Slashdot Mirror


MS response to NSA key backdoor in Windows

CitizenC writes "Microsoft has responded to the report of the allegations of leaving a backdoor in all of its products for the NSA."

11 of 344 comments

  1. Very interesting by wampus · · Score: 3

    The following is a cut-n-paste of MS's response

    ---
    Microsoft VBScript runtime error '800a000d'

    Type mismatch: 'CInt'

    /security/inc/scripts.txt, line 279
    ---

    I don't know how anyone could argue with THAT.

  2. Re:Problems in M$ statement by Zico · · Score: 3

    You need a backup (and I believe that the NSA requires it by law) so that if the first key ("key #1") needs to be revoked, you use the backup key to verify the new "key #1" that you receive.

    Frankly, I'm seeing a lot of paranoid posts in this thread without a lot of thinking being done. If Microsoft wanted the NSA to have a backdoor, they could just give them a copy of their own private key -- they wouldn't need to write a special new one.

    To put a compromised key on someone's system, you need to get administrator/root access. If someone gets administrator/root access on your box, they could do anything they damn well wanted to anyway, so what's the big deal?

    Cheers,
    ZicoKnows@hotmail.com

  3. Problems in M$ statement by Cironian · · Score: 3

    a) They claim there is a second key so it can be stored at a different physical location for disaster recovery. Why not just make a copy of key #1 for that?

    b) If the 'NSAKEY' was really harmless, why did they in previous version remove the symbol for it (but not for the other key)?

  4. I don't buy it by QuoteMstr · · Score: 3

    The "we had to create a backup" approach works with a physical, tangible object, but with something as easily copied as a set of bytes, there is no excuse to create a second key. The first key could have been copied as many times as the first and second keys combined.

    P.S. It's draconian for the NSA to limit what you could insert into an existing cryptography framework... even if that module is developed outside of the US! Pathetic.

    P.S.S. I would have named such a key "Checkkey", "BackupKey", or something similar. NSAKey is simply too suggestive to even risk putting into a piece of code.

  5. Threshold problem & key backups by coyote-san · · Score: 3

    Something just occurred to me. Regardless of whether MS uses hardware or software encryption, it's possible to use the threshold problem to break a secret into multiple N pieces where any M are sufficient to reconstruct the key, but M-1 are not. (Not all hardware signers have this ability, but IIRC some do and it's a prudent precaution.)

    That means that MS could take their primary key, apply a (7,4) algorithm on it, then put the pieces in a safe deposit box in Seattle, New York, LA, Boston, Atlanta, Denver, and Calgary. Any four pieces are enough to reconstruct their private key.

    If four of those keys are unavailable at the same time, then Microsoft losing its private key will be among the least of our problems. No pair of cities, except Boston & NY, are within 1000 miles of the others so only an "extinction level event" would take them all out at the same time.

    Conclusion: MS is blowing smoke. Either they're totally incompetent, they're lying, or they have a profound breakdown in internal communications. (The same options apply to the "advanced web programming" (HTML forms) comment regarding the hotmail fiasco.)

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
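
The (7,4) threshold split described in the comment above, as an added example that is not part of the original post: Shamir secret sharing over a prime field, with one share per city. The field prime, the function names and the random 256-bit stand-in for a private key are assumptions chosen for illustration.

```python
import secrets

PRIME = 2**521 - 1  # Mersenne prime; the field must be larger than the secret

def split(secret, n, k):
    """Return n shares (x, f(x)); any k of them recover the secret."""
    if not (1 <= k <= n < PRIME and 0 <= secret < PRIME):
        raise ValueError("need 1 <= k <= n and 0 <= secret < PRIME")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def combine(shares):
    """Lagrange-interpolate f(0) from the shares supplied.

    With fewer than k shares this still returns a number, just not the
    secret, so a real deployment also keeps a check value for the key.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

CITIES = ["Seattle", "New York", "LA", "Boston", "Atlanta", "Denver", "Calgary"]

def demo():
    key = secrets.randbits(256)  # constructed stand-in for a private key
    vault = dict(zip(CITIES, split(key, n=7, k=4)))
    four = [vault[c] for c in ("Seattle", "Boston", "Denver", "Calgary")]
    return key, combine(four), combine(four[:3])

if __name__ == "__main__":
    key, from_four, from_three = demo()
    print("4 shares recover key:", from_four == key)
    print("3 shares recover key:", from_three == key)
```
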
  6. Another proof for that by platypus · · Score: 3

    This is an excerpt from a summary of the internet auditing project.
    Friday, our Japanese participants discover that a computer on their company network has been cracked into, one very secure Linux box running only SSH and Apache 1.3.4. Now this would definitely send a chill up your spine if you knew just how fanatic our friends are when it comes to network security. Furthermore, they only detected the intrusion three days after the fact, which is unbelievable when you consider the insane monitoring levels they've been keeping since they agreed to participate in the scan. They would have noticed any funny stuff, and in fact, they did, lots of it, but none of which came close enough to a security breach to raise any alarms.
    [..]
    The attacker knows the employee's username and password and is even connecting through the employee's Japanese ISP on the employee's account! (the phone company identified this was an untraceable overseas caller)

    This information could not have been sniffed, since network services are only provided over encrypted SSH sessions.

    Further investigation shows that this employee's personal NT box, connected over a dynamic dialup connection, had been cracked into 4 days earlier.
    [..]
    How the NT box was cracked into in the first place is still a mystery. The logs weren't helpful (surprise! surprise!) and the only way we were even able to confirm this had happened was by putting a sniff on the NT's traffic (following a hunch) and catching those sneaky packets redhanded, transmitting our SSH identification down under.

    Hmmm...

  7. They just won't admit it... by TedC · · Score: 3

    ...but NSA really stands for "NT Sucks Already".

    I guess their explanation could be true, but I would still feel a bit nervous about using Windows after reading this. Fortunately this issue doesn't concern me. :-)

    TedC

  8. Backup key? Yeah, right! by ptomblin · · Score: 3

    Can somebody explain to me why the primary key couldn't be stored in more than one place? Cryptographically, having one key stored in two places is no less secure than having two keys, each stored in one place.

    Hands up everybody who believes Microsoft's explanation? Nobody? No, I didn't think so.

    --
    The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!

  9. Text of Microsoft's response by gleam · · Score: 3

    Microsoft Security Bulletin

    There is no "Back Door" in Windows
    Originally Posted: September 03, 1999

    Summary
    A report alleges that Microsoft "may have installed a 'back door' for the National Security Agency... making it orders of magnitude easier for the US government to access their computers". This allegation is false.

    What's the allegation?
    The report alleges that a cryptographic key that ships as part of the CryptoAPI architecture is labeled "NSA key" and constitutes a "back door" that could be used by government agencies to start or stop system security services on users' computers.

    Is the allegation true?
    No. Microsoft does not leave "back doors" in our products. This is in keeping with our historical stance on this issue. For instance, we have opposed the various key escrow proposals that have been suggested by the government, because we don't believe they are in the best interests of consumers or the industry.

    Are there two keys?
    Yes. However, both are Microsoft keys. We do not share them with any third party, including the National Security Agency or any other government agency.

    What's CryptoAPI?
    CryptoAPI is a Microsoft technology for providing cryptographic services. Vendors can develop stand-alone cryptographic modules called Cryptographic Service Providers (CSPs), which can then be called by any program via the CryptoAPI interface. For more information on CryptoAPI, see http://www.microsoft.com/security/tech/cryptoapi/default.asp.

    What are the keys in question?
    The keys are used to verify the digital signatures on CSPs.

    Why do CSPs have to be signed? And why by Microsoft?
    CryptoAPI is subject to US export laws regarding cryptography. One element of this requires Microsoft to ensure that CryptoAPI will only load CSPs that meet US cryptographic export laws. This is done by digitally signing all CSPs. Before it loads a CSP, CryptoAPI verifies that the CSP has been digitally signed. Part of Microsoft's responsibility as the vendor for CryptoAPI is to sign the CSPs.

    When a vendor has a new CSP that they want to release, they submit it for signing and show that all export licensing has been received. Microsoft then digitally signs the CSP, and it can thereafter be used by CryptoAPI.

    Why are there two keys?
    There is a primary and a backup key.

    Why is a backup key needed?
    The backup key is needed for disaster recovery. To see why, suppose we had only one signing key. If a natural disaster destroyed the building in which it were kept, all of the previously-signed CSPs would continue to function normally, because the key used for verification exists in every copy of Windows. However, Microsoft would need to sign future CSPs using a new key. In order for these CSPs to be verified, matching key material would need to be provided to all of the millions of customers using Windows 95, 98 and Windows NT. Clearly, this would be a massive undertaking.

    This is why there are two keys. If something befell the primary key, Microsoft could thereafter sign CSPs using the backup key. Because the backup is already in every copy of Windows, there would be no disruption to customers.

    Why is the backup key labeled "NSA key"?
    This is simply an unfortunate name. The NSA performs the technical review for all US cryptographic export requests. The keys in question are the ones that allow us to ensure compliance with the NSA's technical review. Therefore, they came to be known within Microsoft as "the NSA keys", and this name was included in the symbol information for one of the keys. However, Microsoft holds these keys and does not share them with anyone, including the NSA.

    I heard that there is a third key in Windows 2000. Is this true?
    There is a third key present in the beta versions of Windows 2000, but it does not provide a "back door". It is simply a test key that allows the developers to sign test CSPs while Windows 2000 is under development. It will not be present in the production version of Windows 2000.

    Does this have any effect on CryptoAPI's compliance with US export law?
    No. The CryptoAPI architecture is fully compliant with US export law.

    Revisions
    September 03, 1999: Bulletin Created.

    --------------------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

    © 1999 Microsoft Corporation. All rights reserved.

    --
    this .sig is not a .sig.
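
The two-key check the bulletin describes, as an added example that is not Microsoft's code or part of the post above: a loader accepts a module if either embedded public key verifies its signature. The key names, `load_csp`, and the toy textbook RSA (fixed Mersenne primes, no padding) are assumptions made so the block runs with only the standard library.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Return (n, d) for a toy RSA key built from the primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(module, n):
    """SHA-256 of the module, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(module).digest(), "big") % n

def sign(module, n, d):
    """Vendor side: sign the module digest with the private exponent."""
    return pow(digest(module, n), d, n)

# Constructed keys; hypothetical stand-ins for the keys in the bulletin.
PRIMARY = make_key(2**61 - 1, 2**89 - 1)
BACKUP = make_key(2**107 - 1, 2**127 - 1)
NEW_KEY = make_key(2**521 - 1, 2**607 - 1)  # made after a loss, never shipped

# What every installed copy carries: the public moduli only.
EMBEDDED = {"primary": PRIMARY[0], "backup": BACKUP[0]}

def load_csp(module, signature):
    """Return the name of the embedded key that verifies the module, else None."""
    for name, n in EMBEDDED.items():
        if 0 <= signature < n and pow(signature, E, n) == digest(module, n):
            return name
    return None

if __name__ == "__main__":
    csp = b"constructed CSP image"
    for label, key in (("primary", PRIMARY), ("backup", BACKUP), ("new", NEW_KEY)):
        print(label, "->", load_csp(csp, sign(csp, *key)))
```

A module signed with the backup key loads with no change on the client, while one signed with a key generated later does not. The same check means the holder of either private key can produce a module that loads.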
  10. Re:2.0.32??? by dattaway · · Score: 3

    Jeez, get a life. Get at least 2.0.38 please.

    No, I got the same page, yet the IIS scripts claim I have 2.0.32, not one of the 2.2 kernels. Why they don't just write a page and post it with a simple link is beyond me. They must have a network of scripts to spin every document that comes out of that place.

    It's like they are trying to automate their PR department by scripting. I'm waiting for someone to come up with a Microsoft PR generator page so anyone can create hype with a spin on the fly.

  11. Hardware keys are different by coyote-san · · Score: 3

    *IF* Microsoft has half a clue, they're using a *hardware* encryption key to sign their most critical information. These are devices that require physical keys to operate, and they are designed so that they won't reveal their private keys. (Some allow "cloning" another hardware device, others do not.) In practice, these are items that are kept in your deepest vault and used to sign the software keys that you use for routine signing.

    Assuming MS uses one of the latter, having a "hot spare" might make sense...

    ... except, as the BUGTRAQ article notes, Microsoft's explanation still makes absolutely no sense. There's no apparent key hierarchy (isn't the crypto key signed by a master MS key?), there's no apparent rollover mechanism, and there's the insane assumption that there can only be one major physical disaster befall Microsoft. That's crazy; during the World Trade Center bombing at least one company had lost both primary and backup sites!

    Ironically, I find this makes MS's story seem *more* likely. The corporate culture is notorious for its "performance is not my problem; computers will be faster next month" mentality, and this ill-informed, brute force way of dealing with the subtle issues of key management matches that culture!

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken