NSA and MS windows


Michael Slass

Sep 3, 1999, 3:00:00 AM
According to
http://www.cnn.com/TECH/computing/9909/03/windows.nsa/

"(CNN) -- A cryptography expert says that Microsoft operating systems
include a back door that allows the National Security Agency to enter
systems using one of the operating system versions.

<snip>

"It turns out that there are really two keys used by Windows; the first
belongs to Microsoft, and it allows them to securely load (the
cryptography services)," said Andrew Fernandes in a press release.
Fernandes works for Cryptonym, a company based in Ontario.

The press release states "the second belongs to the NSA. That means that
the NSA can also securely load (the services) on your machine, and
without your authorization."

I was aware that Windows had unintentional security holes, but this is
the first I've heard of intentional holes. Anyone know anything about
this?

-Mike

Bruce Schneier

Sep 4, 1999, 3:00:00 AM
On Fri, 03 Sep 1999 14:27:30 -0700, Michael Slass <mik...@wrq.com>
wrote:

>According to
>http://www.cnn.com/TECH/computing/9909/03/windows.nsa/
>
>"(CNN) -- A cryptography expert says that Microsoft operating systems
>include a back door that allows the
>National Security Agency to enter systems using one of the operating
>system versions.

A few months ago in my newsletter Crypto-Gram, I talked about
Microsoft's system for digitally signing cryptography suites that go
into its operating system. The point is that only approved crypto
suites can be used, which makes things like export control easier.
Annoying as it is, this is the current marketplace.

Microsoft has two keys, a primary and a spare. The Crypto-Gram
article talked about attacks based on the fact that a crypto suite is
considered signed if it is signed by EITHER key, and that there is no
mechanism for transitioning from the primary key to the backup. It's
stupid cryptography, but the sort of thing you'd expect out of
Microsoft.

Suddenly there's a flurry of press activity because someone notices
that the second key is called "NSAKEY" in the code. Ah ha! The NSA
can sign crypto suites. They can use this ability to drop a Trojaned
crypto suite into your computers. Or so the conspiracy theory goes.

I don't buy it.

First, if the NSA wanted to compromise Microsoft's Crypto API, it
would be much easier to either 1) convince MS to tell them the secret
key for MS's signature key, 2) get MS to sign an NSA-compromised
module, 3) install a module other than Crypto API to break the
encryption (no other modules need signatures). It's always easier to
break good encryption.

Second, NSA doesn't need a key to compromise security in Windows.
Programs like Back Orifice can do it without any keys. Attacking the
Crypto API still requires that the victim run an executable (even a
Word macro) on his computer. If you can convince a victim to run an
untrusted macro, there are a zillion smarter ways to compromise
security.

Third, why in the world would anyone call a secret NSA key "NSAKEY"?
Lots of people have access to source code within Microsoft; a
conspiracy like this would only be known by a few people. Anyone with
a debugger could have found this "NSAKEY." If this is a covert
mechanism, it's not very covert.

I see two possibilities. One, that the backup key is just as
Microsoft says, a backup key. It's called "NSAKEY" for some dumb
reason, and that's that.

Two, that it is actually an NSA key. If the NSA is going to use
Microsoft products for classified traffic, they're going to install
their own cryptography. They're not going to want to show it to
anyone, not even Microsoft. They are going to want to sign their own
modules. So the backup key could also be an NSA internal key, so that
they could install strong cryptography on Microsoft products for their
own internal use.

But it's not an NSA key so they can secretly install weak cryptography
on the unsuspecting masses. There are just too many smarter things
they can do to the unsuspecting masses.

My original article:
http://www.counterpane.com/crypto-gram-9904.html#certificates

Announcement:
http://www.cryptonym.com/hottopics/msft-nsa.html

Nice analysis:
http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=52

Useful news article:
http://www.wired.com/news/news/technology/story/21577.html
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com

Thomas J. Boschloo

Sep 4, 1999, 3:00:00 AM
Bruce Schneier wrote:

[1]


> Microsoft has two keys, a primary and a spare. The Crypto-Gram
> article talked about attacks based on the fact that a crypto suite is
> considered signed if it is signed by EITHER key, and that there is no
> mechanism for transitioning from the primary key to the backup. It's
> stupid cryptography, but the sort of thing you'd expect out of
> Microsoft.

[2]


> Two, that it is actually an NSA key. If the NSA is going to use
> Microsoft products for classified traffic, they're going to install
> their own cryptography. They're not going to want to show it to
> anyone, not even Microsoft. They are going to want to sign their own
> modules. So the backup key could also be an NSA internal key, so that
> they could install strong cryptography on Microsoft products for their
> own internal use.

Well, about using Windoze as a secure OS for classified traffic.. hmm..

But if the NSA got this involved in ADVAPI32.DLL, why would they not
address [1]? They surely don't want Microsoft being able to trojanize
their traffic in the way the NSA now seems to be able to trojanize ours?
I would think that they would make the second 'backup' key prevalent
over the first! Like you suggested.

And because MS claims that the second key was generated by them (at
least I think they do in
<http://www.microsoft.com/presspass/press/1999/sept99/rsapr.htm>), [2]
seems no valid possibility. The NSA would want to generate their own
key and keep the private component secret from Microsoft and the rest of
the world.

So that leaves possibility 'one':

> I see two possibilities. One, that the backup key is just as
> Microsoft says, a backup key. It's called "NSAKEY" for some dumb
> reason, and that's that.

> But it's not an NSA key so they can secretly install weak cryptography
> on the unsuspecting masses. There are just too many smarter things
> they can do to the unsuspecting masses.

What I am worried about is installing signed ActiveX trojans.
<http://www.ccc.de/radioactivex.html> But I am not sure if I understand
the subject well enough for this to be an issue.

Highest Regards,
Thomas J. Boschloo [Netherlands, it's getting morning]

BTW, I will check out the extra links! (If I can keep my eyes open).
Here are some I just posted to alt.security.pgp:

http://www.techweb.com/wire/story/TWB19990903S0014
http://www.microsoft.com/presspass/press/1999/sept99/rsapr.htm
http://www.ccc.de/CRD/CRD19990903.html (German)

(probably later)
http://www.zeroknowledge.com/
http://www.nsa.gov:8080/

And Scott19u Guy seems to have found a link at abc news (which he forgot
to post).

> http://www.cnn.com/TECH/computing/9909/03/windows.nsa/
> http://www.counterpane.com/crypto-gram-9904.html#certificates
> http://www.cryptonym.com/hottopics/msft-nsa.html
> http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=52
> http://www.wired.com/news/news/technology/story/21577.html

--
AMD K7 Athlon 650 Mhz! <http://www.bigbrotherinside.com/#help>

PGP key: http://x11.dejanews.com/getdoc.xp?AN=453727376
Email: boschloo_at_multiweb_dot_nl


Red_Blue

Sep 4, 1999, 3:00:00 AM
Bruce Schneier wrote:

> Suddenly there's a flurry of press activity because someone notices
> that the second key is called "NSAKEY" in the code. Ah ha! The NSA
> can sign crypto suites. They can use this ability to drop a Trojaned
> crypto suite into your computers. Or so the conspiracy theory goes.

First of all, implementations that don't use CryptoAPI are secure from
this, such as SSL and S/MIME in Communicator, and PGP. So only fully MS
made security systems are affected because they have two trusted "root"
keys instead of one. Right?

The question is what actual methods of attack could be used to exchange
the current Microsoft RSA Base Provider CSP module used by Explorer or
Outlook with a weakened one that is signed with a key replaced by the
attacker? And would this attack be so much more difficult than an attack
which disables the verification instead of changing one of the two keys,
that it would constitute a significant increase in actual risk of this
kind of "weaken-the-crypto-suite-attack"?

Jere Hakanen


Roger Schlafly

Sep 4, 1999, 3:00:00 AM
Bruce Schneier wrote in message <37d07e29...@news.visi.com>...

>I see two possibilities. One, that the backup key is just as
>Microsoft says, a backup key. It's called "NSAKEY" for some dumb
>reason, and that's that.

Maybe. Perhaps someone from the NSA suggested using a
backup key, and the MS programmers called it the NSA key.

>Two, that it is actually an NSA key. If the NSA is going to use
>Microsoft products for classified traffic, they're going to install
>their own cryptography. They're not going to want to show it to
>anyone, not even Microsoft. They are going to want to sign their own
>modules. So the backup key could also be an NSA internal key, so that
>they could install strong cryptography on Microsoft products for their
>own internal use.

I doubt it. I can understand NSA not wanting to show its crypto
module to MS, but it wouldn't have to anyway. If the NSA wants
a CAPI module signed, all it has to do is to give an MD5 hash
to MS, and MS returns a signature. Quick, and revealing nothing.

I think this second explanation only makes sense if it is part
of some NSA scheme to plant bogus CAPI modules somewhere.
Legitimate modules could be signed in the normal way.
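
The either-key acceptance rule Bruce Schneier describes, and the hash-only signing Roger Schlafly describes, shown as an added example that is not part of any post in this thread and is not Microsoft's code. It uses textbook RSA over constructed toy keys and SHA-256 rather than the MD5 mentioned above; `RolloverLoader` and its retire statement are a hypothetical transition mechanism for contrast.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Textbook RSA key from two primes: (public modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed toy keys built from Mersenne primes: deterministic and fine for a
# demo, useless for real security (and there is no padding scheme here).
PRIMARY_N, PRIMARY_D = make_key(2**127 - 1, 2**521 - 1)
BACKUP_N, BACKUP_D = make_key(2**107 - 1, 2**607 - 1)


def digest(data):
    return hashlib.sha256(data).digest()


def sign_digest(dgst, n, d):
    """The key holder receives only the digest, never the module itself."""
    return pow(int.from_bytes(dgst, "big"), d, n)


def verify(data, sig, n):
    return pow(sig, E, n) == int.from_bytes(digest(data), "big")


def load_either(module, sig):
    """Rule described in the thread: a signature by EITHER key is accepted,
    and nothing ever takes a key out of service."""
    return verify(module, sig, PRIMARY_N) or verify(module, sig, BACKUP_N)


class RolloverLoader:
    """Hypothetical alternative: one module-signing key is trusted at a time,
    and the backup key's first job is to retire the primary."""

    RETIRE = b"RETIRE PRIMARY KEY"  # hypothetical rollover statement

    def __init__(self):
        self.primary_retired = False

    def apply_rollover(self, statement, sig):
        # Only a statement signed by the backup key retires the primary.
        if statement == self.RETIRE and verify(statement, sig, BACKUP_N):
            self.primary_retired = True
        return self.primary_retired

    def load(self, module, sig):
        # Before rollover only the primary signs modules; afterwards only the backup.
        active = BACKUP_N if self.primary_retired else PRIMARY_N
        return verify(module, sig, active)


def demo():
    module = b"constructed CSP module image"
    # The requester hashes locally and hands over 32 bytes, not the module.
    sig_primary = sign_digest(digest(module), PRIMARY_N, PRIMARY_D)
    sig_backup = sign_digest(digest(module), BACKUP_N, BACKUP_D)

    loader = RolloverLoader()
    before = (loader.load(module, sig_primary), loader.load(module, sig_backup))
    retire = RolloverLoader.RETIRE
    # A rollover statement signed by the primary key must not be honoured.
    forged = loader.apply_rollover(retire, sign_digest(digest(retire), PRIMARY_N, PRIMARY_D))
    loader.apply_rollover(retire, sign_digest(digest(retire), BACKUP_N, BACKUP_D))
    after = (loader.load(module, sig_primary), loader.load(module, sig_backup))

    return {
        "either": (load_either(module, sig_primary), load_either(module, sig_backup)),
        "tampered": load_either(module + b"!", sig_primary),
        "before_rollover": before,
        "forged_rollover": forged,
        "after_rollover": after,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Under `load_either` a module signed by the primary key stays loadable no matter what happens to that key; under the rollover variant the same signature stops verifying once the primary is retired.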

Ralf Stephan

Sep 4, 1999, 3:00:00 AM
Thomas J. Boschloo:
>Bruce Schneier wrote:
>[argument for MS stupidity]

>So that leaves possibility 'one':
>
>> I see two possibilities. One, that the backup key is just as
>> Microsoft says, a backup key. It's called "NSAKEY" for some dumb
>> reason, and that's that.

But then, MS could have easily confirmed that, instead of
making yet another foggy statement (see sig from Wired).
Maybe, if 1 is true, we see the first real hiccup in MS's
spin control machine --- the Halloween papers were not quite
as disturbing as this.

As others said, now is the time to open the source.


ralf
--
http://www.in-berlin.de/User/rws/
"_NSAKEY signifies that it satisfies security standards." (Microsoft)

pbboy

Sep 4, 1999, 3:00:00 AM
NSA : "P-p-p-please sign this thingamajig, Mr. Gates. I'll do anything
you want...I'll be your best friend...!"
Gates: "HA! Lick my feet! Bow to me, the omnipotent Gates!"
NSA: *Lick-lick-slobber-slobber* (wipes crusties from mouth, removes gum
from forehead) (*sniffling*)"Now w-will you sign it?"
Gates: "No! Do it again, just so you know who's boss!"

I don't think so.


Maybe I overestimate the NSA's power, but why would the NSA _ask_ MS for
anything?!? This is a game, people! Why hack/crack/reverse-engineer
anything? The NSA has soooo much influence, and even more power they don't
need permission for anything like this. Here's the way I would obtain
anything from anyone, including MS.

Moles

1) Recruit some young brilliant software engineer, one that even MS would
fight for.
2) Send him on a mission: Get recruited by MS (they hire by the bus-load,
i hear)
3) lay low for a while, gaining trust (read: security clearance) from the
Company.
4) Somehow get assigned to the "encryption and security" (hehe!) task
force
5) keep headquarters (NSA) informed about the direction the company is
taking towards its security =) features
6) Hand over the source and any other info pertaining to the mission.
7) remain in MS as long as possible, divulging as many secrets and as much
dirty laundry as possible (NSA just LOVES secrets!) Could lead to future
extortion / blackmail / bribery of high ranking executives etc.
8) Gain as high a position as possible in the Company to have a more
direct influence over it and its future

Espionage, corporate espionage. now that's fun!

I don't doubt for one second the above scenario, or a similar one, hasn't
happened yet or is taking place as we type.

OR

Maybe I underestimate MS's power....

--------

pbboy


HEHE! Do you really think, IF the NSA were to use any MS products, they
would actually pay for the licenses? Do ya think the NSA has a software/OS
engineering department of their own?


SCOTT19U.ZIP_GUY

Sep 4, 1999, 3:00:00 AM
In article <7qqgs3$oan$1...@nntp5.atl.mindspring.net>, "Roger Schlafly" <nospam....@cruzio.com> wrote:
>Bruce Schneier wrote in message <37d07e29...@news.visi.com>...
>>I see two possibilities. One, that the backup key is just as
>>Microsoft says, a backup key. It's called "NSAKEY" for some dumb
>>reason, and that's that.
>
>Maybe. Perhaps someone from the NSA suggested using a
>backup key, and the MS programmers called it the NSA key.
>
>>Two, that it is actually an NSA key. If the NSA is going to use
>>Microsoft products for classified traffic, they're going to install
>>their own cryptography. They're not going to want to show it to
>>anyone, not even Microsoft. They are going to want to sign their own
>>modules. So the backup key could also be an NSA internal key, so that
>>they could install strong cryptography on Microsoft products for their
>>own internal use.
>
>I doubt it. I can understand NSA not wanting to show its crypto
>module to MS, but it wouldn't have to anyway. If the NSA wants
>a CAPI module signed, all it has to do is to give an MD5 hash
>to MS, and MS returns a signature. Quick, and revealing nothing.
>
>I think this second explanation only makes sense if it is part
>of some NSA scheme to plant bogus CAPI modules somewhere.
>Legitimate modules could be signed in the normal way.


Surely the NSA would never attempt anything like that.
I wonder how many people will be switching to Linux in the
next few weeks. Does anyone really trust what other gems
Bill and the NSA have up their sleeves? It may be fun to
watch MSFT (I hope this is the correct symbol for them) stock
the next week. I for one am lucky enough not to have any
stock in them. But only because of moral reasons.

David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS

SCOTT19U.ZIP_GUY

Sep 4, 1999, 3:00:00 AM

What you fail to realize is that the NSA would use all means to corrupt the
MS system for their uses. So you're right in assuming that the NSA has moles
in MS; it only makes sense. But that does not mean another department of the
NSA also is buddy buddy with Gates and they team up to put back doors.
MS is closed source and probably full of holes. As Gates once said no one
needs more than 650K. Well, then why is his stuff so complex?

Don't forget in the US government the same time we give aid to crooked
countries around the world propping them up. We may be paying more money
through the CIA to take them down. It's the American way.

Bruce Schneier

Sep 4, 1999, 3:00:00 AM
On Sat, 04 Sep 1999 09:33:55 +0300, Red_Blue <red_...@hotmail.com>
wrote:

>Bruce Schneier wrote:
>
>> Suddenly there's a flurry of press activity because someone notices
>> that the second key is called "NSAKEY" in the code. Ah ha! The NSA
>> can sign crypto suites. They can use this ability to drop a Trojaned
>> crypto suite into your computers. Or so the conspiracy theory goes.
>
>First of all, implementations that don't use CryptoAPI are secure from
>this, such as SSL and S/MIME in Communicator, and PGP. So only fully MS
>made security systems are affected because they have two trusted "root"
>keys instead of one. Right?

That is correct.

>The question is what actual methods of attack could be used to exchange
>the current Microsoft RSA Base Provider CSP module used by Explorer or
>Outlook with a weakened one that is signed with a key replaced by the
>attacker? And would this attack be so much more difficult than an attack
>which disables the verification instead of changing one of the two keys,
>that it would constitute a significant increase in actual risk of this
>kind of "weaken-the-crypto-suite-attack"?

Don't know. It's a good question.

If I were going to Trojan a crypto API, I would weaken the random
number generation process. Attacking the algorithms would mean that
the Trojaned operating system could not communicate with non-Trojaned
operating systems. Adding a subliminal channel would be too obvious
if noticed. Putting in a lousy PRNG would be viewed as a mistake made
by the original designers.

Bruce

Bruce Schneier

Sep 4, 1999, 3:00:00 AM
On Sat, 4 Sep 1999 00:15:13 -0700, "Roger Schlafly"
<nospam....@cruzio.com> wrote:

>Bruce Schneier wrote in message <37d07e29...@news.visi.com>...
>>I see two possibilities. One, that the backup key is just as
>>Microsoft says, a backup key. It's called "NSAKEY" for some dumb
>>reason, and that's that.
>
>Maybe. Perhaps someone from the NSA suggested using a
>backup key, and the MS programmers called it the NSA key.

Agreed.

>>Two, that it is actually an NSA key. If the NSA is going to use
>>Microsoft products for classified traffic, they're going to install
>>their own cryptography. They're not going to want to show it to
>>anyone, not even Microsoft. They are going to want to sign their own
>>modules. So the backup key could also be an NSA internal key, so that
>>they could install strong cryptography on Microsoft products for their
>>own internal use.
>
>I doubt it. I can understand NSA not wanting to show its crypto
>module to MS, but it wouldn't have to anyway. If the NSA wants
>a CAPI module signed, all it has to do is to give an MD5 hash
>to MS, and MS returns a signature. Quick, and revealing nothing.
>
>I think this second explanation only makes sense if it is part
>of some NSA scheme to plant bogus CAPI modules somewhere.
>Legitimate modules could be signed in the normal way.

I agree, I think. The NSA would not want Microsoft to see their
classified crypto modules, but they could always send Microsoft the
hash and say "sign this."

Roger Schlafly

Sep 4, 1999, 3:00:00 AM
pbboy wrote in message <37D0EA9D...@myspring.com>...

>NSA : "P-p-p-please sign this thingamajig, Mr. Gates. I'll do anything
>you want...I'll be your best friend...!"
>Gates: "HA! Lick my feet! Bow to me, the omnipotent Gates!"
>NSA: *Lick-lick-slobber-slobber* (wipes crusties from mouth, removes gum
>from forehead) (*sniffling*)"Now w-will you sign it?"
>Gates: "No! Do it again, just so you know who's boss!"

<chuckle>

>I don't think so.
>
>Maybe I overestimate the NSA's power, but why would the NSA _ask_ MS for
>anything?!? This is a game, people!

MS is not that powerful yet. MS had to get permission to export CAPI.
If the NSA put minor conditions on the export approval, then MS would
go along with them. Above all, MS wants to make money.


David Wagner

Sep 4, 1999, 3:00:00 AM
In article <37d12503...@news.visi.com>,

Bruce Schneier <schn...@counterpane.com> wrote:
> If I were going to Trojan a crypto API, I would weaken the random
> number generation process.

Yes, and it's trivial to do. Ian Goldberg and I tried the exercise for
Netscape Navigator several years ago, and it took an hour or two. It's
just a 4-byte change (NOP out the call to the procedure that initializes
the RNG with entropy, and you're done).

Lopping off the head of the RNG is much easier to do than inserting a
bogus CryptoAPI module, and is much harder to detect as well.

This _NSAKEY stuff in the newspapers is, IMHO, primarily hype and FUD.

David Wagner

Sep 4, 1999, 3:00:00 AM
In article <7qqgs3$oan$1...@nntp5.atl.mindspring.net>,
Roger Schlafly <nospam....@cruzio.com> wrote:
> Maybe. Perhaps someone from the NSA suggested using a
> backup key, and the MS programmers called it the NSA key.

That is indeed what the MS techies are claiming. It's hard to
verify with 100% certainty, but it's certainly not an implausible
explanation.

Roger Schlafly

Sep 4, 1999, 3:00:00 AM
David Wagner wrote in message
<7qrtjq$old$1...@blowfish.isaac.cs.berkeley.edu>...

Yes, it is plausible, but not terribly convincing either. Why did
MS need 2 keys? Is the concern that MS would lose one private
key? If so, why don't they make 2 copies, instead of using 2 keys?
Is the 2nd key really just a backup, or are there circumstances
in which only one of the keys is used?

I don't think MS is telling us the full story.


David Wagner

Sep 4, 1999, 3:00:00 AM
In article <7qs5q0$1e...@enews4.newsguy.com>,

Roger Schlafly <schl...@cruzio.com> wrote:
> I don't think MS is telling us the full story.

They may not be, but regardless, it doesn't excuse claims that the
"_NSAKEY" lets the NSA spy on every Windows box around the world.
I haven't seen a single shred of evidence for claims like that.

(I realize you're not making those types of claims. I guess I'm just
disappointed with a lot of the reporting on this issue.)

If MS or the NSA have committed some sin here, so far it appears to
be at worst a minor one.

Roger Schlafly

Sep 4, 1999, 3:00:00 AM

David Wagner wrote in message
<7qsihm$ot5$1...@blowfish.isaac.cs.berkeley.edu>...

You gotta admit that it is a tantalizing tidbit of info for the press.
It links two of the great boogeymen of the net -- MS and NSA.
People will believe any conspiracy about either of them, and
this story has both. It is like finding out that Vince Foster had an
affair with Janet Reno. <g>

Why is there a big uproar over the recent revelations about
pyrotechnics being used at Waco, when it is very unlikely that
those pyrotechnics had anything to do with the big fire?
It is because it is a smoking gun that shows that the govt
has been lying and covering up facts about Waco. We don't
like being lied to, and we wonder what they are still lying about.

Likewise, in the view of many, MS and NSA have too much
power, are too secretive, and are not leveling with us. The
"NSAKEY" is evidence of a link, and they are acting like kids
who got caught with their hands in the cookie jar. Until MS
documents CryptoAPI a little better, people are going to be
suspicious.

Gordon Burditt

Sep 5, 1999, 3:00:00 AM
>Microsoft has two keys, a primary and a spare. The Crypto-Gram
>article talked about attacks based on the fact that a crypto suite is
>considered signed if it is signed by EITHER key, and that there is no
>mechanism for transitioning from the primary key to the backup. It's
>stupid cryptography, but the sort of thing you'd expect out of
>Microsoft.
>
>Suddenly there's a flurry of press activity because someone notices
>that the second key is called "NSAKEY" in the code. Ah ha! The NSA
>can sign crypto suites. They can use this ability to drop a Trojaned
>crypto suite into your computers. Or so the conspiracy theory goes.

Convince me that the "NSAKEY" doesn't have at least one use
that has absolutely nothing to do with signed crypto modules.
How do we know that the session key for every message isn't
encrypted with the NSAKEY and included with every message - this
makes ALL traffic readable by NSA. This feature might be
remotely controllable so that extra encrypted session key isn't
so easily noticed, and they can only read traffic for which the
feature has been turned on. Another possibility is to encrypt
the session key and the encrypted message checksum with the NSA key,
then send it over the Internet (if possible) to the NSA.

I don't know a lot about the details of the Crypto API: is it
possible that code in the API itself could leak the session
key to the NSA *independent of the type of encryption implemented
by a module*?

Gordon L. Burditt

Bill Unruh

Sep 5, 1999, 3:00:00 AM

>They may not be, but regardless, it doesn't excuse claims that the
>"_NSAKEY" lets the NSA spy on every Windows box around the world.
>I haven't seen a single shred of evidence for claims like that.

>(I realize you're not making those types of claims. I guess I'm just
>disappointed with a lot of the reporting on this issue.)

>If MS or the NSA have committed some sin here, so far it appears to
>be at worst a minor one.

I do not think you understand cryptography. The key point is that users
are being forced to trust someone else when using something whose
purpose is precisely to protect against betrayal of trust. It is the
duty of the provider to convince the user that they can be trusted. In
all other software, incompetence or maliciousness can usually be
detected in the running or the output. Crypto is precisely something
where you cannot see from the output whether or not the crypto is
working.

I.e., it is the company who must, beyond a reasonable doubt, prove itself
trustworthy if they are to sell crypto, without source code so that the
consumer can check for themselves. It is not the consumer who must prove
lack of trust beyond a reasonable doubt.

MS has committed a sin in not explaining beforehand exactly what their
crypto api did and how it worked. They have compounded it by their
idiotic defense of their actions, and their continued refusal to come
clean.

The whole point of crypto is trust, and they have destroyed that trust.


Dave Salovesh

Sep 5, 1999, 3:00:00 AM
In article <7qqgs3$oan$1...@nntp5.atl.mindspring.net>,
"Roger Schlafly" <nospam....@cruzio.com> opined:

>Maybe. Perhaps someone from the NSA suggested using a
>backup key, and the MS programmers called it the NSA key.

See <http://www.radium.ncsc.mil/tpep/process/faq-sect2.html#Q4>

"The NSA is prohibited by the Computer Security Act of 1987 from
attempting to directly address the needs of commercial systems."


SCOTT19U.ZIP_GUY

Sep 5, 1999, 3:00:00 AM

But the whole point of Microsoft is to make Gates stay the richest
man in the world. What you said is very true. But I have faith in the power
of the "SPIN DOCTORS". Look what they have done for Clinton. Here we
have a man that disgraced the office of the president like no other man
on earth. Surely these masters will convince the public to continue worship
at the altar of Microsoft. I for one would like to use Linux on my next
machine. It's free and open source. But the masses want to be led and
they feel obligated to pay for the privilege of being led.

SCOTT19U.ZIP_GUY

Sep 5, 1999, 3:00:00 AM

Does this have the same legal validity as the FBI that was ordered years
ago to comply with turning over of all Waco evidence? Or does it have
any more meaning than the President telling the truth in a court? Of
course not. Laws that affect the NSA are only for the calming of the
public; they have nothing to do with the actions of the NSA. People
who think the government makes laws for the government to obey
are fools. The government does what the fuck it wants regardless of
the laws that get in its way. Sure every so often something token
happens so that the masses think the laws mean something but
all laws mean is that if you lack money you are subject to them.
Wake up. Look what the Clinton gang has done: they sold our
weapons technology to the Chinese for campaign money and Reno
sits on her ass doing nothing to punish the gang running the White
House.
Now tell me again how this law is going to mean shit to the
NSA which considers itself above any law.

SCOTT19U.ZIP_GUY

Sep 5, 1999, 3:00:00 AM
In article <7qsu7i$1t...@enews4.newsguy.com>, "Roger Schlafly" <schl...@cruzio.com> wrote:
>
>David Wagner wrote in message
><7qsihm$ot5$1...@blowfish.isaac.cs.berkeley.edu>...
>>In article <7qs5q0$1e...@enews4.newsguy.com>,
>>Roger Schlafly <schl...@cruzio.com> wrote:
>>> I don't think MS is telling us the full story.
>>
>>They may not be, but regardless, it doesn't excuse claims that the
>>"_NSAKEY" lets the NSA spy on every Windows box around the world.
>>I haven't seen a single shred of evidence for claims like that.
>>
>>(I realize you're not making those types of claims. I guess I'm just
>>disappointed with a lot of the reporting on this issue.)
>>
>>If MS or the NSA have committed some sin here, so far it appears to
>>be at worst a minor one.
>
>You gotta admit that it is a tantalizing tidbit of info for the press.
>It links two of the great boogeymen of the net -- MS and NSA.
>People will believe any conspiracy about either of them, and
>this story has both. It is like finding out that Vince Foster had an
>affair with Janet Reno. <g>
>
>Why is there a big uproar over the recent revelations about
>pyrotechnics being used at Waco, when it is very unlikely that
>those pyrotechnics had anything to do with the big fire?
>It is because it is a smoking gun that shows that the govt
>has been lying and covering up facts about Waco. We don't
>like being lied to, and we wonder what they are still lying about.
>
Actually we are becoming like a banana republic (no offense
intended for those living in such places); people there expect their
governments to lie. I think the democrats created this whole
Clinton mess so that the public with the help of the liberal news
media would get the populace used to lying bastards in office
so that the breaking of laws and trampling on our freedoms
will become the accepted way of normal government processes.
I think the liberals with their lies have almost won. The public
really no longer cares about being lied to. I truly think Clinton
could rape in front of the TV cameras miss AMerica and then spin
it so it looked like he was doing her a favor and all the women's
groups would agree. Of course Congress would not have the balls
to lift a finger.

>Likewise, in the view of many, MS and NSA have too much
>power, are too secretive, and are not leveling with us. The
>"NSAKEY" is evidence of a link, and they are acting like kids
>who got caught with their hands in the cookie jar. Until MS
>documents CryptoAPI a little better, people are going to be
>suspicious.
>

Have some balls and don't tell the people to "WAIT FOR MS"
to fix or document something. That is a game Microsoft has been
playing for years. The time is right; let's try to get the masses to
move to OPEN SOURCE code like LINUX.

Anders Henriksson

Sep 5, 1999, 3:00:00 AM
pbboy <pb...@myspring.com> wrote:
>Maybe I overestimate the NSA's power, but why would the NSA _ask_ MS for
>anything?!?

Ever heard of the saying "Never ask for anything which you can't take"?
Why waste resources. If you're powerful enough people won't object.

>HEHE! Do you really think, IF the NSA were to use any MS products, they
>would actually pay for the licenses?

Yes. It wouldn't be worth the possible trouble if they didn't. If I were
them, I'd give M$ a huge wad of cash and say "We'd like an unlimited
number of licenses for all of your products." As money's no problem for
them, license fees are no worry, but the number of licenses is, as it
can be used to determine computing power. If the cash pile is huge enough,
M$ probably wouldn't mind...

/Anders
--
Right after Armageddon, using your temperature calibration instruments
may come in a little low on Maslow's hierarchy of needs. Food, shelter
and ISO 9000 compliance may come first...
-- Hart Scientific unofficial y2k page

Anders Henriksson

Sep 5, 1999, 3:00:00 AM
Roger Schlafly <schl...@cruzio.com> wrote:
>Yes, it is plausible, but not terribly convincing either. Why did
>MS need 2 keys? Is the concern that MS would lose one private
>key? If so, why don't they make 2 copies, instead of using 2 keys?
>Is the 2nd key really just a backup, or are there circumstances
>in which only one of the keys is used?

(Note: Pure speculations ahead...)

It could be a _very_ simplistic way to regulate the possibilities to
use encryption outside the US. Have one key for domestic (strong)
cryptos, and the other for export rated cryptos.[1] Creating an export
rated version would then include wiping the domestic key, rendering
illegally exported domestic modules unloadable.

It wouldn't hold for very long as the key could be exported and
reinstalled too, but it might keep Average Joe out of the strong
cryptography business. (The persistent, skilled guys wouldn't
be stoppable anyway...)

/Anders
[1] Does anyone know if the "backup" key has been used for any module
out there?

Anders Henriksson

Sep 5, 1999, 3:00:00 AM
Gordon Burditt <gordon...@sneaky.lerctr.org> wrote:
>I don't know a lot about the details of the Crypto API: is it
>possible that code in the API itself could leak the session
>key to the NSA *independent of the type of encryption implemented
>by a module*?

If they have separated the PRNG from the crypto modules, they could
in theory do that, but I doubt they would. The problem here is
obtaining a covert channel to NSA computers in time. A separate connection
would be easily spotted, if not on the local machine then in routers
and firewalls.

You could of course piggyback the covert information onto the
cryptoblock being sent, but this might attract hacker attention
(unlabeled reserved blocks often do...) and/or break compatibility
with independent products.

It's much easier to weaken the key generation or PRNG.

/Anders

Bruce Schneier

Sep 5, 1999, 3:00:00 AM
On Sun, 05 Sep 1999 01:08:58 -0400, Dave Salovesh <dar...@erols.com>
wrote:

>In article <7qqgs3$oan$1...@nntp5.atl.mindspring.net>,
>"Roger Schlafly" <nospam....@cruzio.com> opined:
>
>>Maybe. Perhaps someone from the NSA suggested using a
>>backup key, and the MS programmers called it the NSA key.
>
>See <http://www.radium.ncsc.mil/tpep/process/faq-sect2.html#Q4>
>
>"The NSA is prohibited by the Computer Security Act of 1987 from
>attempting to directly address the needs of commercial systems."

Oh come now. They've ignored that prohibition so many times that they
probably have forgotten that it ever existed.

David Wagner

Sep 5, 1999, 3:00:00 AM
In article <7qsu7i$1t...@enews4.newsguy.com>,
Roger Schlafly <schl...@cruzio.com> wrote:
> Likewise, in the view of many, MS and NSA have too much
> power, are too secretive, and are not leveling with us.

Fine. You're saying the "_NSAKEY" is just a symptom of an underlying
problem (namely, that MS uses closed source for security-critical projects).
Of course, this is a problem we've known about for a long time, and it's
hardly the first time we've seen a conspicuous symptom of the problem.

But regardless: If it's just a symptom, why are there huge headlines
reporting that, thanks to the "_NSAKEY", the NSA may be able to spy on
every Windows machine in the world? If it is indeed just yet another
symptom of the problem, then all those reports are misleading, deceptive,
and overblown.

David Wagner

Sep 5, 1999, 3:00:00 AM
In article <7qssrm$hb8$1...@nntp.itservices.ubc.ca>,
Bill Unruh <un...@physics.ubc.ca> wrote:
> The key point is that users
> are being forced to trust someone else when using something whose
> purpose is precisely to protect against betrayal of trust.

That's always been true. The "_NSAKEY" key changes nothing in this regard.
So why is it front-page news? Answer: (largely) hype and FUD.

> I do not think you understand cryptography.

No, not nearly as well as I'd like to...

Douglas A. Gwyn

Sep 6, 1999, 3:00:00 AM
David Wagner wrote:
> But regardless: If it's just a symptom, why are there huge headlines
> reporting that, thanks to the "_NSAKEY", the NSA may be able to spy on
> every Windows machine in the world?

Heh, heh, I have an "NSA Hitachi" monitor on my desk...
Must have a hidden camera in it?

Red_Blue

Sep 6, 1999, 3:00:00 AM
David Wagner wrote:

> Roger Schlafly <schl...@cruzio.com> wrote:
> > I don't think MS is telling us the full story.
>
> They may not be, but regardless, it doesn't excuse claims that the
> "_NSAKEY" lets the NSA spy on every Windows box around the world.
> I haven't seen a single shred of evidence for claims like that.

Nor have I. Exploiting this would require NSA (or anyone having that
extra key) to replace the default CSP with a weakened one. There are
several dll files and registry keys involved. Even if that new module is
signed so that CrAPI will run it, the attack must be done so that it
produces no output to alert the user, or to disguise it for something
innocent. If you can get someone to run a trojan that replaces a CSP
module, then I guess you can use a trojan that does much worse things! Or
weakens the cryptosystems in some easier, yet harder to detect, ways.
Besides, if that would be easy, then anyone could do that, not only the
true holder of that second key, because that second key can be so easily
substituted.
So I don't think this NSA-key issue is a big threat after all. I think
the method enabling the use of stronger modules than original without
having them signed by MS is the really IMPORTANT issue here. Wasn't this
signed CSP system designed by MS just to get export permission for CrAPI
in the first place? Not that I support using CrAPI given its other
weaknesses, such as private key export issues. Or any MS security
function given the reputation MS has in dealing with security issues.

Jere Hakanen


pbboy

Sep 6, 1999, 3:00:00 AM

Anders Henriksson wrote:

> pbboy <pb...@myspring.com> wrote:
> >Maybe I overestimate the NSA's power, but why would the NSA _ask_ MS for
> >anything?!?
>
> Ever heard of the saying "Never ask for anything which you can't take"?
> Why waste resources. If you're powerful enough people won't object.
>

Putting an operator in the largest software company in the world is a waste of
resources....? Hmmm, think about that one.

>
> >HEHE! Do you really think, IF the NSA were to use any MS products, they
> >would actually pay for the licenses?
>
> Yes. It wouldn't be worth the possible trouble if they didn't. If I were
> them, I'd give M$ a huge wad of cash and say "We'd like an unlimited
> number of licenses for all of your products." As money's no problem for
> them, license fees are no worry, but the number of licenses are as it
> can be used to determine computing power. If the cash pile is huge enough,
> M$ probably wouldn't mind...
>

I agree, IF the NSA actually used Windows...

pbboy


Geoff Thorpe

Sep 6, 1999, 3:00:00 AM
Hi there,

Bruce Schneier wrote:
[various speculations about the NSAKEY story]

As Peter Gutmann pointed out quite some time ago (see
http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms3.txt for some
background), CryptoAPI has such gaping holes in it that to call it swiss
cheese would be to bestow too much structural value to it. Cheese
requires a lot more heat (or time) to melt.

The CryptExportKey() API function, present in the base CSP providers (as
used by Outlook, IE, etc etc), will happily export private keys. It also
doesn't take a password. Perhaps one possible use of NSAKEY is that it
somehow simplifies the process of planting executable (executing would
be more accurate) code on the destination PC to call this function?

The fact this API call is there is scary, but one still needs code to
call it. If NSAKEY is as dark and sinister as some would like to
speculate, then it could possibly provide a way to exploit this deformity
of CryptoAPI with minimal fuss and bother. Whether this key allows one
to do such things, or whether it's there purely to sign CSPs, I do not
know. I'd welcome anyone's thoughts (except David Scott) on this idea.

Cheers,
ME

SCOTT19U.ZIP_GUY

Sep 6, 1999, 3:00:00 AM

I wasn't going to comment much on this thread since it is obvious to
most what I think the main purpose of the NSA is. However since you
went out of your way to request a reply and you seem to miss my writings
I will reply. I feel the spin doctors will downplay the whole thing and
people will continue to shell out money to Microsoft to get inferior bug
ridden software that they could get for free if they used Linux. Yes people
are stupid and the spin masters know it. I guess I should feel lucky to be in
the country that will benefit most from the rape of information from the
people in dumber countries. I guess I should be happy our companies will
continue to get the inside scoop on contract bids and such because if the
Europeans are too stupid to think for themselves maybe they are better off
under our control. We can continue to buy their politicians with the money
we steal from them. So go ahead Europe make OUR day. Oh that goes
for New Zealand I just hope they leave enough cash there so they can
continue to make XENA.

Douglas A. Gwyn

Sep 6, 1999, 3:00:00 AM
"SCOTT19U.ZIP_GUY" wrote:
> people will continue to shell out money to Microsoft to get inferior
> bug ridden software that they could get for free if they used Linux.

That's pretty funny!
"Why go elsewhere to be cheated when you can come to us!"

Jim Nelson

Sep 6, 1999, 3:00:00 AM

"SCOTT19U.ZIP_GUY" wrote:
> people will continue to shell out money to Microsoft to get inferior bug
> ridden software that they could get for free if they used Linux. Yes people
> are stupid

Scott: if your crypto doesn't pan out, perhaps you might consider being a
spokesman for RedHat or LinuxCare.

Jim Nelson

Thomas J. Boschloo

Sep 6, 1999, 3:00:00 AM
Roger Schlafly wrote:
>
> David Wagner wrote in message
> <7qrtjq$old$1...@blowfish.isaac.cs.berkeley.edu>...
> >In article <7qqgs3$oan$1...@nntp5.atl.mindspring.net>,
> >Roger Schlafly <nospam....@cruzio.com> wrote:
> >> Maybe. Perhaps someone from the NSA suggested using a
> >> backup key, and the MS programmers called it the NSA key.
> >
> >That is indeed what the MS techies are claiming. It's hard to
> >verify with 100% certainty, but it's certainly not an implausible
> >explanation.
>
> Yes, it is plausible, but not terribly convincing either. Why did
> MS need 2 keys? Is the concern that MS would lose one private
> key? If so, why don't they make 2 copies, instead of using 2 keys?
> Is the 2nd key really just a backup, or are there circumstances
> in which only one of the keys is used?
>
> I don't think MS is telling us the full story.

What MS is telling us, is that it is a backup key, put there to get NSA
approval <http://www.microsoft.com/security/bulletins/backdoor.asp>:

> *Why is the backup key labeled "NSA key"?*
> This is simply an unfortunate name. The NSA performs the technical
> review for all US cryptographic export requests. The keys in question are
> the ones that allow us to ensure compliance with the NSA's technical
> review. Therefore, they came to be known within Microsoft as "the NSA
> keys", and this name was included in the symbol information for one of
> the keys. However, Microsoft holds these keys and does not share them
> with anyone, including the NSA.

Microsoft's explanation "Why is a backup key needed?" is bogus (they
claim it would be needed for when the building in which it is kept is
destroyed by a natural disaster, LOL).

But this day I thought of the following explanation:

What if the designers of MS Windows put the second key there to be able
to upgrade to a new Windows OS, without the crypto mess they made of the
current one?

Users of the old Windows versions could keep using the new crypto
routines that were signed with the second key (_NSAKEY), but their
security would suck because Microsoft made such a mess of the routines
signed with the first key (_KEY). The new Windows version however would
not have the first key (_KEY) coded into it, so the old, messy, crypto
routines wouldn't work in the new OS, making it more secure!

Am I making any sense?,
Thomas
--
AMD K7 Athlon 650 Mhz! <http://www.bigbrotherinside.com/#help>

PGP key: http://x11.dejanews.com/getdoc.xp?AN=453727376
Email: boschloo_at_multiweb_dot_nl


Dave Salovesh

Sep 6, 1999, 3:00:00 AM
In article <37d4bfc1...@news.visi.com>,
schn...@counterpane.com (Bruce Schneier) opined:

>Oh come now. They've ignored that prohibition so many times that they
>probably have forgotten that it ever existed.

Of course. I only meant that due to this public stance MS can't give
any explanation which involves NSA assistance. But this isn't really
about the NSA. If they've done anything, it's only what they've been
tasked to, laws be damned. Note that the NSA has said absolutely
nothing about this entire situation.

I'll try to keep this away from politics and MS bashing, but it seems
inherently political and like a (another) MS foul up.

I'm amused at <http://www.microsoft.com/security/bulletins/backdoor.asp>
where MS seems to be offering two stories at once; it's a backup in case
Mt. Rainier blows the entire state of Washington off the map, and it's
called what it's called because it's a key that allows them to ensure
compliance with the NSA's technical review.

In short, I say that means MS doesn't hold its important keys safely,
and that export control is entirely and improperly in the hands of MS.

In the details of the "backup" story, they say they want to be sure that
everything could function normally if the main secret key were
destroyed. I've considered that perhaps they would try to be strict and
keep only one copy of the main key, which would make it more vulnerable
to damage, but that can't be the case. There's more risk to having a
second valid key properly stored away from the main one than there would
be in having multiple copies of the main key.

And the symbol names just don't make sense - the name "NSAKEY" wouldn't
arise spontaneously for the second key. There must be some reason it
was called what it was called. That's why they give us the second
story:

The keys - either or both of them - are there so MS can ensure
compliance with technical review of export requests, which is done by
the NSA, and that's why MS refers to -one- of them as the NSA key.

If this is export control, it's broken.

Effective export control would mean (to me, anyway) that a vendor must
go to extra lengths to get exportable modules approved. For
installation in a domestic copy, only the vendor signature would be
needed. For installation in an exported copy, both the vendor signature
and an export approval signature would need to be present.

Even though that's how (I think) it should work, and even though that
would be an entirely reasonable explanation for why there's an export
control key called "NSAKEY", that's not what MS says is happening.

Since only MS holds these keys, they're saying there's nothing to
prevent them from signing any module they want to. NSA technical review
has nothing to do with this, at least through the stories MS is telling.


Trevor Jackson, III

Sep 6, 1999, 3:00:00 AM
Geoff Thorpe wrote:

> Hi there,
>
> Bruce Schneier wrote:
> [various speculations about the NSAKEY story]
>
> As Peter Gutmann pointed out quite some time ago (see
> http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms3.txt for some
> background), CryptoAPI has such gaping holes in it that to call it swiss
> cheese would be to bestow too much structural value to it. Cheese
> requires a lot more heat (or time) to melt.
>
> The CryptExportKey() API function, present in the base CSP providers (as
> used by Outlook, IE, etc etc), will happily export private keys. It also
> doesn't take a password. Perhaps one possible use of NSAKEY is that it
> somehow simplifies the process of planting executable (executing would
> be more accurate) code on the destination PC to call this function?
>
> The fact this API call is there is scary, but one still needs code to
> call it. If NSAKEY is as dark and sinister as some would like to
> speculate, then it could possibly provide a way to exploit this deformity
> of CryptoAPI with minimal fuss and bother. Whether this key allows one
> to do such things, or whether it's there purely to sign CSPs, I do not
> know. I'd welcome anyone's thoughts (except David Scott) on this idea.

This is an interesting aspect of the situation. Given that an "extra" key
exists, what other functionality might it have? Any answer to that
question is going to be speculation at this point. However, we cannot rule
out the possibility that the NSAKEY has capabilities that the main
crypto-signing key does not.

What possible "other" uses could be made of the "extra" key that one would
not want to have managed by the main crypto key? It may be that there are
places where the capabilities of the secondary key exceed those of the main
key. This of course due to the fact that having the main key control the
extra capabilities would reveal those capabilities that should not be
revealed.


David Wagner

Sep 6, 1999, 3:00:00 AM
In article <SiDUN=ypezL5fgf4B...@4ax.com>,
Dave Salovesh <dar...@erols.com> wrote:
> I'm amused at <http://www.microsoft.com/security/bulletins/backdoor.asp>
> where MS seems to be offering two stories at once; it's a backup in case
> Mt. Rainier blows the entire state of Washington off the map, and it's
> called what it's called because it's a key that allows them to ensure
> compliance with the NSA's technical review.

The two aren't at all incompatible, and they seem to be just two different
parts of a single whole story.

Microsoft is apparently claiming that when they went for the export
review, the NSA suggested they include a backup key. This mystified MS,
but they went ahead and did it. As a result of the strange request, the
programmers internally call it "the NSA key", since the NSA asked for it.
Thus the "_NSAKEY" label on it in the code.

That's Microsoft's story, anyway. It's hard to verify for certain,
but it's not implausible...

Douglas A. Gwyn

Sep 7, 1999, 3:00:00 AM
"Trevor Jackson, III" wrote:
> This is an interesting aspect of the situation. Given that an "extra" key
> exists, what other functionality might it have? Any answer to that
> question is going to be speculation at this point. However, we cannot rule
> out the possibility that the NSAKEY has capabilities that the main
> crypto-signing key does not.

Sure we can. Just look at how it is used: it is used to authenticate
if and only if the main MS key fails to authenticate.

The only really interesting thing about this is that it appears that
somebody at MS decided to add the backup key for a particular purpose
(to allow export-control evaluation without having to hand over MS's
private key), but didn't first perform a thorough analysis of the
modified protocol. As I noted in an earlier posting, whoever has
possession of the private portion of the backup key can arrange for
crypto modules that he provides to appear to be "certified" even
though MS's certification authority is not in the loop. I suspect
that was not realized by the person(s) who decided to include the
backup key, or else they realized this but decided the risks were
less than if Commerce/NSA/whoever were to be given the MS private
key. They really should have let everybody know about this from
the outset.

Paul Crowley

Sep 7, 1999, 3:00:00 AM
d...@blowfish.isaac.cs.berkeley.edu (David Wagner) writes:
> Microsoft is apparently claiming that when they went for the export
> review, the NSA suggested they include a backup key. This mystified MS,
> but they went ahead and did it. As a result of the strange request, the
> programmers internally call it "the NSA key", since the NSA asked for it.
> Thus the "_NSAKEY" label on it in the code.
>
> That's Microsoft's story, anyway. It's hard to verify for certain,
> but it's not implausible...

Except for one problem: as far as anyone can see, the idea of a backup
key is stupid and pointless. I can't see *any* goal that it meets
that isn't met by having two copies of the primary key. Both
possibilities have essentially the same consequences in the case of

* loss of one key
* loss of both keys
* compromise of one key
* compromise of both keys

and so the only difference seems to be some extra bloat in every
Windows installation.

If they want to protect the key, why don't they use secret sharing?
Or require threshold certificates (eg 3 out of 5) to verify modules?
Can anyone see a legitimate purpose of this measure?
--
__
\/ o\ pa...@hedonism.demon.co.uk Got a Linux strategy? \ /
/\__/ Paul Crowley http://www.hedonism.demon.co.uk/paul/ /~\

Douglas A. Gwyn

Sep 7, 1999, 3:00:00 AM
Paul Crowley wrote:
> Except for one problem: as far as anyone can see, the idea of a backup
> key is stupid and pointless. I can't see *any* goal that it meets
> that isn't met by having two copies of the primary key.

Then you haven't been paying attention. The backup key allows MS
to get the product certified for export without having to hand over
their private key.

Ed Kubaitis

Sep 7, 1999, 3:00:00 AM
Paul Crowley wrote:
>
> d...@blowfish.isaac.cs.berkeley.edu (David Wagner) writes:
> > Microsoft is apparently claiming that when they went for the export
> > review, the NSA suggested they include a backup key. This mystified MS,
> > but they went ahead and did it. As a result of the strange request, the
> > programmers internally call it "the NSA key", since the NSA asked for it.
> > Thus the "_NSAKEY" label on it in the code.
> >
> > That's Microsoft's story, anyway. It's hard to verify for certain,
> > but it's not implausible...
>
> Except for one problem: as far as anyone can see, the idea of a backup
> key is stupid and pointless. I can't see *any* goal that it meets
> that isn't met by having two copies of the primary key. Both
> possibilities have essentially the same consequences in the case of
>
> * loss of one key
> * loss of both keys
> * compromise of one key
> * compromise of both keys
>
> and so the only difference seems to be some extra bloat in every
> Windows installation.
>
> If they want to protect the key, why don't they use secret sharing?
> Or require threshold certificates (eg 3 out of 5) to verify modules?
> Can anyone see a legitimate purpose of this measure?
> ...

Well, I guess it would make sense if the private keys went from cradle
to grave inside of "FIPS 140-1 level 4" tamper-responding hardware,
such as the IBM 4758 (http://www.ibm.com/security/cryptocards/)

Then, the second key (presumably located far away) could be used as
a backup if a disaster of some sort caused the primary key store to
"zeroize" itself.

But one would think Microsoft would have mentioned that in their
press release if it were true.

--------------------------
Ed Kubaitis (e...@uiuc.edu)
CCSO - University of Illinois - Urbana-Champaign

DJohn37050

Sep 7, 1999, 3:00:00 AM
Here is an obvious reason to have 2 keys, to not put all one's eggs in one
basket, just as they said: If the first key is broken, then the second key can
become the new primary key and a new key installed and the broken one taken
away. After all, what if the first key was broken by someone just guessing a
prime factor? I agree not likely, but what if? Just quit and go home, NO.
Don Johnson

spam...@nil.nil

Sep 7, 1999, 3:00:00 AM
Douglas A. Gwyn <gw...@arl.mil> wrote:

> Paul Crowley wrote:
>> Except for one problem: as far as anyone can see, the idea of a backup
>> key is stupid and pointless. I can't see *any* goal that it meets
>> that isn't met by having two copies of the primary key.

> Then you haven't been paying attention. The backup key allows MS
> to get the product certified for export without having to hand over
> their private key.

Does this imply that they did (or may in the future) have to turn over
this secondary private key?

How could a key not known by the government be used for "certification?"

Is the option to give the government access to the OS at the level of
certifying components (which MS may have achieved by providing a secondary
key and thus not have to turn over their primary key) what was necessary
for "certification?"

spam...@nil.nil

Sep 7, 1999, 3:00:00 AM
DJohn37050 <djohn...@aol.com> wrote:
> Here is an obvious reason to have 2 keys, to not put all one's eggs in one
> basket, just as they said: If the first key is broken, then the second key can
> become the new primary key and a new key installed and the broken one taken
> away. After all, what if the first key was broken by someone just guessing a

If the first key is broken, why not use a backup of the first key?

If the first key is revocable or broken the OS will fail unless components
are always certified by both keys.

Are components now certified by both keys?

Giving an attacker two keys, cracking either of which provides
certification authority, does not seem to increase security.

Trevor Jackson, III

Sep 7, 1999, 3:00:00 AM
Douglas A. Gwyn wrote:

> "Trevor Jackson, III" wrote:
> > This is an interesting aspect of the situation. Given that an "extra" key
> > exists, what other functionality might it have? Any answer to that
> > question is going to be speculation at this point. However, we cannot rule
> > out the possibility that the NSAKEY has capabilities that the main
> > crypto-signing key does not.
>
> Sure we can. Just look at how it is used: it is used to authenticate
> if and only if the main MS key fails to authenticate.

That is one use. Are you claiming that there is proof that there are no other
uses of it?

Dave Salovesh

Sep 7, 1999, 3:00:00 AM
In article <37D51E49...@arl.mil>,
"Douglas A. Gwyn" <gw...@arl.mil> opined:

>Then you haven't been paying attention. The backup key allows MS
>to get the product certified for export without having to hand over
>their private key.

A backup is only a backup if you don't use it for anything else.

I think what you're getting at is that export approved CSPs would carry
both an MS signature and a signature from the reviewer. If the backup
key is used to check for export approval:

1) It's not a backup.

2) MS could say so (the existence of such a key wouldn't be a secret, it
would be national security policy).

3) MS wouldn't be the sole holder of the keys, as they've claimed.


jsa...@ecn.ab.ca

Sep 8, 1999, 3:00:00 AM
Thomas J. Boschloo (nos...@multiweb.nl) wrote:
: Microsoft's explanation "Why is a backup key needed?" is bogus (they
: claim it would be needed for when the building in which it is kept is
: destroyed by a natural disaster, LOL).

Well, while keeping two copies of the key would solve that, two copies of
the same secret key won't help if one key is _compromised_. For that, a
second key, to which the corresponding secret key is stored _elsewhere_,
would serve a useful backup function.

John Savard

Geoff Thorpe

Sep 8, 1999, 3:00:00 AM
"SCOTT19U.ZIP_GUY" wrote:
> I wasn't going to comment much on this thread since it is obvious to
> most what I think the main purpose of the NSA is. However since you
> went out of your way to request a reply and you seem to miss my writings
> I will reply. I feel the spin doctors will downplay the whole thing and
> people will continue to shell out money to Microsoft to get inferior bug
> ridden software that they could get for free if they used Linux. Yes people
> are stupid and the spin masters know it. I guess I should feel lucky to be in
> the country that will benefit most from the rape of information from the
> people in dumber countries. I guess I should be happy our companies will
> continue to get the inside scoop on contract bids and such because if the
> Europeans are too stupid to think for themselves maybe they are better off
> under our control. We can continue to buy their politicians with the money
> we steal from them. So go ahead Europe make OUR day. Oh that goes
> for New Zealand I just hope they leave enough cash there so they can
> continue to make XENA.

[perhaps the gene pool could use some chlorine] ... David, I write
crypto outside the US and the US export regulations make my job less
competitive than it would be without the regulations. I don't know
whether to feel sorry for the US or laugh, I guess it depends on who
we're talking about. On the one hand US foreign policy rightly invites
ridicule and (at times) indignation, but on the other hand those
responsible for such foreign policy and export regulation are largely
the same, and are very distinct from the people who are hurt by all this
- for them I have to feel profoundly sad. If you regard us all as
"dumber countries" then I suggest you observe carefully who is allowed
to export crypto product to who. Also, take a look at the post-graduate
departments (especially maths, comp sci and other such sciences) in the
US - they've got the money and facilities, but often have 50% or more
international students (complete with scholarships) because not enough
US kids want to educate themselves. Compare it on levels of education,
culture, language, worldliness - doesn't really matter ... you might
find that the US isn't as all-powerful as you might imagine. But why am
I addressing that point? - those in the US who do know the difference
would never try to make a point like those you just tried to put
forward.

On top of that, I use Linux myself and work with a whole raft of
platforms - the list of which has Microsoft operating systems very near
the bottom.

So you'd probably expect me to agree with your points perhaps? David, I
think you're a paranoid and what you say is so littered with mindless
verbiage that when you manage to squeeze out one or two salient points
they become completely lost in the massive noise you otherwise flood
this list with.

FYI: The main reason they make Xena (and Hercules, and upcoming movies
like King Kong and Lord of the Rings, etc) in NZ is simply because it's
cheaper to fly out there, hire competent people and make the program for
a fraction of the cost they would have if they stayed at home within the
confines of the sterile unionised facile monolith that is the US
entertainment industry. Much like your posting, the US entertainment
industry occasionally offers up something not entirely mindless, but it
is usually buried so deeply within the sheer volume of muck that it is
hardly worth the effort sifting for.

Regards (of a sort),
Geoff

Paul Crowley

Sep 8, 1999, 3:00:00 AM
"Douglas A. Gwyn" <gw...@arl.mil> writes:

> Paul Crowley wrote:
> > Except for one problem: as far as anyone can see, the idea of a backup
> > key is stupid and pointless. I can't see *any* goal that it meets
> > that isn't met by having two copies of the primary key.
>
> Then you haven't been paying attention.

Please don't do this; no good end is served by it. In point of fact,
I have been paying close attention.

> The backup key allows MS to get the product certified for export
> without having to hand over their private key.

If what MS claim is true (the scenario I was discussing) then they are
the only holders of both private keys, so I don't see why the export
certifiers would prefer this situation. Perhaps you could clarify?

Paul Crowley

Sep 8, 1999, 3:00:00 AM
jsa...@ecn.ab.ca () writes:
> Well, while keeping two copies of the key would solve that, two copies of
> the same secret key won't help if one key is _compromised_. For that, a
> second key, to which the corresponding secret key is stored _elsewhere_,
> would serve a useful backup function.

I've asked this in another thread, but I really don't see how. If a
key is compromised, MS will have to encourage everyone to stop
trusting that key. In particular, they'll have to distribute a
CryptoAPI module "revoking" that key; in other words a module signed
with the compromised key that removes that key from CryptoAPI and
(most likely) replaces it with a new, trusted one. Modules everywhere
signed with the old key will need a new signature from another key
that is trusted; the new key will be great for this job.

In either scenario, systems that *don't* replace the key are in the
same boat: they'll accept modules signed with the compromised key,
including old modules.

In either scenario, systems that *do* replace the key are in the same
boat: they'll have to fetch new, re-signed versions of all their old
CryptoAPI modules, but they'll be safe against the compromise.
They'll no longer install the revocation certificate, but that's OK,
they don't need to.

I still can't see what's gained.

If they really wanted security against key destruction and compromise,
they would have used threshold certificates: distribute three public
keys with every Windows, and require CryptoAPI modules to be signed by
two of them.
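
The two acceptance policies contrasted in this thread (a module is accepted if EITHER trusted key signed it, versus the 2-of-3 threshold suggested in the post above), as an added example that is not part of any post and is not Microsoft's code. Lamport one-time hash signatures stand in for the real signature scheme so the block needs only the standard library; every name and the sample module bytes are constructed.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret of each pair, chosen by the message digest bits.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def count_valid(trusted, msg, sigs):
    # Each trusted key counts at most once, however many signatures are supplied.
    return sum(any(verify(pk, msg, s) for s in sigs) for pk in trusted)

def accept_either(trusted, msg, sigs):
    # Policy discussed in the thread: any one trusted key is enough.
    return count_valid(trusted, msg, sigs) >= 1

def accept_threshold(trusted, msg, sigs, k=2):
    # Policy proposed in the post: k distinct trusted keys must have signed.
    return count_valid(trusted, msg, sigs) >= k

def demo():
    keys = [keygen() for _ in range(3)]
    trusted = [pk for _, pk in keys]
    good = b"constructed module: vendor CSP"
    evil = b"constructed module: unapproved CSP"
    leaked = keys[0][0]  # assumption: the private half of key 0 is compromised
    forged = [sign(leaked, evil), sign(leaked, evil)]  # same key presented twice
    resigned = [sign(keys[1][0], good), sign(keys[2][0], good)]
    return {
        "either_accepts_forgery": accept_either(trusted[:2], evil, forged),
        "threshold_accepts_forgery": accept_threshold(trusted, evil, forged),
        "threshold_works_without_key0": accept_threshold(trusted, good, resigned),
    }
```

With one key leaked, the either-key policy accepts the unapproved module, while the threshold policy rejects it and still accepts modules signed by the two remaining keys, so neither loss nor compromise of a single key forces a re-keying of every installed system.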

Jim Russell

Sep 8, 1999, 3:00:00 AM9/8/99
to
BillU> I do not think you understand cryptography.

DavidW> No, not nearly as well as I'd like to...

Bill, you should note that David is being unduly modest here. Perhaps
you should drop by counterpane.com, and find out who the creators of the
Twofish algorithm are.

Jim Russell
LockStar, Inc.

SCOTT19U.ZIP_GUY

Sep 8, 1999, 3:00:00 AM9/8/99
to
Wake up, it was satire and humor. Of course I don't really think other
countries are dumber (unless they keep letting the US rob them blind).
I have met people who have left the US for New Zealand; some like it.
Some say it is too socialistic. I like the weather and at one time thought
of moving there myself. I know one person who went there for several
years and came back (I wish he would have stayed).
I have not really looked at moving there for several years and most
likely am no longer eligible since at my age I think you need more
cash or connections to get in. As I remember though they seemed to
put a high premium on skin color too and I have some dark friends who
hate the place.

Trevor Jackson, III

Sep 8, 1999, 3:00:00 AM9/8/99
to

Geoff Thorpe wrote:

> [perhaps the gene pool could use some chlorine] ... David, I write
> crypto outside the US and the US export regulations make my job less
> competitive than it would be without the regulations. I don't know
> whether to feel sorry for the US or laugh,

Both of course.

> I guess it depends on who
> we're talking about. On the one hand US foreign policy rightly invites
> ridicule and (at times) indignation, but on the other hand those
> responsible for such foreign policy and export regulation are largely
> the same, and are very distinct from the people who are hurt by all this
> - for them I have to feel profoundly sad. If you regard us all as
> "dumber countries" then I suggest you observe carefully who is allowed
> to export crypto product to who. Also, take a look at the post-graduate

These are the typical symptoms of a climax culture.


Trevor Jackson, III

Sep 8, 1999, 3:00:00 AM9/8/99
to
jsa...@ecn.ab.ca wrote:

> Thomas J. Boschloo (nos...@multiweb.nl) wrote:
> : Microsoft's explanation "Why is a backup key needed?" is bogus (they
> : claim it would be needed for when the building in which it is kept is
> : destroyed by a natural disaster, LOL).
>

> Well, while keeping two copies of the key would solve that, two copies of
> the same secret key won't help if one key is _compromised_. For that, a
> second key, to which the corresponding secret key is stored _elsewhere_,
> would serve a useful backup function.

This only makes sense if there is a revocation mechanism for the primary
key. Do you see such a mechanism?


SCOTT19U.ZIP_GUY

Sep 8, 1999, 3:00:00 AM9/8/99
to

But Jim, how do we know that actual creators of 2fish are in Minnesota? What
about the possible input due to people in the Fort Meade area?

Patrick Juola

Sep 8, 1999, 3:00:00 AM9/8/99
to
In article <7r615f$2hu4$2...@news.gate.net>,

SCOTT19U.ZIP_GUY <dsc...@networkusa.net> wrote:
>In article <37D6752A...@lockstar.com>, Jim Russell <jrus...@lockstar.com> wrote:
>>BillU> I do not think you understand cryptography.
>>
>>DavidW> No, not nearly as well as I'd like to...
>>
>>Bill, you should note that David is being unduly modest here. Perhaps
>>you should drop by counterpane.com, and find out who the creators of the
>>Twofish algorithm are.
>>
>>Jim Russell
>>LockStar, Inc.
>
> But Jim, how do we know that actual creators of 2fish are in Minnesota.

They aren't. At least one of them is (was) a student of mine in
Colorado.

Which says absolutely nothing about whether Mr. Wagner (should it be
Dr. Wagner?) "understand[s] cryptography." His being part of the
Twofish team suggests that if he doesn't understand cryptography, he
must make a *hell* of a good cup of coffee. 8-)

-kitten

Thomas J. Boschloo

Sep 8, 1999, 3:00:00 AM9/8/99
to

MS could issue a patch when the first key was compromised.. They do that
all the time ;-)

John Savard

Sep 8, 1999, 3:00:00 AM9/8/99