Slashdot Mirror
MS response to NSA key backdoor in Windows
CitizenC writes "Microsoft has responded to the report of the allegations of leaving a backdoor in all of its products for the NSA. "
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
Either their explaination is a lie or they're dumber than I thought. Think about it...
If you're worried that you might loose your car keys, do you install a special lock and have two different keys, or do you just have a duplicate key made?
Considering that it's easy to just hexedit a new key in, that makes little sense. Besides that, you couldn't effectively revoke the old key since a great deal of crypto modules would depend on it, and the users would likely just ignore the 'upgrade'
If each backup of the key is in eight pieces and in eight different places, there is a backup but stealing the backup is much more difficult. Proper procedures would involve a variety of protections, such as banks with no corporate relationships, vaults of different types, and differing attack types required. For example, a key piece inside a clear jar embedded in plastic hanging from the ceiling of the lobby of Microsoft headquarters would require a different theft method than the key pieces in safety deposit boxes, or the key piece tattooed on a director.
A key can be backed up in ways which make it difficult to reassemble, but the key can still be secure while it is backed up. Particularly if the backups were also encrypted so a piece is even less useful...and the key for the backups does not need as much security as the backups themselves so one does not have to repeat this process ad infinitum.
The following is a cut-n-paste of MS's response
---
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'CInt'
/security/inc/scripts.txt, line 279
---
I don't know how anyone could argue with THAT.
You need a backup (and I believe that the NSA requires it by law) so that if the first key ("key #1") needs to be revoked, you use the backup key to verify the new "key #1" that you receive.
Frankly, I'm seeing a lot of paranoid posts in this thread without a lot of thinking being done. If Microsoft wanted the NSA to have a backdoor, they could just give them a copy of their own private key -- they wouldn't need to write a special new one.
To put a compromised key on someone's system, you need to get administrator/root access. If someone gets administrator/root access on your box, they could do anything they damn well wanted to anyway, so what's the big deal?
Cheers,
ZicoKnows@hotmail.com
a) They claim there is a second key so it can be stored at a different physical location for disaster recovery. Why not just make a copy of key #1 for that?
b) If the 'NSAKEY' was really harmless, why did they in previous version remove the symbol for it (but not for the other key)?
The "we had to create a backup" approach works with a physical, tangible object, but with something as easily copies as a set of bytes, there is no excuse to create a second key. The first key could have been copied as many times as the first and second keys combined.
P.S. It's draconian for the NSA to limit what you could insert into an existing cryptogroaphy framework... even if that module is developed outside of the US! Pathetic.
P.S.S. I would have named such a key "Checkkey", "BackupKey", or something similar. NSAKey is simply too suggestive to even risk putting into a piece of code.
Hey Microsoft, there's one way you can prevent any further accusations, show us the source! If you have nothing to hide then fork up the source to your accusers and say "check it pal, no back door" or are you afraid of what they might find?
How we know is more important than what we know.
If MS used only one key, it would be impossible to change it when it was compromised, but with two, you could use one to change the other.
But as the press release pointed out, it is possable for anyone to change the key now. They gained nothing from two keys, but they enabled the installation of any unapproved crypto. All the installer needs to do is quietly patch over the second key. If there were only one key, it would be much harder.
Of course there is the maxim: "Never attribute to malice what can be explained by stupidity". In the case of MS and US govt. I can certainly buy the stupidity arguement.
Something just occured to me. Regardless of whether MS uses hardware or software encryption, it's possible to use the threshold problem to break a secret into multiple N pieces where any M are sufficient to reconstruct the key, but M-1 are not. (Not all hardware signers have this ability, but IIRC some do and it's a prudent precaution.)
That means that MS could take their primary key, apply a (7,4) algorithm on it, then put the pieces in a safe deposit box in Seattle, New York, LA, Boston, Atlanta, Denver, and Calgary. Any four pieces are enough to reconstruct their private key.
If four of those keys are unavailable at the same time, then Microsoft losing its private key will be among the least of our problems. No pair of cities, except Boston & NY, are within 1000 miles of the others so only an "extinction level event" would take them all out at the same time.
