Slashdot Mirror


Microsoft NSA key Follow-Up

Signal 11 writes "Bruce Schneier at Counterpane has some interesting comments about the so-called NSA key embedded into all current versions of Windows." If you missed the fireworks, read the first story or Microsoft's response.

36 of 163 comments

  1. THINK! by nano-second · · Score: 3

    Yes, it seems that the NAME of a key is a bit weak evidence to use.

    However, I think people began to have more fun with the "government has evil plans" conspiracy theories and they lost track of the real topic. So far, there seems to be no *real* evidence of anything, either way, at all.

    The real lesson should _not_ be "be afraid of MS and the NSA", it should be "THINK about what you are reading and get more information".
    If you don't, you will be one of the unsuspecting masses who will get blinded by propaganda.

    --
    I hope you're not pretending to be evil while secretly being good. That would be dishonest.
  2. Absolutely, and here is what it would look like! by tilly · · Score: 2

    A buffer overflow.

    A buffer overflow that they know about, that is not publicized and is not getting fixed.

    In fact this is absolutely indistinguishable from an honest mistake of a sort that is so common that nobody would think twice. But still it allows any access that they want.


    Now all of that said, there is more. Remember a long time ago that Bruce Perens came out with warning that a proprietary company could submit a patch with a backdoor which they could then exploit later against OSS? Remember how he got flamed over it? People were saying, "What are they going to do? If they put in an if condition, anyone can see it and remove it. They would never do that!"

    Um, not quite. They could do it by putting a buffer overflow in a known place. It looks just like an honest mistake, there are lots more just like it scattered through plenty of OSS projects. If caught it is a minor oops, not even a hint of suspicion.


    The moral is that as long as buffer overflows are accepted and common, backdoors for those we don't want to have them will be easy to come by.

    Cheers,
    Ben

    --
    My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
  3. You made the laws, now enforce them! by Greyfox · · Score: 4
    Microsoft or the MUTT team or Phil Zimmermann, exporting a crypto API is exporting a crypto API and illegal under the current US crypto laws. Since Microsoft is breaking those very clear laws by shipping NT with a replaceable key, every single one of us should demand that the US Commerce Department pursue this case with exactly the same level of zeal with which they pursued Phil Zimmermann. Why haven't they already stopped all shipments of NT out of the country? Certainly if Phil was shipping PGP out of Redmond, the men in black would have already stormed his office and confiscated all his computer equipment.

    Or are we proving once more that if you have enough money, you're above the law?

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  4. Re:The following 4 questions are still not answere by Anonymous Coward · · Score: 2

    To answer question 1: Just about anyone has access to ALL of the NT Source. You should have seen the server(s) get slammed when this came out: everyone looked for it themselves.

  5. Re:The following 4 questions are still not answere by William+Tanksley · · Score: 2

    #1 is correct, and I'm sure it's the main reason.

    #2 is incorrect -- all symbols were stripped, both _KEY and _NSAKEY. Symbol stripping is standard on executable releases; it reduces bulk and helps keep dirty names out of releases.

    #3 is amusing -- you use the phrase "so many smarter things to do" and "Microsoft" in the same sentence. Face it, Microsoft has always been stupid. And getting bigger doesn't help -- the IQ of a group is equal to the minimum of the IQs of its members, divided by the size of the group (as a Debian user, I'm unhappy about that rule :).

    #4 is just SO wrong it's not funny. Most every OS vendor, and many other software and hardware vendors, have deals to ship this stuff.

    -Billy

  6. It's (not) the NSA, stupid by el+bastardo · · Score: 3

    I have to agree with Bruce's (and quite a few /. readers') take on this. If the NSA really did put a back door into Windows, they'd make damn sure no one could find it. Ever. That's why they're called "spooks".

    Besides, with Echelon, they don't even need the back door......

    1. Re:It's (not) the NSA, stupid by mwood · · Score: 2

      In VMS every system component is a part of some "facility", and each facility has a unique prefix used for avoiding symbol clashes. Some of the security code in VMS is allocated to facilities with the prefixes CIA and KGB. I really doubt that the latter was used to install a back door for someone else's spooks; it was just the developers having a little fun where (they thought) it wouldn't show too much.

      Likely the same thing happened at MS but of course we're all primed to believe the worst of them. Sorta makes you glad your mother lectured you on the importance of maintaining a good reputation, doesn't it? :-}

  7. Re:OK, my hunch: Good hunch by anticypher · · Score: 2

    I like your theory. Hopefully it will get moderated up a few points (hint!)

    Here is my theory, which goes along with yours:

    There is a small team of M$ programmers who take pride in the code they are crafting, and have worked hard to create a working Crypto API. At some point, the NSA sends around their "pressure tactics" team to influence how crypto modules get signed. These guys are good, without a doubt they have been trained in psychology and have rehearsed and play-acted the scenario many times and are now *VERY* effective at persuasion.

    M$ management crumbles like a bunch of spineless wimps, giving in to every demand of the NSA, and then order the crypto team to implement a second key for the NSA, in effect nominating a second "root" CSP. You need to have a dual root system to do effective Revocation Lists, but it is not necessary.

    So the programmers implement the second key, but chafe at being forced to do a weak crypto implementation. So they make sure the second root key can be replaced without breaking their crypto API, although replacing the M$ root key will cause a failure. They even give the variable the name _NSAKEY so others who maintain the code know what shit is going on.

    Then someone in the software build group who pulls together all the source code from each project and does the compiles, forgets to strip symbols and the _NSAKEY symbol is left in the code.

    Now the world knows it can rip out the second root key, and let windows fail the check with the first root and failover to the second. Now you can set up any strong crypto system yourself, but this is probably most useful for foreign banks and governments who can afford an expert to set up and test the system before rolling it out.

    And the word gets out a little louder than before: U.S. crypto laws are there to make the NSA's job easier, not to protect American citizens or e-commerce or privacy or anything else.

    But the best quote today from anonymous (finkPloyd) coward is:
    Let's face it, if you are depending on Windows for security, you have more problems than the NSA :)

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  8. Bruce is da man! by Icepick_ · · Score: 3

    Interesting comments from an even more interesting guy.

    I got to meet him at the Neal Stephenson Cryptonomicon book signing here in Minneapolis a couple of months ago.

    I got him to sign my copy of Applied Cryptography. The signature was

    OJNE
    EHTY
    KOOB

    Now, how cool is that? Definitely seems like the kinda guy I'd like to take out for some beers some time.

    Hell, I started spouting off about my plans to wire my vintage telegraph key into my COM port so I could have a 'backup' for my e-mail program. He liked my idea and said to shoot him an e-mail when I get it working, he'd pay me to work up one for him too.

    Just some after lunch ramblings.

  9. Re:Conspiracy or not by evilpenguin · · Score: 2

    You are quite right, but are also reading far more into my post than I put there. As I said, for a two key system to make sense you need a secure way to switch the keys. Take a look at PGP's method for key revocation (note that it is recommended that a revocation message be generated WHEN THE KEY IS GENERATED). Now, the fact that apparently MS has no formal method for switching keys is why I described their implementation as "brain dead."

    As for your first point, I agree. But if you had a secure way to switch between two keys, it would be a smart thing because you could keep signing things even in the event of a compromise and you would not have to get a new copy of the software with a new public key to everybody in order to do so. However, since MS's scheme trusts both keys, I agree with you that two copies of one key would be functionally equivalent.

    I think what stinks is that MS is a closed source company. You can't know for certain what they are doing or why. You are only as secure as MS knows you. You, you have no idea. Yeah, I like that.

  10. Conspiracy or not by um...+Lucas · · Score: 3

    This just shows again how Microsoft is content to dick around with the government and consumer alike.

    Screwing the customer, by creating a security mechanism that can be easily bypassed (if someone replaces NSAKEY with a new one, then all your crypto modules can be replaced with insecure versions)...

    On the flip side, they're blatantly disregarding the gov't's export requirements by allowing this key to be replaced abroad. So much for disallowing the export of strong crypto... They can just ship a weakened product and let people overseas implement the changes.

    No matter how you feel about encryption, privacy, etc... THIS IS A BAD THING. Bad for the consumer, bad for the government, and just bad policy. As we touched on in one of the previous discussions, why in the world did they need to create this "backup" key in the digital age?

    I'd hope to expect that Win2000 ships with just a single key to compare signed code with, or at least bothers to check the signature of the backup key as well... Though I like the idea of myself being able to implement whatever cryptography I'd like, I don't trust anyone enough to go and implement new & improved modules without my explicit approval.

    1. Re:Conspiracy or not by evilpenguin · · Score: 2

      The secondary key makes a great deal of sense. It's the MS implementation that is brain dead. I can think of two reasons to switch to a backup key. Destruction of the primary (they shouldn't have multiple copies lying around, so posit an explosion/flood/whatever destroying the primary). The second reason would be known compromise of the first key (Ballmer accidentally copied it to his laptop, an MS employee responsible for the key was bribed, whatever).

      The problem with the MS implementation is that EITHER key is trusted! There should be a mechanism to switch keys in a secure manner such that one key becomes untrusted. As it is now, if one key is compromised, it will still be trusted!

  11. CryptoAPI still not trustworthy. by MAXOMENOS · · Score: 5
    I tend to agree with Bruce Schneier...Microsoft is probably not in league with the NSA to reveal all our secrets. But the CryptoAPI is still not trustworthy.

    The strength of encryption is based not on how big the keys are (sorry, but 32kbit keys are just plain unnecessary), but on how hard it is to get the plaintext, based on the crypttext and other known information. If the secrecy of your credit card numbers depends on other people not knowing the algorithm, or the implementation, of your encryption, then your encryption is pretty darn weak. Once the algorithm leaks out (due to espionage or hacking), your secrets are out.

    The best encryption for one to use has five components working for it:
    1. The algorithm is known
    2. The implementation is known (open sourced)
    3. The details of the development are public knowledge (this is why I would trust Twofish over, say, 3DES)
    4. The method has been analysed for possible backdoors and is considered secure
    5. The keyspace is large enough to make brute-force search impractical

    In the case of the CryptoAPI, we don't have an open-source implementation, nor do we know the details of the development of the CryptoAPI. Microsoft has all this information and isn't about to release it to anyone. Because of this, we don't know if the analysis of the CryptoAPI is sufficient. Therefore, we should consider Microsoft's CryptoAPI package untrustworthy.

  12. Roswell Revisited by brennanw · · Score: 5

    Ladies and gentlemen, we apologize for this simple misunderstanding, but apparently the $NSAKEY was not, I repeat, was NOT, an NSA backdoor. After a thorough investigation and careful examination of all facts, it turns out that $NSAKEY was actually a weather balloon flying over some swamp gasses.

    Previous reports to the contrary are false. Indeed, they never happened. In fact, I don't remember any previous reports to the contrary. In truth, I don't even know why I'm telling you any of this, because we have received no credible reports of an NSA Backdoor in any windows platform.

    Next week we will start investigating reports that farmers are finding strong encryption algorithms burned into their crop fields. Until we discover more about this phenomenon, we are banning all crop exports immediately and reclassifying corn, wheat, and other grains as munitions.

    Thank you for your support in this matter.

    Signed,

    The Federal Government

    --
    Eviscerati.Org: All Hail the Eviscerati
  13. Re:Weeeelllll... by xxyyxxzz · · Score: 2

    For all the bad press MS is getting, is it possible that they made the second key weak for a reason? Think about it - by making this second key relatively easy to change, that means that non US/Canadian servers running WinNT could implement high security - a feature many outside these countries want. Although MS can't officially sell their software with this encryption, they can "mess up" and allow others to do it for them, thereby sticking it to the government.

    How's that for a conspiracy theory?

  14. I did NOT sleep with that woman. by flatrbbt · · Score: 4

    Unfortunately, MS suffers from the same credibility gap as certain others do. The surest way to know they are lying is to check and see if their lips are moving.
    Even after their answers, the questions remain.

    Why are there 2 keys?
    Why are the keys replaceable?
    Who has had access to them? Aside from a horde of programmers doing daily builds.
    Doesn't the daily build mean the two keys are stored in the same building?
    Is only 1/2 of this building "natural disaster proof"?
    What happens now that the key locations are known?
    How long before they are cracked?
    Once they are cracked, can't I use ms_key to replace nsa_key?
    Have your keys been replaced?
    Will they be replaced again?
    Can they be replaced via ActiveX/Java?

    All in all, I find the story without credibility.
    The tone in his second writing does not support the tone of his first.
    What changed his mind? Why is this such an insignificant security hole in comparison to the major hole at the time of the first writing?
    Who convinced him otherwise?

    I am sorry, but having listened carefully to this and other arguments presented by MS and its minions, I will need some convincing.

    Until then, I will continue to recommend that all MS products be removed from "secure" corporate machines.

    Steve Ruyle

    --
    Ex Libris Veritas
  15. The keys are NOT for integrity protection... by DiningPhilosopher · · Score: 3

    There's at least one thing Microsoft and Schneier are not kidding about - the MS CAPI verification keys DO NOT PROVIDE SECURITY, nor do they intend to. They enforce export restrictions.

    If you send Microsoft a CSP which encrypts data by XOR'ing with a stream of zeroes they'll sign it as long as you have the appropriate license. They don't care, nor should they.

    Think about it. If Microsoft were actually certifying that any signed CSP provided a good strong crypto implementation, then any customer who discovered a flaw in a signed CSP could sue. And would. Microsoft wouldn't even consider putting themselves in that position.

    Therefore if I work for the NSA and I want to install a crippled CSP on your system, I ask Microsoft to sign it. And they will, no security questions asked. The only thing having my own key would buy me is not having to wait for them to get through the process.

    --
    /* The beatings will continue until morale improves. */
  16. Re:If I were moderating.. by Thagg · · Score: 2
    I don't have my copy of the first edition of Applied Cryptography with me, but as I recall Schneier is basically an amateur cryptographer. When he started writing Applied Cryptography he knew very little about it -- and while he learned a tremendous amount as he wrote it -- he has no formal training in the field. Formal training isn't everything [read the very entertaining 'Between Silk and Cyanide' for another amateur's good work], but I wouldn't view Schneier's credentials as impeccable.

    If I recall correctly, there are several warnings in AC (at least the first edition) warning against using the work of amateurs.

    That said, Blowfish and Twofish do seem to have passed muster with world-class cryptographers, which is a tremendous achievement; and I have tremendous respect for Schneier.

    thad

    --
    I love Mondays. On a Monday, anything is possible.
  17. It's a PR issue by Otter · · Score: 2

    But why didn't MS give this explanation then? At MS' site on the subject it says the key is specifically for disaster recovery. Not anything else. I really still don't understand why DR could cause the necessity of this. Your explanation makes sense though. Theirs does not.

    I was wondering about that, too. Why would they give an explanation that clearly makes no sense? I think it's a PR concern. Talking about natural disasters is OK -- publicly raising the issue of a compromised key is not.

  18. The real importance of the NSAKEY debacle by The+Welcome+Rain · · Score: 4

    The true importance of this news item never had anything to do with practical matters of security. If you're concerned with and knowledgeable about computer security, you're probably not using Windows -- especially if you're trying to keep the NSA out.

    The real issue is the effect this story will have on Microsoft's international image. They are already considered to be very Americocentric (as are many other American companies, to be fair). Remember Microsoft's refusal to produce an Icelandic version of Windows? They ticked off lots of non-Americans with that move, not all of them in Iceland.

    The idea that Microsoft would truckle to the whims of an American intelligence agency only worsens the problem. It didn't turn out to be true, but people aren't going to remember that. They'll remember the accusation far longer than they'll recall the exoneration.

    It sucks, but the truth just isn't an important factor in shaping public opinion. Microsoft lost big on this one.

    --
    Some keywords for the NSA in the Lord of the Rings universe: One Ring bind find Sauron quest Nazgul freedom
  19. Re:Are they really advanced? by boojumsnark · · Score: 2

    We're talking about the single largest employer of mathematicians in the world. Although I'd imagine the gap has dwindled as more people get into the field (when I was at Brown, at least two professors in the math department were actively doing crypto-related research), it seems likely to me that the NSA is still at least three years ahead of the civilian research world.

    Only a guess, though. The NSA knows, but they aren't telling.


    --
    I didn't know what a meme was, so I asked five friends. They didn't know what a meme was, so they asked five friends.
  20. OK, my hunch: by Chris+Johnson · · Score: 2

    The NSA did not do this: Microsoft did this. It did it to cause fear, uncertainty and doubt about the U.S. Government in foreign markets. Microsoft wishes the world to put pressure on the USA to back off on Microsoft. On the one hand there's the antitrust case (GEE, DO YOU SUPPOSE DISTRUST OF GOVERNMENT WOULD PLAY IN THEIR FAVOR?), and on the other hand there is encryption restrictions, and in order to be in a position to effectively fight Unices and Linux internationally, Microsoft has to be allowed to ship encryption anywhere they like, including to enemies of the USA. After all, those enemies can use Linux: stopping Microsoft from doing business with enemies of the USA means getting in their way and impeding their business.
    This is a trial balloon for a new geopolitics: it says in BIG RED LETTERS, "hands off Microsoft, USA". It's not a message for America- it is a message for the rest of the world. "Look! Unless something is done, the worldwide monopoly on computers and communications will be a tool of the USA! Wouldn't you rather it was just a worldwide monopoly beholden to nobody, with no loyalties at all?"
    I must say I've been expecting this: I've been certain for some time that MS had no loyalty to the USA at all, and that they would find a way to cut the apron strings. It's typically ruthless MS marketing that the way turns out to be casting fear, uncertainty and doubt at the NSA by a childishly transparent ploy. Nothing that I've ever heard about the NSA suggests that they would tell MS to build in a key for them, allow it to be named 'NSAKEY', not _check_ to see if MS did it right etc etc etc. That's ludicrous- competent or incompetent they are too _paranoid_ to allow themselves to be betrayed that stupid way, therefore it's not them (and they probably have YA-key that nobody knows about, knowing them).
    Since it's not the NSA which laid that carefully planted clue, and since it came from somewhere inside Microsoft, the question becomes "Why would Microsoft produce such a clue to cause fear of the NSA?" and I think what with the antitrust case and the blocks against exporting encryption, it should be quite obvious why Microsoft now sees fit to backstab the U.S. Government itself.

  21. CryptoAPI does not encrypt by Eric+Green · · Score: 2
    One thing to bear in mind is that the CryptoAPI does not encrypt. Rather, it's a "method-independent" API for calling encryption modules. Microsoft uses the CryptoAPI so that they can ship weak encryption modules for export, and strong ones for U.S. use, without any programs having to be recompiled to, e.g., compensate for the fact that 3DES uses 168-bit keys rather than 56-bit keys like the export DES (assuming MS got permission to raise it from 40 bits).

    It is possible for a "middleware" product like the CryptoAPI to be insecure, but not likely. I still wouldn't trust Microsoft's own encryption modules though (the ones actually CALLED by CryptoAPI). For one thing, a good PRNG to get randomly-distributed keys is VERY hard to write. I just finished writing one because every distributed PRNG that I came across produced predictable keys (meaning that you don't have to brute force all possible keys to break the encryption, just the keys produced by the pseudo-random number generator, which proved not to be so random!). I seriously doubt that Microsoft got the PRNG right, and Bruce Schneier's own "Yarrow" PRNG is perfect proof of that (Bruce has a paper on his site, www.counterpane.com, detailing attacks on a PRNG that will let you crack encryption in MUCH less time than a pure brute-force attack).

    -E

    --
    Send mail here if you want to reach me.
  22. Still confused by schporto · · Score: 3

    Can someone explain the MS response? Why do they need the backup? If you have a natural disaster where the primary key is held then the backup key would be used which is held at a different place. Why not just have 2 copies of the primary key? I hope there is something obvious that I don't see.
    -cpd

    1. Re:Still confused by Zico · · Score: 2

      It's not just for natural disaster. If they need to revoke the original key for any reason (like say it got cracked), then the backup key could be used to verify the replacement key for the original.

      Cheers,
      ZicoKnows@hotmail.com

    2. Re:Still confused by jms · · Score: 2

      However, there is no mechanism in place for key revocation, so this explanation is not valid.

  23. Believing everything you read. by SteveX · · Score: 5

    This whole issue has been fun to watch. When I read the first message about how Microsoft had the NSA key in Windows, I kinda wondered if they would really do that.. Couldn't really decide either way.

    But the number of people that read it and instantly assumed it was true was astounding. I've had friends ask me out of the blue about it. I've heard of it through mainstream media. I've seen story after story about it.

    Most of the media people still won't admit it was jumping to conclusions. That's what really bothers me. They're mostly sticking to the "well Microsoft says it's false but who can know for sure" lines to cover their own asses (and credibility).

    A Wired story says "Questions lingered Friday over whether or not security experts overreacted to a scientist's charge that Microsoft built a backdoor in Windows for a US spy agency to enter". Isn't it fairly clear that they overreacted? Or is this going to happen again the next time?

    (If it's a real issue, like the Hotmail thing, then they deserve to get slammed... but come on, let's verify this stuff before we go nuts).

  24. The author's credentials by Pac · · Score: 4

    Bruce Schneier:

    - Wrote "Applied Cryptography", the best introductory book to the field of cryptography and cryptanalysis;
    - Wrote the Blowfish algorithm;
    - Wrote with others the Twofish algorithm, one of the finalists of NIST's new Advanced Encryption Standard

    There is a lot more. Look around the site...

  25. The following 4 questions are still not answered: by CocaCola · · Score: 3

    1) 'Lots of people have access to source code within Microsoft;' - maybe, but most people have only access to code they develop, in fact only a handful of people have 'full' access. Even fewer people have access to the keys themselves. The Caldera antitrust suit brought up some very interesting Microsoft-internal documents that have relevance now: a dozen DOS engineers were reassigned to work on making DR-DOS 'as incompatible as humanly possible'. 'Normal' DOS engineers did not even know about this team; the team's real duty was only known to the vice president (Brad Chase in this case). And DOS only had a couple of ten thousand lines of code - with NT's millions of lines of code it's not at all hard to 'hide' activity and shield off even top developers from 'the realities of RL'.
    2) 'It's called "NSAKEY" for some dumb reason' - yeah, and the symbol name got stripped off from _all previously shipped Windows releases_ (a couple dozen ones, not including localized versions), while $KEY was not stripped? You got to be kidding. $NSAKEY within a crypto module means only one thing.
    3) 'There are just too many smarter things they can do to the unsuspecting masses.' - face it, the Microsoft monopoly is valuable to the signal interception community in this regard: it's everywhere. You will not find a single piece of software more widely installed.
    4) What was the deal Microsoft cut with the NSA which (uniquely amongst OS vendors) enables them to ship a Crypto API? Crypto-enabling APIs are explicitly forbidden by US export controls, even if they do not ship strong crypto. What was the 'deal' with the NSA?

    --
    --Coke
  26. Believe me, his criticism is justified by Eric+Green · · Score: 3
    Bruce has extensively cryptanalyzed Microsoft's security and encryption software, and torn it to shreds in so many ways that it is pathetic. Read some of the papers on his site.

    The purpose of the CryptoAPI was to enforce U.S. export controls. The failover to the second key, which can be poked with your own public key (as described in his earlier Crypto-Gram article), means that this mechanism is broke broke BROKE. Like so much else in MS's crypto suite. Sigh.

    Read his Yarrow paper and you'll get the context for his comment that it's easier to attack MS's PRNG (pseudo-random number generator) than it is to attack their encryption directly.

    -E

    --
    Send mail here if you want to reach me.
  27. Dumb Mistakes (eg. the atom bomb) by Critter · · Score: 3

    A fellow graduate student from England told me a story a few years ago about American Intelligence and the atom bomb. The Manhattan Project was our top top secret; we wouldn't even tell our allies about it. However, when the device was detonated, possibly over Hiroshima, the U.S. government gladly distributed time-lapse photographs of the expanding mushroom cloud: What a historic moment! What an achievement! From this little bit of information British scientists, and possibly others, were able to deduce the critical mass of U238.

    People are careless, dumb and vain: one of the reasons security through obscurity is a bad idea.

  28. Microsoft haven't produced a credible account. by Paul+Crowley · · Score: 2

    I don't believe that the "NSAKEY" allows the NSA to read everyone's email that's encrypted with Windows - that was always an exaggeration. But it's clear that Microsoft are holding something back, because they have not produced a credible account of why the second key is there.

    All they say is "in case the first key is destroyed". To which we all say "so why not take a backup"? And after that, it's all *sheer speculation* on our parts about what their actual reasons are, for example about whether they mean "compromise" rather than "destruction" (hint: volcanoes don't compromise keys) or whether there's some other need that backups wouldn't meet. It's speculation because Microsoft haven't told us. All I know is:

    * Microsoft have not come up with a believable explanation of why there are two keys, either of which can validate a CSP

    * And *neither has anyone else*, not Bruce Schneier, not Markus Kuhn, not any of the people on the mailing lists I'm on. No-one has suggested anything that would make this an even vaguely sensible way to do things, let alone a way past an NSA security review.

    Frankly, if I hear a non-fishy explanation for this I'll be quite likely to believe it - it's true about Microsoft's historical stance in favour of strong crypto, even though the whole CryptoAPI signing thing rather goes against that in the first place. Until such an explanation surfaces, though, there's no reason at all to let Microsoft off the hook on this one.
    --

  29. This does not resemble a CRL system. by Paul+Crowley · · Score: 2

    There has to be a hierarchy of trust for these to be proper CRLs: i.e., less privileged keys have trust delegated to them by more privileged keys, so the more privileged keys can later revoke that trust by signing an appropriate CRL. Both keys are as trusted as each other and can replace themselves or each other.

    Schneier's analysis is quite accurate.
    --

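The distinction drawn in the evilpenguin, jms and Paul Crowley comments above (two equally trusted roots versus a root that delegates and can revoke) is easy to see in code. The following is an added illustration, not code from this thread or from Microsoft; it models the two trust arrangements with constructed keys and a constructed CSP blob, and uses a keyed HMAC as a stand-in for the RSA signature the real CryptoAPI checks.

```python
# Added illustration (not code from the thread or from Microsoft): two trust
# models for CSP signature checking, showing why "either key is trusted"
# leaves no way to revoke anything. A keyed HMAC stands in for the RSA
# signature the real CryptoAPI uses; the trust-model logic is the point.
import hmac
import hashlib


def sign(key: bytes, data: bytes) -> bytes:
    """Stand-in signature: HMAC-SHA256 under a key held by the signer."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


class EitherKeyVerifier:
    """Two independent roots; a CSP loads if *either* root signed it.

    This is the arrangement the thread describes: a second root sits beside
    the first and nothing ties them together, so neither can withdraw trust
    from the other short of shipping a new binary with a different slot.
    """

    def __init__(self, root_a: bytes, root_b: bytes):
        self.roots = [root_a, root_b]

    def accepts_csp(self, csp: bytes, sig: bytes) -> bool:
        return any(verify(k, csp, sig) for k in self.roots)


class HierarchicalVerifier:
    """One root certifies a subordinate signing key and can later revoke it.

    A revocation entry is only honoured when the root signed it, so the
    holder of a subordinate key can neither un-revoke itself nor revoke the
    root (the "hierarchy of trust" a proper CRL system needs).
    """

    def __init__(self, root: bytes):
        self.root = root
        self.revoked = set()

    def certify(self, subordinate: bytes) -> bytes:
        # Done offline by the root holder; the return value is the "cert".
        return sign(self.root, b"CERT:" + subordinate)

    def revoke(self, subordinate: bytes, crl_entry_sig: bytes) -> bool:
        if verify(self.root, b"REVOKE:" + subordinate, crl_entry_sig):
            self.revoked.add(subordinate)
            return True
        return False

    def accepts_csp(self, csp: bytes, sig: bytes,
                    subordinate: bytes, cert: bytes) -> bool:
        if subordinate in self.revoked:
            return False
        if not verify(self.root, b"CERT:" + subordinate, cert):
            return False
        return verify(subordinate, csp, sig)


def scenario() -> dict:
    """Constructed keys and CSP; returns what each model accepts and when."""
    primary_root = b"constructed-primary-root-key"
    second_key = b"constructed-second-key"
    csp = b"constructed CSP image: provider of unknown quality"
    signed_by_second = sign(second_key, csp)

    # Model A: a signature under the second key is as good as one under the
    # first, and the verifier offers no operation that changes that.
    either = EitherKeyVerifier(primary_root, second_key)
    a_first = either.accepts_csp(csp, sign(primary_root, csp))
    a_second = either.accepts_csp(csp, signed_by_second)

    # Model B: the same second key is subordinate to the root. Once the root
    # publishes a signed revocation, CSPs it signed stop loading.
    hier = HierarchicalVerifier(primary_root)
    cert = hier.certify(second_key)
    b_before = hier.accepts_csp(csp, signed_by_second, second_key, cert)
    forged = hier.revoke(second_key, sign(second_key, b"REVOKE:" + second_key))
    genuine = hier.revoke(second_key, sign(primary_root, b"REVOKE:" + second_key))
    b_after = hier.accepts_csp(csp, signed_by_second, second_key, cert)

    return {
        "either_accepts_primary": a_first,
        "either_accepts_second": a_second,
        "hierarchical_accepts_before_revocation": b_before,
        "revocation_signed_by_subordinate_honoured": forged,
        "revocation_signed_by_root_honoured": genuine,
        "hierarchical_accepts_after_revocation": b_after,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```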
  30. Here's a better explanation: by mrneutron · · Score: 5

    From BugTraq. It's not on their archive (yet) at www.securityfocus.com, but will be soon:

    From: Markus Kuhn
    Subject: Re: NSA key in MSFT Crypto API

    The actual funny story behind the presence of the NSA key has been
    seriously misunderstood here. CSP verification keys have only one *real*
    purpose: They are intended to enforce the US export restriction
    requirement that Microsoft is not allowed to ship software abroad that
    can easily be extended with strong cryptography. They are certainly not
    intended as any useful form of integrity protection for your system.

    The NSA got their own CSP verification key, because they want to be able
    to change their own secret US government CSPs required for the handling
    of classified documents, without having to go to Microsoft each time to
    get a signature for an NSA CSP update. Fair enough. So Microsoft built
    in a second verification key such that the NSA can produce and install
    on DoD PCs their own CSPs without requiring any Microsoft involvement.

    The real funny part is that Microsoft did not protect the NSA key
    particularly well, such that everyone can easily replace the NSA key
    with his own key. This was reported by Nicko van Someren at the
    Crypto'98 rump session. This means that everyone can now easily install
    his own CSPs with arbitrarily strong cryptography. This means that the
    NSA's demand to get quickly a second key added led in effect to the easy
    international availability of strong encryption CSPs. My guess is that
    this is Microsoft's sweet revenge against the NSA for creating all these
    Export hassles (e.g., the requirement that CSPs be signed) in the first
    place. It backfired nicely against the NSA. :)

    All this has nothing to do with an NSA backdoor, because the CSP keys
    are an export enforcement tool and not an integrity protection tool.
    They do not protect all parts of the system that could be compromised by
    someone who wants to install some eavesdropping malware. The CSP
    verification keys only authenticate that no cryptography that violates
    export laws has been installed. If you are worried about the NSA
    installing malicious software on your PC, you should not rely on the CSP
    verification keys (which were never designed for that purpose anyway),
    but on virus scanners with tripwire functionality that report any
    modifications to your DLLs. There is no digital signature functionality
    required to implement these, simple secure hash algorithms will
    perfectly do.

    Please apply a bit of simple critical thinking here:

    If the NSA wanted to have real backdoor functionality, they would much
    more likely simply steal Microsoft's own keys instead of embedding
    additional keys with an obvious symbol name. Remember: The NSA is the
    world's largest key thief. They have stolen crypto variables from
    well-protected military and government agencies from all over the world
    using the usual repertoire of techniques (bribery, extortion,
    eavesdropping, hacking, infiltration, etc.). If they can do it with
    eastern military agencies, they can most certainly also do it easily
    with Microsoft, which is orders of magnitude less well protected than
    the usual NSA target. If there is a real NSA backdoor key in Windows,
    then it would certainly be identical to Microsoft's own key.

    Markus
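A small model of the two points Kuhn makes above, added here as an example and not code from the original post, from Microsoft or from the NSA: a loader that accepts a CSP signed by either of two peer verification keys, and the hash-baseline "tripwire" check he suggests for the DLLs those keys never cover. Ed25519 keys generated at start-up stand in for the real RSA keys, and the file names and contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Two peer CSP verification keys, as Kuhn describes: a module loads if EITHER
// key validates it. Generated fresh here as hypothetical stand-ins, not real keys.
var Signer1, Signer2 ed25519.PrivateKey
var verifyKeys []ed25519.PublicKey

func init() {
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader)
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	Signer1, Signer2 = priv1, priv2
	verifyKeys = []ed25519.PublicKey{pub1, pub2}
}

// AcceptCSP is the loader check: the keys are peers with no hierarchy, so
// neither can revoke the other and a signature from either one suffices.
func AcceptCSP(module, sig []byte) bool {
	for _, k := range verifyKeys {
		if ed25519.Verify(k, module, sig) {
			return true
		}
	}
	return false
}

// Snapshot is the tripwire-style baseline Kuhn recommends for the DLLs the
// CSP keys never cover: a plain SHA-256 per file, no signatures involved.
func Snapshot(files map[string][]byte) map[string][32]byte {
	b := map[string][32]byte{}
	for name, data := range files {
		b[name] = sha256.Sum256(data)
	}
	return b
}

// Modified reports files whose current hash differs from the baseline (or are new).
func Modified(base map[string][32]byte, files map[string][]byte) (changed []string) {
	for name, data := range files {
		if base[name] != sha256.Sum256(data) {
			changed = append(changed, name)
		}
	}
	return changed
}

func main() {
	csp := []byte("constructed CSP module bytes")
	fmt.Println(AcceptCSP(csp, ed25519.Sign(Signer2, csp))) // prints true
}
```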

    1. Re:Here's a better explanation: by platypus · · Score: 2

      This was reported by Nicko van Someren at the
      Crypto'98 rump session.

      Markus Kuhn was cited in a news posting I read, and he mentioned nCipher, who apparently used this trick before to get their strong encryption (hardware!) into the Windows API. One of their founders is the said Nicko van Someren.

  31. Re:SPOILER! (code solution) by Icepick_ · · Score: 2

    Just in case you can't figure out the code...

    "Enjoy the book"

    Took me about 20 mins to figure it out.

    Very cool.