NSA backdoor creates security hole in Windows

A number of people have written in with the news that Cryptonym has found an apparent backdoor for the NSA (called NSAKEY) in all current versions of Windows. However, you can open this backdoor yourself and install your own strong cryto module in place of the built-in one. More details are also online, but to be quite frank, we aren't quite sure on this one-so, if you're more qualified comment, please do so below.Update: 09/03 11:19 by H :Thanks to Jens Hillman for more information from the German Chaos Computer Club. Der Webpage ist auf Deutsch-Babelfish it.

Some NSA backdoors are explicit

First, this is being presented at Crypto '99, not Def Con Two. It's peer reveiewed, guys, it's pretty much bound to be legit.

Second, every copy of Lotus Notes carries an explicit NSA backdoor, called the "Cryptographic Differential Work Factor". Essentially the point is that part of every secret key is encrypted with the NSA's public key, so where we would have to brute-force 128 bits to get in, they have to brute force only 40. So there's precedent; it's not as implausible as some people here seem to think. It may not be a back door in the simplistic way some people are thinking of, though.

The algorithm the guy used to find the key is documented in Adi Shamir and Nicko van Somoeren's paper "Playing Hide and Seek with Stored Keys" - you can find a link to the paper here [demon.co.uk] alongside my implementation of the technique described.
--

Microsoft admitted working with NSA!

This CNN Story [cnn.com] last year talked about the pressure tactics the NSA uses.

In the article, Ira Rubenstein, Microsoft attorney and top lieutenant to Bill Gates, says:
"Any time that you're developing a new product, you will be working closely with the NSA," he noted.

Well, this is another argument for getting source.

I really don't care about the licence, as long as I get the source. I would preferr GPL, but I want the source. I didn't used to feel that way, but as time has gone on I have changed my mind. The issue is less that the NSA is spying -- we need spies -- but that the whole national security apparatus of the US has ceased to be effective. CIA agents abroad have to meet quotas for recruiting foreign nationals. Not USEFUL foreign nationals, just somebody. They don't meet the quotas, they don't get good reviews. I have had friends who have worked for the NSA, and outside of a few areas, most of these people are carreer beaurocrats making their numbers. Like bosses who make up for management skill by saying that they will fire anyone 5 minutes late, the NSA is making up for the fact that most of the good spies left during the Bush Administration by compromising everyone, so that they can do their work without having to try hard. It doesn't have to be USEFUL work, just something to meet their quotas. The real issue here (well one issue, the other being the utility of having the source) is that we have let the goverment decay to the point where it is a danger to us.

Verification? was Re:the begining

This is interesting, but how do you prove it? I mean, all they've got is the fact that NSAKEY showed up as a debugging symbol. Sure NSA happens to be the acronym of a particularly annoying secret government agency, but...

At least, it DOES appear that there is more than one key available in the crypto packages. Whose keys? This should be the rallying call, and since we don't have the code, we can't tell.

This is a VERY good reason to be suspicious of Microsoft products.

How many people actually USE the cryptoAPI? It seems to me that unless you're using this stuff, all of this has no effect.

Andrew
----

I'm personally certain it's legit.

(1) The paper's being presented at a rump session, so it won't appear in the list of accepted papers. It won't have gone through the same rigourous review as an accepted paper, but hell, they wouldn't let the crypto loonies of this world (David A Scott aka SCOTT16U.ZIP_GUY) present such a session.

(2) the _NSAKEY certainly refers to *a* public key. It's a stretch of unusually high entropy data, which nearly always means cryptographic data: even compressed stuff doesn't look like that. Furthermore, it's being fed to BSafe's public key routines: look at the CCC's debugger output.

(3) Micros~1 wouldn't fuck around with that sort of thing. I don't think anyone's going to label a public key "NSAKEY" as a joke.

(3) But the NSA are very likely indeed to put pressure on them to introduce this sort of "feature" - it's quite a common occurence for a guy with a sharp suit to turn up at the offices of commercial crypto implementors and discuss, let's say, how best to speed the export process. In the case of Lotus Notes, they did it entirely above ground, although the Swedish Government didn't read the small print when they banked their information system on Notes and they were quite annoyed to discover that the NSA had a way in.

Put aside your speculation: this is the real thing. The NSA hold the private key that allows their software to do pretty much whatever they want to the CryptoAPI system, if you'll consent to run any code they've had their hands near. And we all know how tricky that is.

Personally, I'm ecstatic: the unearthing of this information is a huge boon both to the Open Source and crypto-security communities.
--

But it's NOT a backdoor!

