Windows NSAKEY Controversy Facts Duncan Campbell's 4/99 article Various Debunkings and denials Fall 1999 --------------------------------- _NSAKEY has been renamed to _KEY2 --------------------------------- http://www.factspider.com/ns/nsakey.html NSAKEY _NSAKEY is a variable name discovered in Microsoft Windows NT 4 Service Pack 5 (which had been released unstripped of its symbolic debugging data) in August 1999 by Andrew D. Fernandes of Cryptonym Corporation[?]. That variable contained a 1024-bit public key. Microsoft's operating systems require all cryptography suites that can go into its operating systems to have a digital signature. When only Microsoft-approved cryptography suites can be used, complying with the Export Administration Regulations[?] (EAR) of the US Department of Commerce, Bureau of Export Administration[?] (BXA) is easier. It was already known that Microsoft uses two keys, a primary and a spare, either of which can create valid signatures. The primary key is stored in the variable _KEY; Fernandes had discovered the second key. Fernandes published his discovery, touching off a flurry of speculation and development of numerous conspiracy theories. If the private half of that key were actually owned by the United States National Security Agency, it would allow that intelligence agency to subvert any Windows users' security. Microsoft, however, denied all such suggestions. "This report is inaccurate and unfounded. The key in question is a Microsoft key. It is maintained and safeguarded by Microsoft, and we have not shared this key with the NSA or any other party." The key's symbol was "_NSAKEY" because the NSA is the technical review authority for U.S. export controls, and the key ensures compliance with U.S. export laws. However, some of Microsoft's actions during the discussion aggravated public paranoia rather than reduced it. The Computers, Freedom and Privacy 2000 (CFP2000) conference was held from 4-7 April 2000 in Toronto, Canada. During a presentation to that conference, Duncan Campbell, Senior Research Fellow at the Electronic Privacy Information Center (EPIC), mentioned the _NSAKEY controversy as an example of an outstanding issue related to security and surveillance. Richard Purcell, Microsoft’s Director of Corporate Privacy, approached Campbell after his presentation and expressed a wish to clear up the confusion and doubts about _NSAKEY. Immediately after the conference, Scott Culp, of the Microsoft Security Response Center, contacted Campbell and offered to answer his questions. Their correspondance began codially but soon became strained; Campbell apparently felt Culp was being evasive and Culp apparently felt that Campbell was hostilely repeating questions that he had already answered. On 28 April 2000, Culp stated that "we have definitely reached the end of this discussion ... [which] is rapidly spiraling into the realm of conspiracy theory" and Campbell's further enquiries went unanswered. After a great deal of discussion featuring wildly varying levels of cryptographic expertise, various conclusions have been presented. To begin with, some observers, including Fernandes, doubt the BXA's EAR have specific requirements for backup keys. However, none of the commentators claim the legal expertise necessary to authoritatively discuss that document. Microsoft insists that the second key is present as a backup to guard against the possibility of losing the primary secret key. Fernandes and Bruce Schneier both doubt this explanation, pointing out that the generally accepted way to guard against loss of a secret key is secret splitting[?], which would divide the key into several different parts, which would then be distributed throughout senior management. Such a plan would be far more robust than using simply using two keys; if the second key is also lost, Microsoft would need to patch or upgrade every copy of Windows in the world, as well as every cryptographic module it has ever signed. Another line of speculation concludes that Microsoft included a second key to be able to sign cryptographic modules outside the United States, while still complying with the BXA's EAR. If cryptographic modules were to be signed in multiple locations, using multiple keys is a reasonable approach. However, no cryptographic module has ever been found to be signed by _NSAKEY and Microsoft denies that any other certification authority exists. A third possibility is that the _NSAKEY enables the NSA or other agencies to sign their own cryptographic modules without being required to disclose those modules to Microsoft, which would allow them to create modules in-house that implement classified algorithms. Of course this capability would also enable an agency to sign modules that could be used to undermine the security of any Windows installation. Such speculation is usually followed by cynical comments on such undermining not being difficult even without access to the cryptographic API. Microsoft denies that the NSA has access to the _NSAKEY secret key. The key is still present in all version of Windows, though it has been renamed "_KEY2." --------------------------------- http://www.merit.edu/mail.archives/netsec/1999-09/msg00021.html 4 September 1999 Questions Linger Over Possibility of Microsoft Backdoor. Microsoft has denied that a second encryption key, named NSAKEY, in