Conclusion: MS is blowing smoke. Either they're totally incompetent, they're lying, or they have a profound breakdown in internal communications. (The same options apply to the "advanced web programming" (HTML forms) comment regarding the hotmail fiasco.)
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
This is an excerpt from a summa ry of the internet auditing project.
Friday, our Japanese participants discover that a computer on their company network has been cracked into, one very secure Linux box running only SSH and Apache 1.3.4. Now this would definitely send a chill up your spine if you knew just how fanatic our friends are when it comes to network security. Furthermore, they only detected the intrusion three days after the fact, which is unbelievable when you consider the insane monitoring levels they've been keeping since they agreed to participate in the scan. They would have noticed any funny stuff, and in fact, they did, lots of it, but none of which came close enough to a security breach to raise any alarms.
[..]
The attacker knows the employee's username and password and is even connecting through the employee's Japanese ISP on the employee's account! (the phone company identified this was an untraceable overseas caller)
This information could not have been sniffed, since network services are only provided over encrypted SSH sessions.
Further investigation shows that this employee's personal NT box, connected over a dynamic dailup connection, had been cracked into 4 days earlier.
[..]
How the NT box was cracked into in the first place is still a mystery. The logs weren't helpful (surprise! surprise!) and the only way we were even able to confirm this had happened was by putting a sniff on the NT's traffic (following a hunch) and catching those sneaky packets redhanded, transmitting our SSH identification down under.
Hmmm...
I guess their explaination could be true, but I would still feel a bit nervous about using Windows after reading this. Fortunately this issue doesn't concern me. :-)
TedC
Can somebody explain to me why the primary key couldn't be stored in more than one place? Crytographically, having one key stored in two places is no less secure than having two keys, each stored in one place.
Hands up everybody who believes Microsoft's explanation? Nobody? No, I didn't think so.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
Of course, there IS no way to determine if they're telling the truth or not... :)
Well sure there is, if we could reverse engineer it back to source code, put out own key in it, recompile, then try to break in using that key. Only problem is the legallity of such an action, not the mention the difficulty in successfully recompling it. It would still be arguable either way afterwards.
The original article made no sense to me. This was an attempt by the overreactive anti-Microsoft community to bring out yet another security flaw. Not that there aren't plenty already. The original article needed much more substantiation before it was brought to the press.
:)
Frankly, I mistrust the freely available download to patch the bug more than I mistrust Microsoft's response. What a great way to fool people into downloading a virus: Call it patch!
Ofcourse it is true: MS does have a back door in Windows, it's called "ActiveX" or "Microsoft Office"
Don't believe anything that Gates says.
Of course they've left a backdoor open for the government; it's all part of their negotiations with the DOJ: They've been given the green light to secure a monopoly so long as the government is allowed to access each and every computer that has installed Windows.
It's so painfully obvious that it pisses me off when people try to refute it. The government is *counting* on your passivity!
My only gripe is why the software I have to have to use Linux has buffer overflows at all. In particular, why doesn't Red Hat examine the code before a new release, rather than signing me up for a "b.o. fix of the week club" for several months after the release.
It's not like buffer overflows are a new thing in the world. Couldn't all the standard components that ship with Linux be audited and fixed once, and stay fixed thereafter?
Sheesh, evil *and* a jerk. -- Jade
What I can say about it is that, for higher security, you don't usually make copies of the private key, even if possible. I won't enter the details of it, but put simply: how much would you trust a key that you can make copies of?
More to it: in high end security solutions the key is held in hardware, be it a smartcard or a more complex CA card or box. This pieces of hardware are initialized and they keep the key in such a way that is, virtually, impossible to copy out of it.
The bugger being: you loose the card, you loose the key. I even understand the double key, giving them a backup plan in case the first key is lost, and I see nothing wrong with it.
There is a problem in all this, and Microsoft didn't answer that bit, the most important bit of the issue: if it's so easy to change one of the trusted keys, as the original article showed, how can we trust the crypto units "certified" by Microsoft?
