA wasn't secure offsite storage?

The nice man at the NSA said he wouldn't read it.

Compromised key?

[TeddyR]

Not to defend MS here; but being "devils advocate":


What I am seeing between the lines here is that what if the REAL reason is that they want a second key so that if the FIRST key is compromised in any way (natural disaster or otherwise), they can use the second key to "revoke" the validity of the first key, and use the second key to install either a new key uncompromised key.. (without distruption to the millions of windows users). In this scenario the second key MUST be different from the first key, and stored elsewhere securly, and ONLY used in the case of the first key being compromised/destroyed...

recent versions of PGP and other cryptographic software also have that ability...

[one wonders if they already did that {replaced the first key}... through several of the MS "required" updates, without the user knowing]

https://www.mav.net/teddyr/syousif/

Re:Compromised key?

[QuoteMstr]

Still, the 1st key would be as valid as the 2nd. If the 1st was used to dynamically install compoents that no longer recognized the 1st key, it woudln't matter until those components were opirational.

BS Alarm Going Off?

[Lally+Singh]

The little bullshit detector in my mind
is ringing like crazy today. Damn they're
shoveling it pretty deep today. The NSA
reviews their system but doesn't have a copy
of the key they review? Pardon me if I've
misunderstood, but how wouldn't they have the
key, exactly? The NSA is known (or at least
well rumoured ;-)) for making large crypto
suppliers put backdoors in the system for them.
MS Admits to having the NSA check over their code
suuuuuuure there isn't a backdoor for them...

And my ass isn't hairy....

-- Lally "Hairy Ass" Singh

--
Insanity Takes Its Toll. Please Have Exact Change

Microsoft Says...

[elsanto]

Microsoft Says Speculation About Security and NSA Is "Inaccurate and Unfounded" http://www.microsoft.com/presspass/press/1999/sept 99/rsapr.htm

Re:Believable? Nope.

[QuMa]

linux hasn't had any buffer overflows in ages...
If you want to talk about daemons, yes, but not linux.

uhm, cant be quit the blind flame-MS kiddiness?

[ntd81]

I'm a bit disappointed to be honest. MS respond to the hotmail attack by saying it wasnt a major problem and y'all (probably rightly) have a go at MS for giving evasive PR crap.

Now they give a fairly detailed explanation that - to me (although I admit to not knowing crypto stuff) - seems to make some sense and be quite believable.

Instantly /. is awash with "LIES FROM MS" posts.

OK, some of the posts I read gave decent, thought out critiques to suggest the statement was fishy. But a whole lot more of them smack of the sadly very-common attitude of some /. people who see the word MS and hit the flame key without taking the time to consider the case on its own merits.

One MS key is more than enough

[drstatgeek]

Wouldn't the first key be more than enough of a hole? Scenario. Be VERY generous, and give M$ the benefit of the doubt (regular programming will resume in a moment ...) that the text of their response is true. This means that M$ has control of what crypto algorithms you can install into Windoze using their API, theoretically those which "comply with the export laws." Doesn't that possibly mean they will only approve those which have a backdoor? Of course, you could (as I would probably do anyway, if I ever had the desire to program a Windoze machine) skip the API entirely.

barking up the wrong tree

[babbage]

why should anyone be worried about *back* doors when the *front* door is wide open? i can't see why a compromise in the security of the backend would be such a big deal when the security of the front end is for all purposes nonexistent.

maybe that's just me though

Hardware keys are different

[coyote-san]

*IF* Microsoft has half a clue, they're using a *hardware* encryption key to sign their most critical information. These are devices that require physical keys to operate, and they are designed so that they won't reveal their private keys. (Some allow "cloning" another hardware device, others do not.) In practice, these are items that are kept in your deepest vault and used to sign the software keys that you use for routine signing.

Assuming MS uses one of the latter, having a "hot spare" might make sense...

... except, as the BUGTRAQ article notes, Microsoft's explanation still makes absolutely no sense. There's no apparent key hierarchy (isn't the crypto key signed by a master MS key?), there's no apparent rollover mechanism, and there's the insane assumption that there can only be one major physical disaster befall Microsoft. That's crazy; during the World Trade Center bombing at least one company had lost both primary and backup sites!

Ironically, I find this makes MS's story seem *more* likely. The corporate culture is notorious for its "performance is not my problem; computers will be faster next month" mentality, and this ill-informed, brute force way of dealing with the subtle issues of key management matchs that culture!

seems to me they admit it

[jetson123]

Microsoft seems to admit that there is a backup key and furthermore that a backup key needs to exist to "ensure compliance with the NSA's technical review". It seems to me pretty academic to argue whether they have already shared that "backup key" with anyone.

But I'd ask the more general question: why does this surprise anyone? NT is not an open source product. It would be easy for any developer on the project to slip in a backdoor. Based on experience with other large software systems, I'd expect there to be dozens of backdoors in NT system and applications software. I wouldn't trust NT security further than I can throw a year's worth of MSDN CD's and documentation.