|
MS Integrating NSA Backdoor?
Mike Hudack
Editor-in-Chief
Cryptonym (cryptonym.com) broke the story at midnight last night and it's exploded. Microsoft seems to have incorporated a backdoor for NSA use in Windows 95osr2, Windows 98, Windows 98 SE, Windows NT 4 and (the upcoming) Windows 2000. The implications of this backdoor do not stretch to United States citizens, but all foreign nationals should take note.
The backdoor involves a second key added to the Microsoft Crypto API.
There are two possibilities as to the second key: It could be an NSA backdoor (at this point it seems the most likely explanation), or it could be a programmer's joke (it DOES happen guys). Alternately, the Microsoft explanation that it's an "export key" is implausible for many reasons, including that both keys are distributed to everyone, US or international.
Ever since Windows 95osr2 Microsoft has integrated "security" services into its operating systems. These services may be installed by Microsoft at any time (they ask you out of the kindness of their heart). A good example of their use is Windows Update, which is standard with Windows 98 and 98 SE. In order to verify the veracity of security services, Windows ensures that they are signed by Microsoft. To verify this, Windows uses the Microsoft public key it ships with.
Crypto API is supposed to be used by developers to incorporate their own crypto algorithms into Windows in much the same way as "printer drivers are used," according to Microsoft.
For years people who reverse engineered Windows noticed a second public key that shipped with Windows. The purpose of this key was unknown but no one considered it a security risk -- assuming it belonged to Microsoft or was nonfunctional. The identity of this key's owner has, however, been identified. In Windows NT 4 Service Pack 5, the key is called "_NSA" -- obviously referring to the famous National Security Agency, the US spy agency which is larger than the CIA.
Microsoft has commented by saying that the name "_NSA" referred to the "fact" that it had been approved for export by the NSA. The Commerce Department is in charge of approving cryptography for export, however, not the NSA.
Although the NSA is prohibited by executive order from spying on US Citizens, this integration allows them to install any software on a Windows machine at their own leisure, opening the machine's entire contents to the NSA. It has long been assumed that the NSA had trojans to allow them access, but this makes it much easier than previously assumed.
The NSA would not officially comment on this subject although we faxed them. Our NSA contact will not speak to us from his or her office and will hopefully be relying to our voice mail by the end of the day.
In addition to the security services which have been included with Windows since 95osr2, there is the upcoming Microsoft PKI, or Public Key Infrastructure which is to be bundled with Windows 2000. This system is meant to replace all current PKIs in use with a standard. It can only be assumed that since Windows has a built-in backdoor that the Microsoft PKI does as well. Encryption programs have already been released using the Microsoft PKI and it was assumed that more would follow.
Late Update: US Citizens
It appears that there is a second rogue key in Windows 2000. It's assumed that this key belongs to the FBI.
OSAll spoke with an FBI spokesperson who assured us that "the FBI does not comment on issues such as this." We were aware that this was their policy, to neither confirm nor deny, but we figured we'd try anyway.
Official Microsoft Comment
We received voice mail, the extension was busy. We're expecting a call back.
We have also sent them an e-mail. We may or may not get a response soon.
We have also sent a page to their PR person. Our confirmation number is 7233, and we expect to receive a response to our page shortly (we marked it "urgent"!).
Microsoft Cyprto API Definition
In recent years, many companies, individuals, and government institutions have devised their own algorithms based on variations of the public-key and symmetric-key approaches. At least for now, the stronger candidates among these methods are quite secure indeed. One remaining problem of using encryption generally has been a lack of standards. Not only are the algorithms used very different, but even with the same published algorithm, software implementations done by different people can result in incompatible encrypted output.
Initiatives such as Microsoft's crypto API are exciting in their potential, because their modular design addresses the problem of encryption standards. With the crypto API, users can install any third-party cryptographic algorithms as simply as they install a new printer driver. Programmers are free to concentrate on building applications that can make use of whichever algorithms are chosen by the users (subject to certain restrictions, such as the applicability of the algorithm to encryption of streaming versus blocks of data, or key-only types of encryption algorithms).
A cryptographic service provider (CSP) is any agency that offers an algorithm, or a set of algorithms, that corresponds to the crypto API interface. Through this interface, application software is able to make use of encryption algorithms by selecting them at runtime.
Note:
The tone of this story has changed from definate to possible. This is only because we have yet to independantly confirm this backdoor. We still believe it though.s
Related Stories:
NSA Ramifications
NSA FUD
NSA and Kids
NSA Colleges
Microsoft "Security"
MS Security |