An scenario could be the following: Eve wants to see what's going on between Bill and Laura, ships to them bot a piece of software "signed by Microsoft", this piece of software, during the installation, changes the backup key to a key known by Eve, and installs the evil CAPI that makes a copy of all the communication going on between Bill and Laura, encrypts it with the public key of EVE and sends it to her.
Do you see the hole?
A smile,
Fabio
It is me, none else but me. And who would you be?
> Even if this were a real issue no one would believe it.
I would have said, "Even if MS is telling the truth (for a change), no one would believe it."
> People (mostly the Linux community) have cried wolf way to many times.
Heh. MS cries "wolf" regularly in the form of vaporware announcements, and a few people still seem to believe them.
> At this point everyone just assumes you are lying in order to promote your agenda.
I'm not so sure the story started among Linux advocates, and I know Linux advocates aren't the only ones raising the alarm.
And besides, what kind of agenda are we supposed to expect from Microsoft? They'd give use the same denial whether they were guilty or not. Their disclaimer proves nothing. Being utterly predictable, it was information-free.
If they do happen to be in the right (for a change), it would be no more than poetic justice to have them suffer a customer revolt based on misinformation. What goes around comes around, and all that.
Sheesh, evil *and* a jerk. -- Jade
Buffer Overflows are a result of a lack of bounds checking. This is a logic error. Logic errors are the one hardest error to detect in programming. The reason there are so many buffer overflows are because when you program, you dont necessarily take into account that there is one million ways someone could try to create a security hole with your code. You could audit software once, but it's not going to stay secure, because with updates comes more holes. And that's why companies like redhat keep releasing updates. Software gets updated periodically, and with that comes new holes to be found. If distributions were to check all the code pre-release rather than relying on the author(s), they would all be released with considerably dated software. Unfortunately, its a way of life.
Microsoft Security Bulletin
d efault.asp.
- --------------------------------
There is no "Back Door" in Windows
Originally Posted: September 03, 1999
Summary
A report alleges that Microsoft "may have installed a 'back door' for the National Security Agency... making it orders of magnitude easier for the US government to access their computers". This allegation is false.
What's the allegation?
The report alleges that a cryptographic key that ships as part of the CryptoAPI architecture is labeled "NSA key" and constitutes a "back door" that could be used by government agencies to start or stop system security services on user's computers.
Is the allegation true?
No. Microsoft does not leave "back doors" in our products. This is in keeping with our historical stance on this issue. For instance, we have opposed the various key escrow proposals that have been suggested by the government, because we because we don't believe they are in the best interests of consumers or the industry.
Are there two keys?
Yes. However, both are Microsoft keys. We do not share them with any third party, including the National Security Agency or any other government agency.
What's CryptoAPI?
CryptoAPI is a Microsoft technology for providing cryptographic services. Vendors can develop stand-alone cryptographic modules called Cryptographic Service Providers (CSPs), which can then be called by any program via the CryptoAPI interface. For more information on CryptoAPI, see http://www.microsoft.com/security/tech/cryptoapi/
What are the keys in question?
The keys are used to verify the digital signatures on CSPs.
Why do CSPs have to be signed? And why by Microsoft?
CryptoAPI is subject US export laws regarding cryptography. One element of this requires Microsoft to ensure that CryptoAPI will only load CSPs that meet US cryptographic export laws. This is done by digitally signing all CSPs. Before it loads a CSP, CryptoAPI verifies that the CSP has been digitally signed. Part of Microsoft's responsibility as the vendor for CryptoAPI is to sign the CSPs.
When a vendor has a new CSP that they want to release, they submit it for signing and show that all export licensing has been received. Microsoft then digitally signs the CSP, and it can thereafter be used by CryptoAPI.
Why are there two keys?
There is a primary and a backup key.
Why is a backup key needed?
The backup key is needed for disaster recovery. To see why, suppose we had only one signing key. If a natural disaster destroyed the building in which it were kept, all of the previously-signed CSPs would continue to function normally, because the key used for verification exists in every copy of Windows. However, Microsoft would need to sign future CSPs using a new key. In order for these CSPs to be verified, matching key material would need to be provided to all of the millions of customers using Windows 95, 98 and Windows NT. Clearly, this would be a massive undertaking.