Windows' security is designed to allow the National Security Agency backdoor access. Privacy advocates say parts of Microsoft's explanation just don't make sense. http://www.wired.com/news/print_version/technology/story/21589.html?wnpg=all http://www.zdnet.com/zdnn/stories/news/0,4586,2328464,00.html A press Release from Cryptonym regarding NSAKEY: http://www.cryptonym.com/hottopics/msft-nsa.html --------------------------------- MS Denies Windows 'Spy Key' Steve Kettmann and James Glave Story location: http://www.wired.com/news/technology/0,1282,21577,00.html 10:20 AM Sep. 03, 1999 PT Microsoft is vehemently denying allegations by a leading cryptographer that its Windows platform contains a backdoor designed to give a US intelligence agency access to personal computers. Andrew Fernandes, chief scientist for security software company Cryptonym in Mississauga, Ontario, claimed on his Web site Friday that the National Security Agency may have access to the core security of most major Windows operating systems. [website note: http://www.cryptonym.com/ has been simplified to "Yes, this is the website of Cryptonym Corporation (of the "NSA Key" fame). I hope to, sometime in the near future, put a brief explanation the whole story online, so stay tuned..." "By adding the NSA's key, they have made it easier -- not easy, but easier -- for the NSA to install security components on your computer without your authorization or approval," Fernandes said. But Microsoft denied that the NSA has anything to do with the key. "The key is a Microsoft key -- it is not shared with any party including the NSA," said Windows NT security product manager Scott Culp. "We don't leave backdoors in any products." Culp said the key was added to signify that it had passed NSA encryption standards. Fernandes also simultaneously released a program on his site that will disable the key. The key exists in all recent versions of the Windows operating systems, including Windows 95, 98, 2000, and NT. The issue centers around two keys that ship with all copies of Windows. The keys grant an outside party the access it needs to install security components without user authorization. The first key is used by Microsoft to sign its own security service modules. Until late Thursday, the identity and holder of the second key had remained a mystery. In previous versions of Windows, Fernandes said Microsoft had disguised the holder of the second key by removing identifying symbols. But while reverse-engineering Windows NT Service Pack 5, Fernandes discovered that Microsoft left the identifying information intact. Fernandes and many other security experts take that to stand for the National Security Agency -- the nation's most powerful intelligence agency. The NSA did not immediately respond to a request for comment via fax, the only way the agency communicates with inquiries from the media. The agency also operates Echelon, a global eavesdropping network that is reportedly able to intercept just about any form of electronic communications anywhere in the world. The agency is forbidden by law from eavesdropping on American citizens. Marc Briceno, director of the Smartcard Developer Association, said the inclusion of the key could represent a serious threat to e-commerce. "The Windows operating-system-security compromise installed by Microsoft on behalf of the NSA in every copy of Windows 95, 98, and NT represents a serious financial risk to any company using MS Windows in e-commerce applications," Briceno wrote in an email. "With the discovery of an NSA backdoor in every copy of the Windows operating systems sold worldwide, both US and especially non-US users of Microsoft Windows must assume that the confidentiality of their business communications has been compromised by the US spy agency," Briceno said. In making the discovery, Fernandes said he did not know why the key was there. "It could be for espionage. It may not be," he said. "It does not totally compromise Windows, it only weakens it.... The only real reason I can see is for them to be able to install their own security providers." But Microsoft's Culp said all cyrptographic software intended for export must be submitted to a National Security Agency review process. He said that the key was so named to indicate that it had completed that process and that it complied with export regulations. "It does not allow anyone to start things, stop services, or allow anything [to be executed] remotely," he said. "It is used to ensure that we and our cryptographic partners comply with United States crypto export regulations. We are the only ones who have access to it." Fernandes made the discovery in early August, he said, but collaborated with the Berlin-based Chaos Computer Club and other experienced hackers worldwide before releasing the information. "We coordinated this through the worldwide hacker scene," said Andy Muller-Maguhn of the CCC. "It was important to American hackers that it not only be mentioned in America but also in Europe. "For American citizens it seems to be normal that the NSA is in their software. But for countries outside of the United States, it is not. We don't want to have the NSA in our software." Coming less than a week after Microsoft was rocked by the embarrassing news that its Hotmail system could be easily penetrated, the latest disclosure could prove damaging to