[PGP]: Bruce Schneier weighs in
--- begin forwarded text

Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm-idx-0.40(alpha)
Reply-To: [EMAIL PROTECTED]
From: "grt" [EMAIL PROTECTED]
Organization: ...
To: [EMAIL PROTECTED]
Date: Sat, 4 Sep 1999 09:24:02 -0400
CC: [EMAIL PROTECTED]
Priority: normal
Subject: [PGP]: Bruce Schneier weighs in

FYI

from: sci.crypt
subject: NSA and MS windows

A few months ago in my newsletter Crypto-Gram, I talked about Microsoft's system for digitally signing cryptography suites that go into its operating system. The point is that only approved crypto suites can be used, which makes things like export control easier. Annoying as it is, this is the current marketplace.

Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd expect out of Microsoft.

Suddenly there's a flurry of press activity because someone notices that the second key is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

I don't buy it.

First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption.

Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

Third, why in the world would anyone call a secret NSA key "NSAKEY." Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.

I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that. Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use. But it's not an NSA key so they can secretly install weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses.

My original article: http://www.counterpane.com/crypto-gram-9904.html#certificates
Announcement: http://www.cryptonym.com/hottopics/msft-nsa.html
Nice analysis: http://ntbugtraq.ntadvice.com/default.asp?sid=1pid=47aid=52
Useful news article: http://www.wired.com/news/news/technology/story/21577.html

**
Bruce Schneier, President, Counterpane Systems
Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419
Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com

-
To retrieve this thread, e-mail: [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT send administrative requests/command to the list! Thanks.

--- end forwarded text

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
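The design point in Schneier's forwarded post, that a module is accepted if EITHER key signed it and that nothing can move trust from the primary key to the backup, as an added example that is not part of the post or of any Microsoft code: a toy RSA verifier with the either-key rule beside one that honours the backup only after a transition record signed by the primary. The primes, key names, module bytes and the transition-record format are all constructed assumptions for the demo.

```python
# Added illustration, not code from the post or from Microsoft: the "either
# key" acceptance Schneier describes, beside a verifier that honours the backup
# only after a transition signed by the primary. Toy textbook RSA, demo only.
import hashlib

E = 65537  # public exponent for the constructed toy keys

def make_key(p, q):
    """Toy RSA key from two constructed primes; far too small for real use."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}

def h_int(data, n):  # hash the module bytes to an integer below the modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(h_int(data, key["n"]), key["d"], key["n"])

def verify(key, data, sig):  # verifiers only read the public parts n and e
    return pow(sig, key["e"], key["n"]) == h_int(data, key["n"])

class EitherKeyVerifier:
    """Trusts a module if EITHER key signed it; nothing can ever retire a key."""
    def __init__(self, primary, backup):
        self.keys = [primary, backup]

    def accept(self, module, sig):
        return any(verify(k, module, sig) for k in self.keys)

class TransitionVerifier:
    """Only the active key counts; the dormant backup takes over after a
    transition record signed by the active key names it (one possible design)."""
    def __init__(self, primary, backup):
        self.active, self.backup = primary, backup

    def accept(self, module, sig):
        return verify(self.active, module, sig)

    def transition_record(self):
        return b"activate-backup:" + str(self.backup["n"]).encode()

    def transition(self, sig):
        if self.backup is None or not verify(self.active, self.transition_record(), sig):
            return False
        self.active, self.backup = self.backup, None  # primary is now retired
        return True

def demo():
    ms = make_key((1 << 61) - 1, (1 << 31) - 1)      # constructed "primary"
    spare = make_key((1 << 89) - 1, (1 << 107) - 1)  # constructed "backup"
    module = b"constructed CSP image"
    s_ms, s_spare = sign(ms, module), sign(spare, module)
    either = EitherKeyVerifier(ms, spare)
    strict = TransitionVerifier(ms, spare)
    out = {"either_accepts_backup": either.accept(module, s_spare),
           "strict_accepts_backup_before": strict.accept(module, s_spare)}
    out["transition_ok"] = strict.transition(sign(ms, strict.transition_record()))
    out["strict_accepts_backup_after"] = strict.accept(module, s_spare)
    out["strict_accepts_primary_after"] = strict.accept(module, s_ms)
    return out
```

With the either-key rule a module signed only by the spare is trusted from day one; with the transition design it is rejected until the primary explicitly hands over, after which the primary itself stops verifying.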
ADMIN: enough _NSAKEY for now
Okay, I think we're rubble bouncing now. I'm going to start ruthlessly trimming the _NSAKEY stuff until there is some actual new news. I might allow through something with particularly interesting insights or which sheds new light on things. If and when there are news reports with substantive new data, I'll loosen up again.

--
Perry Metzger [EMAIL PROTECTED]
--
"Ask not what your country can force other people to do for you..."
NSA aka 'Big Brother' in Lotus Notes
btw. I had a go at reverse engineering Lotus Notes a few months back to get the NSA's key out of it. I found the key, and the DN (Distinguished Name -- the name attached to the key) was 'Big Brother'. Spooky huh? Someone at IBM had a sense of humor, or a sense of resentment about having to implement GAK.

I did not however reverse engineer in sufficient detail to work out the big number representation to extract the actual modulus and exponent with good confidence. Still on my 'to do' list. If anyone wants to give it a go -- I'll be happy to share notes.

(Lotus Notes was the application which was in the news a while back when the Swedish(?) government adopted Lotus Notes for their email solution and only realised it had key escrow, with the NSA able to decrypt mail with a work factor of only 2^40. IBM's key escrow technique is to have 24 bits escrowed with NSA, 40 not escrowed; which makes 64 bits to everyone else, but only 40 for the NSA.)

Adam
Re: NSA key in MSFT Crypto API
Some quotes from: http://www.wired.com/news/news/technology/story/21589.html

"Windows is compromised!! Microsoft is in bed with the Federal Government," wrote one poster to a mailing list addressing privacy and crypto issues.

Not attributed, but that sounds like cypherpunk WG III.

Unfortunately also these quotes from Russ Cooper, moderator of the NTBugtraq Windows security resource:

He said the lion's share of individuals overreacting to the claims are freedom fighters and privacy advocates. "Unfortunately they have a loud voice," he said. "I don't think they are representative of the average person, the real people that populate the Net," he said. "We give away all kinds of things, every day, that sacrifice our privacy. These privacy advocates, I'd put them in the category of the Michigan Militia, the Ruby Ridge folks."

Apparently, according to Cooper, privacy folks are not like "real people". His comment not only dismisses the seriousness of the immediate issue (which may or may not prove to be valid ultimately) but he seems to consider those who raise such questions about government intrusion as some form of crackpot not to be taken seriously (real people shouldn't mind privacy intrusion).

jay
Re: NSA key in MSFT Crypto API
The actual funny story behind the presence of the NSA key has been seriously misunderstood here.

CSP verification keys have only one *real* purpose: They are intended to enforce the US export restriction requirement that Microsoft is not allowed to ship software abroad that can easily be extended with strong cryptography. They are certainly not intended as any useful form of integrity protection for your system.

The NSA got their own CSP verification key, because they want to be able to change their own secret US government CSPs required for the handling of classified documents, without having to go to Microsoft each time to get a signature for an NSA CSP update. Fair enough. So Microsoft built in a second verification key such that the NSA can produce and install on DoD PCs their own CSPs without requiring any Microsoft involvement.

The real funny part is that Microsoft did not protect the NSA key particularly well, such that everyone can easily replace the NSA key with his own key. This was reported by Nicko van Someren at the Crypto'98 rump session. This means that everyone can now easily install his own CSPs with arbitrarily strong cryptography. This means that the NSA's demand to get quickly a second key added led in effect to the easy international availability of strong encryption CSPs. My guess is that this is Microsoft's sweet revenge against the NSA for creating all these Export hassles (e.g., the requirement that CSPs be signed) in the first place. It backfired nicely against the NSA. :)

All this has nothing to do with an NSA backdoor, because the CSP keys are an export enforcement tool and not an integrity protection tool. They do not protect all parts of the system that could be compromised by someone who wants to install some eavesdropping malware. The CSP verification keys only authenticate that no cryptography that violates export laws has been installed. If you are worried about the NSA installing malicious software on your PC, you should not rely on the CSP verification keys (which were never designed for that purpose anyway), but on virus scanners with tripwire functionality that report any modifications to your DLLs. There is no digital signature functionality required to implement these; simple secure hash algorithms will perfectly do.

Please apply a bit of simple critical thinking here: If the NSA wanted to have real backdoor functionality, they would much more likely simply steal Microsoft's own keys instead of embedding additional keys with an obvious symbol name. Remember: The NSA is the world's largest key thief. They have stolen crypto variables from well-protected military and government agencies from all over the world using the usual repertoire of techniques (bribery, extortion, eavesdropping, hacking, infiltration, etc.). If they can do it with eastern military agencies, they can most certainly also do it easily with Microsoft, which is orders of magnitude less well protected than the usual NSA target. If there is a real NSA backdoor key in Windows, then it would certainly be identical to Microsoft's own key.

Markus

--
Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
Email: mkuhn at acm.org, WWW: http://www.cl.cam.ac.uk/~mgk25/
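Kuhn's suggested defence, tripwire-style hash checking of the DLLs rather than reliance on the CSP verification keys, as an added example that is not code from his post: a baseline of SHA-256 digests is recorded once and later compared to report modified, added and removed files. The directory layout, the file names and the function names are constructed for the demo.

```python
"""Added example, not code from Kuhn's post: a tripwire-style baseline that
records a SHA-256 digest per DLL and later reports what changed. No signature
machinery is involved; the directory and file names below are constructed."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large DLLs never have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, pattern="*.dll"):
    """Map each matching file (path relative to root) to its digest. Store the
    result off the monitored system, or it can be rewritten along with the DLLs."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob(pattern)) if p.is_file()}


def compare_baseline(root, baseline, pattern="*.dll"):
    """Re-hash the tree and classify every deviation from the stored baseline."""
    current = build_baseline(root, pattern)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "unchanged": sorted(k for k in baseline if current.get(k) == baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: two fake CSP DLLs are baselined, then one is
    overwritten (as a key replacement would do) and an extra one appears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "cspA.dll").write_bytes(b"constructed CSP image A")
        (root / "cspB.dll").write_bytes(b"constructed CSP image B")
        baseline = build_baseline(root)
        (root / "cspA.dll").write_bytes(b"constructed CSP image A, altered")
        (root / "cspC.dll").write_bytes(b"constructed extra CSP image")
        return compare_baseline(root, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The check only has value if the stored baseline and the checker itself are kept where the monitored DLLs' writer cannot reach them, which is the same point Kuhn makes about trusting hashes rather than the CSP keys.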
Re: NSA key in MSFT Crypto API
In [EMAIL PROTECTED], on 09/04/99 at 11:41 AM, Markus Kuhn [EMAIL PROTECTED] said:

> Please apply a bit of simple critical thinking here: If the NSA wanted to have real backdoor functionality, they would much more likely simply steal Microsoft's own keys instead of embedding additional keys with an obvious symbol name. Remember: The NSA is the world's largest key thief. They have stolen crypto variables from well-protected military and government agencies from all over the world using the usual repertoire of techniques (bribery, extortion, eavesdropping, hacking, infiltration, etc.). If they can do it with eastern military agencies, they can most certainly also do it easily with Microsoft, which is orders of magnitude less well protected than the usual NSA target. If there is a real NSA backdoor key in Windows, then it would certainly be identical to Microsoft's own key.

Markus,

Have you considered the idea that perhaps the keys are being used for more than what M$ claims (not that M$ would ever lie to us <g>)? If you were going to build a backdoor into a system at the OS level wouldn't it be nice to add some PK authentication into it so only you and no one else could make use of it? I think that this may better explain multiple keys than the weak excuses coming from the Redmond spin doctors.

Note: for those of you who don't think a big corporation like M$ would compromise their systems for the NSA, remember Crypto AG, Lotus.

--
---
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii

Hi Jeff!! :)
---
RE: NSA key in MSFT Crypto API
>> It works better to patch out NSA's key with your own -- then you can load both your own crypto code and all the standard MS stuff.
>
> I'm sorry, but my original followup apparently wasn't clear enough. In a very important sense, it doesn't matter who actually "owns" the NSAKEY. What matters is that there is a second key, that this key can be used to verify CSP's, that it can be replaced without adversely affecting the rest of the "operating system," and that no special privileges are needed to do the replacement. A program that does exactly this is already available.

Rich, that is simply not fair. If MSFT had created a complete operating system in which every component was digitally signed (a damn good idea BTW) and there was no other means of running a component than having it signed, a backdoor key would be a serious issue. MSFT has not done anything remotely like that. They have merely created a crypto system that passes the ludicrous crypto export rules.

If as MSFT claim they still have full control of both keys, the fact one is labelled NSA is pretty irrelevant. The only relevant fact is that the second key can be easily replaced, thus invalidating the whole export control concept.

The 128 bit patch is already circulating freely in Europe. The significant fact of the second key is that it means that European software vendors can distribute it with product - as US companies such as Quicken do today. So if someone can persuade Eidos to distribute the patch with Tombraider4 the optimum distribution path is probably realized.

Another interesting legal avenue would be for MSFT to request export permission for the 128 bit patch then when it is refused take it to the courts. The ITAR act quite clearly excludes technology which is freely available outside the US. There would be a direct correspondence between a European 128 bit patch and a US 128 bit patch. A victory on summary judgement could well be possible. Whether this is advisable for MSFT is another issue. Many in Congress are still upset that MSFT took so long to start making significant campaign contributions.

Phill

PS: I have long said that we will know that the US govt cannot be trusted on Key escrow for as long as the police headquarters are named after J. Edgar Hoover. This brings up the question of who the building should be renamed after. My personal choice would be to name the building after William Jefferson Clinton since he was so closely attentive to the work of the FBI for much of his presidential term.
RE: NSA key in MSFT Crypto API
In 000f01bef6e8$bfdc8b60$bf011712@bananas, on 09/04/99 at 11:18 AM, "Phill Hallam-Baker" [EMAIL PROTECTED] said:

>>> It works better to patch out NSA's key with your own -- then you can load both your own crypto code and all the standard MS stuff.
>>
>> I'm sorry, but my original followup apparently wasn't clear enough. In a very important sense, it doesn't matter who actually "owns" the NSAKEY. What matters is that there is a second key, that this key can be used to verify CSP's, that it can be replaced without adversely affecting the rest of the "operating system," and that no special privileges are needed to do the replacement. A program that does exactly this is already available.
>
> Rich, that is simply not fair. If MSFT had created a complete operating system in which every component was digitally signed (a damn good idea BTW) and there was no other means of running a component than having it signed, a backdoor key would be a serious issue. MSFT has not done anything remotely like that. They have merely created a crypto system that passes the ludicrous crypto export rules.

So they say.

> If as MSFT claim they still have full control of both keys, the fact one is labelled NSA is pretty irrelevant.

Again let's stress "If as MSFT claim"; they have yet to provide any proof one way or the other as to what is going on. I wouldn't believe the M$ spin doctors any more than I believe Bill Clinton didn't inhale.

> The only relevant fact is that the second key can be easily replaced, thus invalidating the whole export control concept.

No, the relevant fact is regardless of what M$ is doing or not doing with these keys their software is insecure. It hardly matters to the end user, whose security has been compromised, whether the flaw was a malicious act or just plain incompetence.

> The 128 bit patch is already circulating freely in Europe. The significant fact of the second key is that it means that European software vendors can distribute it with product - as US companies such as Quicken do today.

What 128 bit patch? All I have seen is a patch to replace the NSAKEY with a different key.

> So if someone can persuade Eidos to distribute the patch with Tombraider4 the optimum distribution path is probably realized. Another interesting legal avenue would be for MSFT to request export permission for the 128 bit patch then when it is refused take it to the courts. The ITAR act quite clearly excludes technology which is freely available outside the US. There would be a direct correspondence between a European 128 bit patch and a US 128 bit patch. A victory on summary judgement could well be possible.

LOL!!! I think you need to re-read the export regulations. Not only is the above false, there are explicit restrictions against the re-export of cryptology. BTW it is no longer ITAR but EAR; the change was back in '96.

> Whether this is advisable for MSFT is another issue. Many in Congress are still upset that MSFT took so long to start making significant campaign contributions.
>
> Phill
>
> PS: I have long said that we will know that the US govt cannot be trusted on Key escrow for as long as the police headquarters are named after J. Edgar Hoover. This brings up the question of who the building should be renamed after. My personal choice would be to name the building after William Jefferson Clinton since he was so closely attentive to the work of the FBI for much of his presidential term.

Hey why not, replace the name of one statist with another. Phil you really should stick to socialist advocacy.

--
---
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii

Hi Jeff!! :)
---
Re: Paul Brown on Solitaire randomness flaw?
In v04210152b3f61485313b@[192.168.248.7], on 09/03/99 at 05:20 PM, Dave Del Torto [EMAIL PROTECTED] said:

> Does anyone (or you, Bruce?) have a URL handy to/for a paper (by Paul Brown in the UK?) speculating on a RNG weakness in Solitaire (Bruce's playing card cipher)? I've been searching the web unsuccessfully. The paper may mention it as "Pontifex", as it was referred to in "Cryptonomicon." The implication is that it may not be as secure as I'd hoped, and that I should *not* train some human rights people on how to use it in the field...

Hi Dave,

I did some searching through my digital library. Take a look at:

http://www.hedonism.demon.co.uk/paul/solitaire/index.html

--
---
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii

Hi Jeff!! :)
---