This is why there are two keys. If something befell the primary key, Microsoft could thereafter sign CSPs using the backup key. Because the backup is already in every copy of Windows, there would be no disruption to customers.
Why the backup key labeled "NSA key"?
This is simply an unfortunate name. The NSA performs the technical review for all US cryptographic export requests. The keys in question are the ones that allow us to ensure compliance with the NSA's technical review. Therefore, they came to known within Microsoft as "the NSA keys", and this name was included in the symbol information for one of the keys. However, Microsoft holds these keys and does not share them with anyone, including the NSA.
I heard that there is a third key in Windows 2000. Is this true?
There is a third key present in the beta versions of Windows 2000, but it does not provide a "back door". It is simply a test key that allows the developers to sign test CSPs while Windows 2000 is under development. It will not be present in the production version of Windows 2000.
Does this have any effect on CryptoAPI's compliance with US export law?
No. The CryptoAPI architecture is fully compliant with US export law.
Revisions September 03, 1999: Bulletin Created.
-----------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
© 1999 Microsoft Corporation. All rights reserved.
this
now, how could anyone refuse?
incidentally, this has accidentally been through both a mac and a linux box since leaving ms, and is therefore highly offensive to every single person who reads /. Handle with care.
Microsoft Security BulletinThere is no "Back Door" in Windows
Originally Posted: September 03, 1999
Summary
A report alleges that Microsoft "may have installed a 'back door' for the National Security Agency... making it orders of magnitude easier for the US government to access their computers". This allegation is false.
What's the allegation?
The report alleges that a cryptographic key that ships as part of the CryptoAPI architecture is labeled "NSA key" and constitutes a "back door" that could be used by government agencies to start or stop system security services on user's computers.
Is the allegation true?
No. Microsoft does not leave "back doors" in our products. This is in keeping with our historical stance on this issue. For instance, we have opposed the various key escrow proposals that have been suggested by the government, because we because we don't believe they are in the best interests of consumers or the industry.
Are there two keys?
Yes. However, both are Microsoft keys. We do not share them with any third party, including the National Security Agency or any other government agency.
What's CryptoAPI?
CryptoAPI is a Microsoft technology for providing cryptographic services. Vendors can develop stand-alone cryptographic modules called Cryptographic Service Providers (CSPs), which can then be called by any program via the CryptoAPI interface. For more information on CryptoAPI, see http://www.microsof t.com/security/tech/cryptoapi/default.asp .
What are the keys in question?
The keys are used to verify the digital signatures on CSPs.
Why do CSPs have to be signed? And why by Microsoft?
CryptoAPI is subject US export laws regarding cryptography. One element of this requires Microsoft to ensure that CryptoAPI will only load CSPs that meet US cryptographic export laws. This is done by digitally signing all CSPs. Before it loads a CSP, CryptoAPI verifies that the CSP has been digitally signed. Part of Microsoft's responsibility as the vendor for CryptoAPI is to sign the CSPs.
When a vendor has a new CSP that they want to release, they submit it for signing and show that all export licensing has been received. Microsoft then digitally signs the CSP, and it can thereafter be used by CryptoAPI.
Why are there two keys?
There is a primary and a backup key.
Why is a backup key needed?
The backup key is needed for disaster recovery. To see why, suppose we had only one signing key. If a natural disaster destroyed the building in which it were kept, all of the previously-signed CSPs would continue to function normally, because the key used for verification exists in every copy of Windows. However, Microsoft would need to sign future CSPs using a new key. In order for these CSPs to be verified, matching key material would need to be provided to all of the millions of customers using Windows95, 98 and WindowsNT. Clearly, this would be a massive undertaking.
This is why there are two keys. If something befell the primary key, Microsoft could thereafter sign CSPs using the backup key. Because the backup is already in every copy of Windows, there would be no disruption to customers.
Why the backup key labeled "NSA key"?
