j-orlin-grabbe

The Myth of Microsoft Security

Sept. 4, 1999

Prologue

Robert Novak Hypes "Microsoft's Powerful Codes"  Buzzwords, by J. Orlin Grabbe

The "NSA Backdoor" in Microsoft Windows

FOR IMMEDIATE RELEASE Microsoft Installs US Spy Agency with Windows Research Triangle Park, NC - 31 August 1999 - Between Hotmail hacks and browser bugs, Microsoft has a dismal track record in computer security. Most of us accept these minor security flaws and go on with life. But how is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft may have installed a 'back door' for the National Security Agency (NSA - the USA's spy agency) making it orders of magnitude easier for the US government to access their computers? While investigating the security subsystems of WindowsNT4, Cryptonym's Chief Scientist Andrew Fernandes discovered exactly that - a back door for the NSA in every copy of Win95/98/NT4 and Windows2000. Building on the work of Nicko van Someren (NCipher), and Adi Shamir (the 'S' in 'RSA'), Andrew was investigating Microsoft's "CryptoAPI" architecture for security flaws. Since the CryptoAPI is the fundamental building block of cryptographic security in Windows, any flaw in it would open Windows to electronic attack. Normally, Windows components are stripped of identifying information. If the computer is calculating "number_of_hours = 24 * number_of_days", the only thing a human can understand is that the computer is multiplying "a = 24 * b". Without the symbols "number_of_hours" and "number_of_days", we may have no idea what 'a' and 'b' stand for, or even that they calculate units of time. In the CryptoAPI system, it was well known that Windows used special numbers called "cryptographic public keys" to verify the integrity of a CryptoAPI component before using that component's services. In other words, programmers already knew that windows performed the calculation "component_validity = crypto_verify
(23479237498234...,crypto_component)",
but no-one knew exactly what the cryptographic key "23479237498234..." meant semantically. Then came WindowsNT4's Service Pack 5. In this service release of software from Microsoft, the company crucially forgot to remove the symbolic information identifying the security components. It turns out that there are really two keys used by Windows; the first belongs to Microsoft, and it allows them to securely load CryptoAPI services; the second belongs to the NSA. That means that the NSA can also securely load CryptoAPI services... on your machine, and without your authorization. The result is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system. For non-American IT managers relying on WinNT to operate highly secure data centers, this find is worrying. The US government is currently making it as difficult as possible for "strong" crypto to be used outside of the US; that they have also installed a cryptographic back-door in the world's most abundant operating system should send a strong message to foreign IT managers. There is good news among the bad, however. It turns out that there is a flaw in the way the "crypto_verify" function is implemented. Because of the way the crypto verification occurs, users can easily eliminate or replace the NSA key from the operating system without modifying any of Microsoft's original components. Since the NSA key is easily replaced, it means that non-US companies are free to install "strong" crypto services into Windows, without Microsoft's or the NSA's approval. Thus the NSA has effectively removed export control of "strong" crypto from Windows. A demonstration program that replaces the NSA key can be found on Cryptonym's website. Cryptonym: Bringing you the Next Generation of Internet Security, using cryptography, risk management, and public key infrastructure. Interview Contact: Andrew Fernandes Telephone: +1 919 469 4714 email: andrew@cryptonym.com Fax: +1 919 469 8708 Cryptonym Corporation 1695 Lincolnshire Boulevard Mississauga, Ontario Canada L5E 2T2 http://www.cryptonym.com

 

Analysis By People We Trust I: Markus Kuhn

Subject: Re: NSA key in MSFT Crypto API Date: Sat, 04 Sep 1999 11:41:02 +0100 From: Markus Kuhn markus.kuhn@cl.cam.ac.uk To: "cypherpunks@Algebra. COM" cypherpunks@algebra.com, "'Salz, Rich'" salzr@certco.com, "Cryptography@C2. Net" cryptography@c2.net, bugtraq@securityfocus.com The actual funny story behind the presence of the NSA key has been seriously misunderstood here. CSP verification keys have only one *real* purpose: They are intended to enforce the US export restriction requirement that Microsoft is not allowed to ship software abroad that can easily be extended with strong cryptography. They are certainly not intended as any useful form of integrity protection for your system. The NSA got their own CSP verification key, because they want to be able to change their own secret US government CSPs required for the handling of classified documents, without having to go to Microsoft each time to get a signature for an NSA CSP update. Fair enough. So Microsoft built in a second verification key such that the NSA can produce and install on DoD PCs their own CSPs without requiring any Microsoft involvement. The real funny part is that Microsoft did not protect the NSA key particularly well, such that everyone can easily replace the NSA key easily with his own key. This was reported by Nicko van Someren at the Crypto'98 rump session. This means that everyone can now easily install his own CSPs with arbitrarily strong cryptography. This means that the NSA's demand to get quickly a second key added led in effect to the easy international availability of strong encryption CSPs. My guess is that this is Microsoft's sweet revenge against the NSA for creating all these Export hassles (e.g., the requirement that CSPs be signed) in the first place. It backfired nicely against the NSA. :) All this has nothing to do with an NSA backdoor, because the CSP keys are an export enforcement tool and not an integrity protection tool. They do not protect all parts of the system that could be compromised by someone who wants to install some eavesdropping malware. The CSP verification keys only authenticate that no cryptography that violates export laws has been installed. If you are worried about the NSA installing malicious software on your PC, you should not rely on the CSP verification keys (which were never designed for that purpose anyway), but on virus scanners with tripwire functionality that report any modifications to your DLLs. There is no digital signature functionality required to implement these, simple secure hash algorithms will perfectly do. Please apply a bit of simple critical thinking here: If the NSA wanted to have real backdoor functionality, they would much more likely simply steal Microsofts own keys instead of embedding additional keys with an obvious symbol name. Remember: The NSA is the world's largest key thief. They have stolen crypto variables from well-protected military and government agencies from all over the world using the usual repertoire of techniques (bribery, extortion, eavesdropping, hacking, infiltration, etc.). If they can do it with eastern military agencies, they can most certainly also do it easily with Microsoft, which is orders of magnitudes less well protected than the usual NSA target. If there is a real NSA backdoor key in Windows, that it would certainly be identical to Microsoft's own key. Markus -- Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK Email: mkuhn at acm.org, WWW: http: www.cl.cam.ac.uk ~mgk25 cryptography@c2.net salzr@certco.com cypherpunks@algebra.com markus.kuhn@cl.cam.ac.uk

Analysis By People We Trust II: Bruce Schneier

from: sci.crypt subject: NSA and MS windows A few months ago in my newsletter Crypto-Gram, I talked about Microsoft's system for digitally signing cryptography suits that go into its operating system. The point is that only approved crypto suites can be used, which makes thing like export control easier. Annoying as it is, this is the current marketplace. Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd expect out of Microsoft. Suddenly there's a flurry of press activity because someone notices that the second key is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes. I don't buy it. First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption. Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security. Third, why in the world would anyone call a secret NSA key "NSAKEY." Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert. I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that. Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use. But it's not an NSA key so they can secretly install weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses. My original article: http://www.counterpane.com/crypto-gram-9904.html#certificates Announcement: http://www.cryptonym.com/hottopics/msft-nsa.html
Nice analysis: http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid;=47&aid;=52 Useful news article:
http://www.wired.com/news/news/ technology/story/21577.html
*******************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway,
Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com

orlin-grabbe-dot-com