Even if this is the NSA's key, so what? All it means is that they're hypocrites with regard to US security laws. The key only lets you install new security services inside Microsoft's crypto framework. That's it. It doesn't give you access to any information encrypted by other providers. The only reaon there's a lock on this install capability is to allow Microsoft to meet US export standards on encryption (they can't make it too easy to add strong crypto). If this really is an NSA key, then the NSA just wanted it to be easy for them to install strong crypto.

In other words, so what? This doesn't let the NSA, Microsoft, or anyone else snoop on my encrypted data. And I already knew the government had a rediculous security policy. BFD.

Comedy of errors

You know, at first I was outraged and shocked at this article. But now I can't help but smirk.

No one figured out that backdoor until Microsoft forgot to remove the explicit name NSA_Key in NT 4 SP 5? What kind of joke is this? Or is it a programmer at Microsoft that's covertly working for the Open Source movement? :)

I also find it pretty pathetic that the NSA would need to contact Microsoft and implement a backdoor to access NT. I sure know most crackers I know don't need a friggin' insider at MS to crack NT until it weeps.

So I see three possibilities about this:

It's a hoax of some sort, or a private joke by the NT programmers. It sure is working.

It's a decoy. The NSA has a backdoor somewhere else, much less obvious, and this is meant to make us believe the NSA backdoor has been found. I mean, the alleged backdoor in DES is much more complex and subtle than multiplying my a fixed key when encrypting.

It's true, and the NSA are truly pathetic, and their cryptanalysis talents are severely, severely overrated.

I find the third option to be the most amusing. :)

"There is no surer way to ruin a good discussion than to contaminate it with the facts."

Wait just a second...

Let's all just participate in a little reality check here, folks - just because something is named "NSA" it automatically means it has to do with the United States National Security Agency? As any Windows programmer can tell you, "LSA" in Microsoft parlance means "Local System Authority" - the subsystem that validates your logons. Why the heck shouldn't "NSA" stand for "Network System Authority"? And this is just one possibility... Geeze, the article offers ABSOLUTELY NO PROOF that the key named "NSA" stands for National Security Agency. Think before you fly off the handle.

I don't think it's for spying on people

Having used the CryptoAPI for about a year, and having been forced to get Microsoft to sign a CSP (Crypto Service Provider) for me, what it REALLY appears that the _NSAKEY value is for is this: Microsoft wanted to make sure it didn't violate US export law. They asked the US government, which replied, "Make sure that the CryptoAPI doesn't load unapproved cryptographic modules." Microsoft did this by requiring CSP developers to send the DLL to them (you can opt to send just the hash) along with a document stating whether the CSP was exportable or not. Then, someone in the government said, "Well, we want to be able to use our own CSPs in Windows without having to send them to Microsoft." They got Microsoft to add a second DLL verification check using a separate RSA key. For those who don't know, CSPs are DLLs that provide key and certificate management, hashing, and encryption/decryption services to applications. There is a small API of functions that they support. If some boogeyman wanted to spy on you through one, that means that someone would have to get that code onto your machine first, then register it (it's in the Registry under Software/Microsoft/Cryptography/Defaults/Providers ). This still leaves open the possibility that the verification code is being used to verify something else other than a CSP, but that hasn't been shown yet.

Security hole? Really??

Ehm, did anyone actually read the press release?

As far as I can tell, a competitor to Microsoft discovered the following:

* There is not one, but two keys that are used for the verification of CSP modules;
* This key is called 'NSAKEY' in the debug info for some NT4/SP5 executables.

The best you can say is that "this raises questions". It could be a "back door", but certainly no "security hole": the ability to install CSPs on a system doesn't give you a whole lot except the ability to PROVIDE AN ALTERNATIVE METHOD to encrypt/decrypt data. In other words: no existing encrypted data is compromised, and an application has to specify it WANTS to use the new CSP.

Of course it's more fun to start paranoid rants agains "M$" right away, but even for the most fanatic Microsoft-sceptic, it should be clear that:

1. The information is provided by a Microsoft competitor, and very sketchy at that;
2. It doesn't conclusively PROVE anything: just hint at certain vulnerabilities;
3. If the 'back door' indeed exists, its exploit potential is minimal.

Whatever.

CryptoAPI doc's

Here [microsoft.com] for doc's.

Re:Well, this is another argument for getting sour

You have no idea, my friend, you have no idea.

I returned to the private workforce last year aften ten years with a government entity that I cannot list on my resume. I have a cover (State) and some canned recommendations. I learned AIX while I was working for the government, and then discovered Solaris, which I like a lot. This got me a job last year without too many questions.