This is simply an unfortunate name. The NSA performs the technical review for all US cryptographic export requests. The keys in question are the ones that allow us to ensure compliance with the NSA's technical review. Therefore, they came to known within Microsoft as "the NSA keys", and this name was included in the symbol information for one of the keys. However, Microsoft holds these keys and does not share them with anyone, including the NSA.
I heard that there is a third key in Windows2000. Is this true?
There is a third key present in the beta versions of Windows2000, but it does not provide a "back door". It is simply a test key that allows the developers to sign test CSPs while Windows2000 is under development. It will not be present in the production version of Windows2000.
Does this have any effect on CryptoAPI's compliance with US export law?
No. The CryptoAPI architecture is fully compliant with US export law.
Jeez, get a life. Get at least 2.0.38 please.
No, I got the same page, yet the IIS scripts claim I have 2.0.32, not one of the 2.2 kernels. Why they don't just write a page and post it with a simple link is befond me. They must have a network of scripts to spin every document that comes out of that place.
Its like they are trying to automate thier PR department by scripting. I'm waiting for someone to come up with a Microsoft PR generator page so anyone can create hype with a spin on the fly.
> very funny microsoft. ever heard of buffer overrun security issues.
Yeah we all know how immune linux is to those.
I've finally had it: until slashdot gets article moderation, I am not coming back.
No, you fool. This allows anyone (or, prior to the discover of this Hole, the NSA, to replace your security and encryption module with a dummy one that could do anything... even transmitting your password and keys back to the NSA in a transparent form of Key Escrow. It's hole. Oh, and bwt, if pkunzip allowed anyone to unzip any password-protected zip file by using "bob" as the password, THAT would be a hole.
The proposed law would allow LEAs (with a proper warrant) to break onto the suspect's premises and somehow install software to surrepticiously disable passwords, encryption, etc., providing LE with full, ongoing access to all data and communications.
When I first read about this proposal, it didn't make much sense; wouldn't LE need to break any existing security first, before installing their "backdoored" version?
Now it all makes sense. At least in the case of Windoze, the backdoor is already there, specifically a mechanism that allows anyone to "sigh in" a modified version of whatever security module is desired.
Each event, viewed separately, is disturbing. Together, they're horrifying.
I'm a bit disappointed to be honest. MS respond to the hotmail attack by saying it wasnt a major problem and y'all (probably rightly) have a go at MS for giving evasive PR crap.
/. is awash with "LIES FROM MS" posts.
/. people who see the word MS and hit the flame key without taking the time to consider the case on its own merits.
Now they give a fairly detailed explanation that - to me (although I admit to not knowing crypto stuff) - seems to make some sense and be quite believable.
Instantly
OK, some of the posts I read gave decent, thought out critiques to suggest the statement was fishy. But a whole lot more of them smack of the sadly very-common attitude of some
*IF* Microsoft has half a clue, they're using a *hardware* encryption key to sign their most critical information. These are devices that require physical keys to operate, and they are designed so that they won't reveal their private keys. (Some allow "cloning" another hardware device, others do not.) In practice, these are items that are kept in your deepest vault and used to sign the software keys that you use for routine signing.
Assuming MS uses one of the latter, having a "hot spare" might make sense...
... except, as the BUGTRAQ article notes, Microsoft's explanation still makes absolutely no sense. There's no apparent key hierarchy (isn't the crypto key signed by a master MS key?), there's no apparent rollover mechanism, and there's the insane assumption that there can only be one major physical disaster befall Microsoft. That's crazy; during the World Trade Center bombing at least one company had lost both primary and backup sites!
Ironically, I find this makes MS's story seem *more* likely. The corporate culture is notorious for its "performance is not my problem; computers will be faster next month" mentality, and this ill-informed, brute force way of dealing with the subtle issues of key management matchs that culture!
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
But I'd ask the more general question: why does this surprise anyone? NT is not an open source product. It would be easy for any developer on the project to slip in a backdoor. Based on experience with other large software systems, I'd expect there to be dozens of backdoors in NT system and applications software. I wouldn't trust NT security further than I can throw a year's worth of MSDN CD's and documentation.