Cryptonym Interview Part Three
Mike Hudack Editor-in-Chief
The interview of Cryptonym owner Andrew Fernandes, the man who discovered the _NSAKey in Windows' Crypto API. The first and second parts of the interview are both available on OSAll.
The following is as verbatim as possible from the phone interview between Mike Hudack and Andrew Fernandes:
<Mike>: Do you buy the Microsoft explanation that it was named "_NSAKey" because it had been approved by the NSA for export?
<Andrew>: Okay. The way they put it is, they've said, it shows it adheres to NSA encryption standards. That's what they said, to the Washington Post, I believe it was...
<Mike>: I think it was AP, but it's neither here nor there. I may be wrong.
<Andrew>: Well anyway, that was the quote... I've got to double-check all my sources. But anyway, that's a funny statement because, first of all, the NSA has no encryption standards. It's sort of like saying the phrase "military grade encryption." Whenever you're dealing with a security product and somebody says it's military grade encryption your bullshit detector should really go off. And the reason for that is that the military has no standards of encryption. The military uses everything from good crypto to bad crypto to crackable crypto to uncrackable crypto to stuff that's designed never to be used to stuff that should be used every day. And it uses it for all purposes and everything in between. But the phrase military grade crypto is an absolutely meaningless and content free statement. Similarly, when you say NSA encryption standards -- the NSA has no public encryption standards. Now, if you take that phrase for what it could mean, the NSA's job is... if it approves of crypto is to make it weak, to make sure it's crippled crypto, to make sure it has escrow crypto, or trapdoor or backdoor crypto. That way they can get to your encoded information. If you want good crypto, or crypto standards, those are administered elsewhere. Perhaps, I know the press people are generally non-technical, so they may have screwed that up... Then again.
<Mike>: I'll tell you from my perspective, it doesn't make sense. I say that especially because the NSA has no public input on this -- I believe it's actually commerce department, isn't it?
<Andrew>: Yeah, it's Commerce that gives the final export license -- but it's only upon passing technical review by the NSA. It's well known that if you want to apply for an export license you're going to have to tango with the NSA... Everyone who's ever applied for an export license knows that. Now, there are some cryptographers who agree with me, and there are some who disagree with me. I think, doing a rough calculation it's about 60 / 40 against last I checked. But I think you have to be careful looking at that -- and it's a business of paranoia, so there you go. I don't want to start a mud fest, that's the last thing you do.
But... For instance, you look at comments by Matt Blaze, he says that Microsoft is using Compaq hardware key storage boxes. And I know this is true because I've talked to some people at Compaq who confirm it. I mean, Compaq makes something like 90% of the ones used in the world so that's not a big shock. Now, crypto boxes, what these things are... you feed them a stream of data or a hash or something and it spits out a signature for the key which is embedded in the secure box.
It does everything for you, you can never get to that actual key. And furthermore it's tamper proof -- if the box detects you're trying to get in there and steal the secret key it'll self-destruct, wiping that key out. So Blaze's comment basically says it's conceivable that the second key is a backup to the first because Microsoft could use that first key.
It's unlikely it would be exposed, but it's conceivable the key would be lost. That way they could just sail over to that second key. That's a technically sound explanation. And Blaze is a smart guy, he's been working in crypto for a while. I don't know if he's thought it all the way through -- and I haven't spoken to him about this, so I'm not saying he's dense or anything...
If you take that a bit further, it doesn't say why that second key was called "_NSAKey" as opposed to "Key2" or "BackupKey" or something like that... But second, what I think he didn't think about -- or maybe he's wrong or differing in our experiences -- is that it's well known that they will destroy their key internally if they detect any tampering. So that triggers a denial of service attack -- if I really want to screw someone I'll just pop a paperclip in the box and it'll zero itself.
<Mike>: I think a lot of my readers know too much about DoS attacks...
<Andrew>: So if the designers know about this problem -- the more secure you make the box the easier, the more readily it's going to die.
<Mike>: Well you have to keep them physically secure as well as have backups.
<Andrew>: What they do is, all these boxes allow you to export the key. They encrypt it using a symmetric key like Triple-DES and you can split it amongst your three or five or ten or whatever most trusted compadres. You can split it among the country, et cetera...
So if your crypto box does zero out that's how you can get the key back -- that's how you do key backup. That's how intelligent people do it. But then again, Microsoft has never been accused of doing intelligent crypto or designing intelligent protocols despite the huge number of cryptographers and protocol designers they employ.
For instance, the password silliness they've done -- how password files are protected.
<Mike>: Oh yeah. Storing them in hex is going to do it!
<Andrew>: So it's conceivable, but when faced with those two bits of evidence it doesn't make sense.
To Be Continued... Yet Again...