Re: FW: Microsoft, the NSA, and You.

Keith Dawson (
Sun, 5 Sep 1999 10:47:53 -0400

>What a mess......a warm cup of FUD anyone??

Here's my bits on the subject, yesterday's Tasty Bit o'th' Day.
Keith Dawson
Layer of ash separates morning and evening milk.


..The Microsoft _NSAkey flap

By now you've heard all about the extra signing key found in Micro-
soft's CryptoAPI in all Win95, 98, NT, and 2000 systems. Here's the
posting by Andrew Fernandes that started all the fuss [1]. The BBC
has an annotated screen shot [2] of a debugger session showing the
variable named, portentiously, _NSAkey. Microsoft's official re-
sponse [3] to the flap makes a whole lot more sense than assuming
that the National Security Agency had somehow weakened Microsoft's
crypto and tagged the fix "_NSAkey." To put a few authoritative
nails in this coffin, read the thoughts of Russ Cooper [4], propri-
etor of NTBugTraq, and of the noted cryptographer Bruce Schneier

The investigations of Fernandes (building on work last year by Nicko
van Someren and Adi Shamir) have publicized a way to disable crypto
export control in Windows. Anyone outside the US can replace _NSAkey
with their own key, and use that key to sign a crypto module of any
strength, and then use that strong crypto under the auspices of Win-
dows. But note that this impotence of Microsoft's CryptoAPI to con-
trol what crypto gets run is not new news. Bruce Schneier pointed
out this Windows weakness in his CRYPTO-GRAM newsletter last April
[6], before anybody discovered the name of the replaceable second

What will be the fallout of this security fiasco? Even more people
will be made aware that Microsoft security is porous. Even more
people will learn of the utter inability of US controls to stop the
export of technology which truly escaped a decade ago. And even
fewer people will believe what Microsoft says, even though in the
matter of the _NSAkey the company is probably telling the gospel