Re: NSA key in MSFT Crypto API

[Markus.Kuhn () CL CAM AC UK (Markus Kuhn)]

The actual funny story behind the presence of the NSA key has been
seriously misunderstood here. CSP verification keys have only one *real*
purpose: They are intended to enforce the US export restriction
requirement that Microsoft is not allowed to ship software abroad that
can easily be extended with strong cryptography. They are certainly not
intended as any useful form of integrity protection for your system.

The NSA got their own CSP verification key, because they want to be able
to change their own secret US government CSPs required for the handling
of classified documents, without having to go to Microsoft each time to
get a signature for an NSA CSP update. Fair enough. So Microsoft built
in a second verification key such that the NSA can produce and install
on DoD PCs their own CSPs without requiring any Microsoft involvement.

The real funny part is that Microsoft did not protect the NSA key
particularly well, such that everyone can easily replace the NSA key
easily with his own key. This was reported by Nicko van Someren at the
Crypto'98 rump session. This means that everyone can now easily install
his own CSPs with arbitrarily strong cryptography. This means that the
NSA's demand to get quickly a second key added led in effect to the easy
international availability of strong encryption CSPs. My guess is that
this is Microsoft's sweet revenge against the NSA for creating all these
Export hassles (e.g., the requirement that CSPs be signed) in the first
place. It backfired nicely against the NSA. :)

All this has nothing to do with an NSA backdoor, because the CSP keys
are an export enforcement tool and not an integrity protection tool.
They do not protect all parts of the system that could be compromised by
someone who wants to install some eavesdropping malware. The CSP
verification keys only authenticate that no cryptography that violates
export laws has been installed. If you are worried about the NSA
installing malicious software on your PC, you should not rely on the CSP
verification keys (which were never designed for that purpose anyway),
but on virus scanners with tripwire functionality that report any
modifications to your DLLs. There is no digital signature functionality
required to implement these, simple secure hash algorithms will
perfectly do.

Please apply a bit of simple critical thinking here:

If the NSA wanted to have real backdoor functionality, they would much
more likely simply steal Microsofts own keys instead of embedding
additional keys with an obvious symbol name. Remember: The NSA is the
world's largest key thief. They have stolen crypto variables from
well-protected military and government agencies from all over the world
using the usual repertoire of techniques (bribery, extortion,
eavesdropping, hacking, infiltration, etc.). If they can do it with
eastern military agencies, they can most certainly also do it easily
with Microsoft, which is orders of magnitudes less well protected than
the usual NSA target. If there is a real NSA backdoor key in Windows,
that it would certainly be identical to Microsoft's own key.

Markus

--
Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
Email: mkuhn at acm.org,  WWW: <http://www.cl.cam.ac.uk/~mgk25/>