the software giant. "Say I am at a large bank, and I have the entirety of our operation working on Windows," Fernandes said. "That is a little more serious. The only people who could get in there are the NSA, but that might be bad enough. "They have to first manage to download a file into your machine. There may be backdoors that allow them to do that.... I would be shocked and surprised if the NSA bothered with individuals. What is more of a concern is security systems for a large bank or another data center. Or even a Web server firm. "The result is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system. "The US government is currently making it as difficult as possible for 'strong' crypto to be used outside of the US; that they have also installed a cryptographic backdoor in the world's most abundant operating system should send a strong message to foreign IT managers," he said. But Fernandes did not want to set off a panic -- or at least not for everyone. "I personally don't care if the NSA can get into my machine, because I think they have better ways of spying on me as a person," Fernandes said. "But if I was a CEO of a large bank, that would be a different story." Before Microsoft's explanation, many leading cryptographers said they were convinced it was a key for the NSA. "I believe it is an NSA key," said Austin Hill, president of anonymous Internet service company Zero-Knowledge Systems. "We walked though it and talked about all the scenarios why it is there, and this was our conclusion," said Hill. He said that he and Zero-Knowledge's chief scientist, Ian Goldberg, did not believe the key's name is a joke placed there by a Microsoft programmer -- one possible explanation. "Microsoft has not shown incredible competence in the area of security," Hill added. "We call on Microsoft to learn about open security models that provide independent verification of design. No secure system is based on security by obscurity." http://wired-vig.wired.com/news/print/0,1294,21577,00.html -------------------------------- Debunker 1 http://www.schneier.com/crypto-gram-9909.html Crypto-Gram Newsletter September 15, 1999 by Bruce Schneier Founder and CTO Counterpane Internet Security, Inc. schneier@counterpane.com http://www.counterpane.com Back issues are available at http://www.schneier.com. To subscribe NSA Key in Microsoft Crypto API? A few months ago, I talked about Microsoft's system for digitally signing cryptography suites that go into its operating system. The point is that only approved crypto suites can be used, which makes thing like export control easier. Annoying as it is, this is the current marketplace. Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd expect out of Microsoft. Suddenly there's a flurry of press activity because someone notices that the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes. I don't buy it. First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, or 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption by attacking the random number generator than it is to brute-force the key. Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security. Third, why in the world would anyone call a secret NSA key "NSAKEY"? Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert. I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that. Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use. But it's not an NSA key so they can secretly inflict weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses. My original article: http://www.schneier.com/... Announcement: http://www.cryptonym.com/hottopics/msft-nsa.html [dead link as of 2000-02-18] Nice analysis: http://ntbugtraq.ntadvice.com/default.asp?... Useful news article: http://www.wired.com/news/technology/... -------------------------------------------------------------------------------- Counterpane -- Featured Research "Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)" Bruce Schneier and Mudge, CQRE, Duesseldorf, Oct 1999, to appear. The Point-to-Point Tunneling Protocol (PPTP) is used to secure PPP connections over TCP/IP link. In response to [SM98], Microsoft released extensions to the PPTP authentication mechanism (MS-CHAP), called MS-CHAPv2. We present an overview of the changes in the authentication and encryption-key generation portions of MS-CHAPv2, and assess the improvements and remaining weaknesses in Microsoft's PPTP implementation. While fixing some of the more egregious errors in MS-CHAPv1, the new protocol still suffers from some of the same weaknesses. http://www.schneier.com/paper-pptpv2.html --------------------------------- How NSA access was built into Windows by Duncan Campbell 04.09.1999 Careless mistake reveals subversion of Windows by NSA A CARELESS mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors). The discovery comes close on the heels of the revelations earlier this year that another US software giant, Lotus, had built an NSA "help information" trapdoor into its Notes system, and that security functions on other software systems had been deliberately crippled. The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA. Computer security specialists have been aware for two years that unusual features are contained inside a standard Windows software "driver" used for security and encryption functions. The driver, called ADVAPI.DLL, enables and controls a range