Interesting People mailing list archives

IP: two more on NSA Key one from Spafford and one from MS


From: David Farber <farber () cis upenn edu>
Date: Sat, 4 Sep 1999 16:01:52 -0400



X-Sender: spaf@128.10.2.20
Reply-To: spaf () cs purdue edu
X-URI: http://www.cerias.purdue.edu/
Date: Sat, 4 Sep 1999 11:49:52 -0500
To: farber () cis upenn edu
From: Gene Spafford <spaf () cs purdue edu>
Subject: Re: IP: Some more on "nsakey"
Cc: ip-sub-1 () admin listbox com

Well, it is always easier to believe a conspiracy theory or dark designs.

However, there may be alternative explanations.

For instance, I happen to know that various 3-letter agencies use a 
lot of Windows machines (in a sense, that should be scary all by 
itself :-).    Suppose they want to load their own highly-classified, 
very closely-guarded version of their own crypto routines.   Do you 
think they will send copies of their code out to Redmond to get it 
signed so it can be loaded?   Or are they going to sign it 
themselves, with their own key, doing it in-house where it is "safe"? 
If they are going the in-house route, then either Microsoft needs to 
share the private key with them (bad idea), or the code needs to 
accommodate a second  key schedule generated inside the TLA.    Hmmm, 
that sounds familiar, doesn't it?

Another explanation, that I may have read here (this issue has been 
discussed on many lists) is that to get the approval for export, the 
folks at MS needed to include a "back-up" key in case the first was 
compromised in some way.  They would need to switch over to using the 
alternate key for all the systems already out there.   But how would 
they do that unless the second key was already installed, so they 
could do the switch using that second key?    So, if you were MS, and 
the NSA required you to install a backup key like this, what would 
you call it?

Of course, it could be that MS wanted the backup key themselves, and 
the programmer involved in the coding decided to name it something 
silly.

Or, there is a history of MS code being shipped with undocumented 
code elements, and things that MS management don't know are present. 
Suppose the code (involving only a few lines of code) was placed 
there by an agent of the intelligence services of some other country 
(it wouldn't be that hard to subvert an existing employee or place 
one at MS with good coding skills who could eventually gain access to 
the appropriate code).  He/she names the variables with "NSA" in 
place in case anyone doing a code review would question it -- and 
includes a comment block that says "The NSA required this to be here 
-- do not change or ask questions."   The "sinister purpose" might be 
correct, but you are blaming the wrong entity.

Heck, maybe this is a grand design of Mr. Gates himself: after all, 
he's certainly having some aggravation from the U.S. Justice 
Department!

There are other possible explanations for the name, too.

These alternate explanations do not mean that the extra key does not 
have side-effects (such as clandestine installation and circumvention 
of the export controls).     And of course, we will probably never 
know what the primary reason for this key is, nor will we know what 
role these side-effects may have had in the decision, despite what 
people eventually claim.

The key thought is that there are possible scenarios for the naming 
of the key that do not involve nefarious activity, or do not involve 
such activity by the NSA.     That should not be the immediate 
conclusion people reach.

And, at the risk of starting some tirades, let me ask a (rhetorical) 
question:  even if it was put there for purposes of clandestine 
monitoring, what is wrong with that?   If this gets used to monitor 
terrorists with NBC weapons, drug cartels, or weapons labs in Iraq, 
isn't that what we want done?  In that light, there should be some 
concern that this has now been exposed and possibly nullified!   The 
history of cryptography shows -- repeatedly -- that having crypto 
assets makes a huge difference in times of conflict, and that getting 
such assets in place and working takes time.    It would be naive to 
believe that there are no such threats looming, or that there is no 
such likelihood in the future.

We should be clear in our discussions as to whether our concern is 
the presence of the code, or over who may have control of it.   Is 
the issue really one of what controls are in place that ensure that 
the code isn't used against inappropriate targets (e.g., law-abiding, 
friendly businesses and citizens)?   Unfortunately, we don't have 
strong assurances in this realm, and there have been some past abuses 
(or alleged abuses).   But that may be moot if the code was actually 
placed for some other group's dark design.

--spaf

From: "the terminal of Geoff Goodfellow" <geoff () iconia com>
To: "Dave e-mail pamphleteer Farber" <farber () cis upenn edu>

Microsoft Says Speculation About Security and NSA is 'Inaccurate and 
Unfounded'
PR Newswire, Sep 3 20:35

REDMOND, Wash., Sept. 3 /PRNewswire/ -- Microsoft Corp. said today that
speculation about Microsoft(R) Windows(R) security and the U.S. National
Security Agency (NSA) is "inaccurate and unfounded."

In response to speculation by a Canadian cryptography company that Microsoft
had somehow allowed the NSA to hold a "backdoor" key to the encryption
framework in its Windows operating system, Microsoft issued the following
statement:

"This report is inaccurate and unfounded. The key in question is a Microsoft
key. It is maintained and safeguarded by Microsoft, and we have not shared this
key with the NSA or any other party.

"Microsoft takes security very seriously. This speculation is ironic since
Microsoft has consistently opposed the various key escrow proposals suggested
by the government because we don't believe they are good for consumers, the
industry or national security.

"Contrary to this report, the key in question would not allow security services
to be started or stopped without the user's knowledge."

Microsoft said the key is labeled "NSA key" because NSA is the technical review
authority for U.S. export controls, and the key ensures compliance with U.S.
export laws. The company reiterated that Microsoft has not shared this key with
the NSA or any other company or agency.

Founded in 1975, Microsoft (NASDAQ:MSFT) is the worldwide leader in software
for personal computers. The company offers a wide range of products and
services for business and personal use, each designed with the mission of
making it easier and more enjoyable for people to take advantage of the full
power of personal computing every day.

NOTE: Microsoft and Windows are either registered trademarks or trademarks of
Microsoft Corp. in the United States and/or other countries. Other product and
company names herein may be trademarks of their respective owners. SOURCE
Microsoft Corp.
-0- 09/03/1999
/NOTE TO EDITORS: If you are interested in viewing additional information on
Microsoft, please visit the Microsoft Web page at
http://www.microsoft.com/presspass/ on Microsoft's corporate information
pages./

/CONTACT: press only, Jennifer Todd of Waggener Edstrom, 425-637-9097, or
jtodd () wagged com, for Microsoft; or Mark Murray of Microsoft, 425-936-3306, or
mmurray () microsoft com/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Geoff_Goodfellow () iconia com, Prague CZ * tel/mobil +420 (0)603 706 558
"Success is getting what you want & happiness is wanting what you get"
http://www.nytimes.com/library/tech/99/01/biztech/articles/17drop.html

