** *** ***** ******* *********** *************

       NSA Key in Microsoft Crypto API?



A few months ago, I talked about Microsoft's system for digitally signing
cryptography suites that go into its operating system.  The point is that
only approved crypto suites can be used, which makes things like export
control easier.  Annoying as it is, this is the current marketplace.

Microsoft has two keys, a primary and a spare.  The Crypto-Gram article
talked about attacks based on the fact that a crypto suite is considered
signed if it is signed by EITHER key, and that there is no mechanism for
transitioning from the primary key to the backup.  It's stupid
cryptography, but the sort of thing you'd expect out of Microsoft.
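
The either-key acceptance rule described above, next to a verifier that
trusts one key at a time and hands over on a signed order. This is an added
example, not Microsoft's code: the keys are toy textbook RSA built from
small Mersenne primes (not secure), and every name and the rotation
message are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy textbook-RSA key from two Mersenne primes; returns (n, d). NOT secure."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(n, d, data):
    return pow(digest(data, n), d, n)

def verify(n, data, sig):
    return pow(sig, E, n) == digest(data, n)

# Constructed stand-ins for the primary and backup signing keys.
PRIMARY_N, PRIMARY_D = make_key(2**61 - 1, 2**89 - 1)
BACKUP_N, BACKUP_D = make_key(2**107 - 1, 2**127 - 1)

def accept_either(module, sig):
    """Policy described in the text: a valid signature from EITHER key suffices."""
    return verify(PRIMARY_N, module, sig) or verify(BACKUP_N, module, sig)

ROTATE_ORDER = b"retire primary key, activate backup key"  # constructed message

class RotatingVerifier:
    """Hypothetical alternative: one trusted key at a time, with a signed hand-over."""
    def __init__(self):
        self.active_n = PRIMARY_N

    def rotate(self, order_sig):
        # Only the holder of the backup key can authorise the transition.
        if self.active_n == PRIMARY_N and verify(BACKUP_N, ROTATE_ORDER, order_sig):
            self.active_n = BACKUP_N
            return True
        return False

    def accept(self, module, sig):
        return verify(self.active_n, module, sig)

if __name__ == "__main__":
    mod = b"constructed crypto suite image"
    v = RotatingVerifier()
    print(accept_either(mod, sign(BACKUP_N, BACKUP_D, mod)),   # True
          v.accept(mod, sign(BACKUP_N, BACKUP_D, mod)))        # False until rotated
```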

Suddenly there's a flurry of press activity because someone notices that
the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is
called "NSAKEY" in the code.  Ah ha!  The NSA can sign crypto suites.  They
can use this ability to drop a Trojaned crypto suite into your computers.
Or so the conspiracy theory goes.

I don't buy it.

First, if the NSA wanted to compromise Microsoft's Crypto API, it would be
much easier to either 1) convince MS to tell them the secret key for MS's
signature key, 2) get MS to sign an NSA-compromised module, or 3) install a
module other than Crypto API to break the encryption (no other modules need
signatures).  It's always easier to break good encryption by attacking the
random number generator than it is to brute-force the key.

Second, NSA doesn't need a key to compromise security in Windows.  Programs
like Back Orifice can do it without any keys.  Attacking the Crypto API
still requires that the victim run an executable (even a Word macro) on his
computer.  If you can convince a victim to run an untrusted macro, there
are a zillion smarter ways to compromise security.

Third, why in the world would anyone call a secret NSA key "NSAKEY"?  Lots
of people have access to source code within Microsoft; a conspiracy like
this would only be known by a few people.  Anyone with a debugger could
have found this "NSAKEY."  If this is a covert mechanism, it's not very covert.

I see two possibilities.  One, that the backup key is just as Microsoft
says, a backup key.  It's called "NSAKEY" for some dumb reason, and that's
that.

Two, that it is actually an NSA key.  If the NSA is going to use Microsoft
products for classified traffic, they're going to install their own
cryptography.  They're not going to want to show it to anyone, not even
Microsoft.  They are going to want to sign their own modules.  So the
backup key could also be an NSA internal key, so that they could install
strong cryptography on Microsoft products for their own internal use.

But it's not an NSA key so they can secretly inflict weak cryptography on
the unsuspecting masses.  There are just too many smarter things they can
do to the unsuspecting masses.

My original article:
http://www.counterpane.com/crypto-gram-9904.html#certificates

Announcement:
http://www.cryptonym.com/hottopics/msft-nsa.html

Nice analysis:
http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=52

Useful news article:
http://www.wired.com/news/news/technology/story/21577.html