of security functions. If you use Windows, you will find it in the C:Windowssystem directory of your computer. ADVAPI.DLL works closely with Microsoft Internet Explorer, but will only run crypographic functions that the US governments allows Microsoft to export. That information is bad enough news, from a European point of view. Now, it turns out that ADVAPI will run special programmes inserted and controlled by NSA. As yet, no-one knows what these programmes are, or what they do. Dr Nicko van Someren reported at last year's Crypto 98 conference that he had disassembled the ADVADPI driver. He found it contained two different keys. One was used by Microsoft to control the cryptographic functions enabled in Windows, in compliance with US export regulations. But the reason for building in a second key, or who owned it, remained a mystery... A second key Two weeks ago, a US security company came up with conclusive evidence that the second key belongs to NSA. Like Dr van Someren, Andrew Fernandez, chief scientist with Cryptonym of Morrisville, North Carolina, had been probing the presence and significance of the two keys. Then he checked the latest Service Pack release for Windows NT4, Service Pack 5. He found that Microsoft's developers had failed to remove or "strip" the debugging symbols used to test this software before they released it. Inside the code were the labels for the two keys. One was called "KEY". The other was called "NSAKEY". Fernandes reported his re-discovery of the two CAPI keys, and their secret meaning, to "Advances in Cryptology, Crypto'99" conference held in Santa Barbara. According to those present at the conference, Windows developers attending the conference did not deny that the "NSA" key was built into their software. But they refused to talk about what the key did, or why it had been put there without users' knowledge. A third key?! But according to two witnesses attending the conference, even Microsoft's top crypto programmers were astonished to learn that the version of ADVAPI.DLL shipping with Windows 2000 contains not two, but three keys. Brian LaMachia, head of CAPI development at Microsoft was "stunned" to learn of these discoveries, by outsiders. The latest discovery by Dr van Someren is based on advanced search methods which test and report on the "entropy" of programming code. Within the Microsoft organisation, access to Windows source code is said to be highly compartmentalized, making it easy for modifications to be inserted without the knowledge of even the respective product managers. Researchers are divided about whether the NSA key could be intended to let US government users of Windows run classified cryptosystems on their machines or whether it is intended to open up anyone's and everyone's Windows computer to intelligence gathering techniques deployed by NSA's burgeoning corps of "information warriors". According to Fernandez of Cryptonym, the result of having the secret key inside your Windows operating system "is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system". The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards. "For non-American IT managers relying on Windows NT to operate highly secure data centres, this find is worrying", he added. "The US government is currently making it as difficult as possible for "strong" crypto to be used outside of the US. That they have also installed a cryptographic back-door in the world's most abundant operating system should send a strong message to foreign IT managers". "How is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft has a 'back door' for NSA - making it orders of magnitude easier for the US government to access your computer?" he asked. Can the loophole be turned round against the snoopers? Dr van Someren feels that the primary purpose of the NSA key inside Windows may be for legitimate US government use. But he says that there cannot be a legitimate explanation for the third key in Windows 2000 CAPI. "It looks more fishy", he said. Fernandez believes that NSA's built-in loophole can be turned round against the snoopers. The NSA key inside CAPI can be replaced by your own key, and used to sign cryptographic security modules from overseas or unauthorised third parties, unapproved by Microsoft or the NSA. This is exactly what the US government has been trying to prevent. A demonstration "how to do it" program that replaces the NSA key can be found on Cryptonym's website. /deadlink/ According to one leading US cryptographer, the IT world should be thankful that the subversion of Windows by NSA has come to light before the arrival of CPUs that handles encrypted instruction sets. These would make the type of discoveries made this month impossible. "Had the next-generation CPU's with encrypted instruction sets already been deployed, we would have never found out about NSAKEY." Links contained in article: [1] http://www.heise.de/tp/english/inhalt/te/2898/1.html [2] http://www.microsoft.com/ntserver/nts/downloads/recommended/sp5/allsp5.asp [3] http://www.cryptonym.com/hottopics/msft-nsa/ReplaceNsaKey.zip [4] Telepolis Artikel-URL: http://www.telepolis.de/english/inhalt/te/5263/1.html Other Refs to this article: http://www.heise.de/tp/r4/artikel/5/5263/1.html http://www.totse.com/en/politics/national_security_agency/hownsaaccesswa168922.html http://www.chuckherrin.com/MSandNSA.html