You have no idea how bad it has gotten. Let me fill you in:

1. Quotas: they are set in (a place in Virginia) and not in the country itself. So, a posting in some countries (Denmark or Finland) where a)no one really likes or dislikes the US - they could care less and have no real interest in providing information and b)there is just not a lot happening (we are not, for instance, likely to be invaded by Belgium any time soon) is the kiss of death to your carreer because there is no real way to make quota. Unless (and this is key), you fake it. If you have ethics, essentially, fully half of all of the postings by quantity require you to commit treason (by compromising national security by falsifying any and all contacts and records) or treat it as dead time for your future. This is the neat part -- everyone knows the system is horribly broken and every senior person there winks at the violations. Why? Whey did it themselves. Shades of grinding back at West Point (cheating, for those who didn't attend a service academy, is called grinding, and almost everyone does it).
2. Reviews: this has nothing to do with your actual performance in most cases. The station chief doesn't do them -- your immediate boss does. And, just like high school, there is a pecking order and no real control outside of that. Date a secretary that your boss is interested in, your ass is grass. I didn't, but watched someone get transferred into a carreer-ending position for that, with the suggestion in his records that he was compromising security by dating nationals. There is no meritocracy there anymore.
3. Disregard for security: this happened all the time. People would take home AND MISPLACE TS and worse. We had a person leave his briefcase in a bar. We are lucky that the bartender found it. It had detailed response plans for repelling any c/b/r attacks from a country that I can't name, but if you saw it on a map, would look an awful lot like Iraq. This was serious. It was ignored. And then there are the drinking and drug problems, mostly drinking.
4. Security: They do not get you a house at the far end of a one way street anymore. You are lucky if they try to keep your cover secret. They won't help you move in, so everyone knows that you are coming in from DC or VA someplace. They won't pay for a damned thing (not salary, which is very low, but things like furnishing a house or flat as if you really were an American marketing exec). And your family is at tremendouw risk if you take them, as a result. This was one of the main reasons I left. I spoke Spanish, I was not going to get another European posting, had studied Latin America, and had done briefings on narcoterrorism for a number of people, for a number or years. I looked at the house that they had picked out for me in Bogota -- on a busy street, with a wide alley, with overlooking apartment buildings in line-of-sight, in a neighborhood with access from FIVE directions. They couldn't have done worse if they tried. There was no way in hell that I was taking my pregnant wife there, and she felt the same way. So we both quit.

Bitter? Yes, very. But not at the concept, just the execution. At this point, we need to start over.

My God, It's a global conspiracy!

I just searched for "RSAKEY" on my system, it was found in netscape.exe! OMG Netscape is in on this too! I'm going to go throw my pc in the trash and run around my house lighting anything on fire with the word RSA on it because it might be a security risk! Ahhh it's a conspiracy!

#----------------------------
$mrp=~s/mrp/elite god/g;

Doubtful

"What the @#$% do those 3 lines of code do? Hrmmm, oh well, doesn't look like the section I was trying to find anyway . . ."

One thing you're forgetting -- generally when package maintainers (Linus, for instance) are reviewing a patch for inclusion in the distribution, they won't accept it unless they understand all the code involved.

If you tried something clever like spreading the changes across several patches, that wouldn't really work either.

[Judas] Here's my patch to fix the support for the /dev/blah device
[Maintainer] Hrm. I'll have a look.
...
[Maintainer] What's this little bit of code here do? I think you could probably shave a couple hundred instructions off here if you left it out, and it looks completely unnecessary.
[Judas] There's something screwy with the timing; that was the only way I could get it to work
[Maintainer] Hrm. That seems like a kind of awkward hack to me -- I'd like a solution I could understand better. I just replaced this with a delay loop -- I don't have the blah hardware myself though ... (to mailing list) Hey, could someone with blah hardware give this a try with my modification and see if it still works?
[Mailing List] Okay... it seems fine. In fact, one of us tried it without the delay loop, and there weren't any problems.
[Maintainer] (to Judas) I applied your patch; it seems to work fine without the bit of code though, so I just left that part out.
[Judas] Curses, foiled again!

As a modest package maintainer myself, I personally read every patch I get. Even if the patch author isn't malicious, the patch could still potentially fail in a catastrophic way due to a stupid logic error or invalid assumptions.

One thing that some people don't seem to understand about Open Source is that just because some Joe Schmoe produces some code doesn't mean that it'll end up in the official distribution.

It might be easy to read the code in the official distribution, and it might be easy to modify the code in your own copy, but it's nontrivial to quietly modify the official distribution. To submit a patch is to submit that patch to a lot of direct public scrutiny.

Berlin-- http://www.berlin-consortium.org [berlin-consortium.org]