This topic has problably just about reached its use-by date, but I recently
saw a comment by "J. Andrs Hall" <[EMAIL PROTECTED]> on how to
cripple Microsoft's own CSP's using _NSAKEY:
>Because the person posessing the private key corresponding to _NSAKEY can now
>take a trusted, signed CSP (even
In message <[EMAIL PROTECTED]>, Peter Gutmann writes:
> Revealing the fact that CryptEncrypt() maps to a function in the
> crypto hardware called ENCRYPT probably isn't a major threat to national
> security. Existing PKCS #11 drivers also reveal details of classified crypto
> algorithms like J
Eric Murray <[EMAIL PROTECTED]> writes:
>>On Sat, Sep 04, 1999 at 01:59:01AM +0200, Lucky Green wrote:
>>>On Fri, 3 Sep 1999, Tim Dierks wrote:
>>>Even if the key belongs to the NSA, I suspect that the NSA just wanted to
>>>be able to load classified Crypto Service Providers into Windows and didn
In <000f01bef6e8$bfdc8b60$bf011712@bananas>, on 09/04/99
at 11:18 AM, "Phill Hallam-Baker" <[EMAIL PROTECTED]> said:
>>> > It works
>>> > better to patch out NSA's key with your own -- then you can load both
>>> > your own crypto code and all the standard MS stuff.
>>I'm sorry, but my origi
>> > It works
>> > better to patch out NSA's key with your own -- then you can load both
>> > your own crypto code and all the standard MS stuff.
>I'm sorry, but my original followup apparently wasn't clear enough.
>In a very important sense, it doesn't matter who actually "owns"
>the NSAKEY. W
In <[EMAIL PROTECTED]>, on 09/04/99
at 11:41 AM, Markus Kuhn <[EMAIL PROTECTED]> said:
>Please apply a bit of simple critical thinking here:
>If the NSA wanted to have real backdoor functionality, they would much
>more likely simply steal Microsofts own keys instead of embedding
>additional
The actual funny story behind the presence of the NSA key has been
seriously misunderstood here. CSP verification keys have only one *real*
purpose: They are intended to enforce the US export restriction
requirement that Microsoft is not allowed to ship software abroad that
can easily be extended
Some quotes from:
http://www.wired.com/news/news/technology/story/21589.html
>"Windows is compromised!! Microsoft is in bed with the Federal
Government," wrote one poster to a mailing list addressing privacy and
crypto issues.
>
Not attributed, but that sounds like cypherpunk WG III.
Unfortun
> > It works
> > better to patch out NSA's key with your own -- then you can load both
> > your own crypto code and all the standard MS stuff.
I'm sorry, but my original followup apparently wasn't clear enough.
In a very important sense, it doesn't matter who actually "owns"
the NSAKEY. What ma
Wired.com:
> "The key is a Microsoft key -- it is not shared with any party including
> the NSA," said Windows NT security product manager Scott Culp. "We don't
> leave backdoors in any products."
>
> "The only thing that this key is used for is to ensure that only those
> products that meet US e
On Sat, Sep 04, 1999 at 01:59:01AM +0200, Lucky Green wrote:
> On Fri, 3 Sep 1999, Tim Dierks wrote:
>
> > Even if the key belongs to the NSA, I suspect that the NSA just wanted to be
> > able to load classified Crypto Service Providers into Windows and didn't
> > want to have to send said class
03, 1999 16:52
> To: Matt Blaze; Lucky Green; [EMAIL PROTECTED]
> Cc: Cryptography@C2. Net; [EMAIL PROTECTED]
> Subject: Re: NSA key in MSFT Crypto API
>
>
> At 3:48 PM -0400 on 9/3/99, Matt Blaze wrote:
>
>
> > Since anyone
> > with a debugger and a copy of an MS
At 3:48 PM -0400 on 9/3/99, Matt Blaze wrote:
> Since anyone
> with a debugger and a copy of an MS OS can find this symbol, if this is
> intended as some kind of covert mechanism, it's not very well hidden.
Though, truth be told, the symbols were supposedly *accidently* left
in on this one bui
On Fri, 3 Sep 1999, Tim Dierks wrote:
> Even if the key belongs to the NSA, I suspect that the NSA just wanted to be
> able to load classified Crypto Service Providers into Windows and didn't
> want to have to send said classified software to Microsoft for approval, so
> they got the key install
It's not clear to me why being able to sign CSP modules is a risky thing
anyway; all it means is that Windows will load and execute your crypto. The
mechanism is designed to keep overseas end users from being able to build
and install strong crypto libraries. If the NSA has a key, all they can do
> >http://www.cryptonym.com/hottopics/msft-nsa.html
>
> Perhaps more interestingly, the program lets you replace the key, too.
Microsoft prevents third parties from installing un-authorized crypto
code under CAPI by checking the signature on the code. Under their
export deal, they refuse to sig
Here's what I said about this on another list:
I must admit that this doesn't make much sense to me.
I was at Crypto, but I must have missed the rump session talk in question
(and it's entirely possible that the talk occurred anyway - I was out of the
room for a good deal of that session). In a
- Original Message -
From: Lucky Green <[EMAIL PROTECTED]>
To: cypherpunks@Algebra. COM <[EMAIL PROTECTED]>
Cc: Cryptography@C2. Net <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, September 03, 1999 12:21 AM
Subject: NSA key in MSFT Crypto API
> Perhaps not surprisingly, the debug
, anyone?
Peter Trei
> --
> From: Salz, Rich[SMTP:[EMAIL PROTECTED]]
> Sent: Friday, September 03, 1999 10:42 AM
> To: 'Lucky Green'; cypherpunks@Algebra. COM
> Cc: Cryptography@C2. Net; [EMAIL PROTECTED]
> Subject: RE: NSA key in MS
In <[EMAIL PROTECTED]>,
on 09/03/99
at 11:49 AM, "Trei, Peter" <[EMAIL PROTECTED]> said:
>The ability to replace the NSA key with another
>is an extremely serious vulnerability. This means that
>*anyone* - not just the NSA - can write a compromised
>module and install it on the target, as lo
>For more information and a program to remove the NSA's key from your copy
of
>Windows 95, 98, NT, 2000, see
>http://www.cryptonym.com/hottopics/msft-nsa.html
Perhaps more interestingly, the program lets you replace the key, too.
It requires no special privileges -- just uses some undocumented AP
21 matches
Mail list logo
