NSAKEY

_NSAKEY is the name of a variable discovered in August 1999 in the Operating system Windows NT 4 (SP5) of Microsoft. This version was diffused without the information intended for the Débogage being removed.

The variable discovered by Andrew D. Fernandes of Cryptonym Corporation contained a public key of 1024 bits. The news caused an general outcry and the appearance of various rumors concerning a possible governmental conspiracy. If NSA were indeed in possession of the secret key corresponding to the key present in Windows NT, it had been possible for the government agency to quantify data coming from the users and, with the complicity of Microsoft, to recover this information.

Context

Any cryptographic continuation integrated within the operating systems of Microsoft requires to be signed numerically. This procedure facilitates the steps near the American administration charged to check the exported products, EAR (Export Administration Regulations). This entity belongs to the Département the Commercial and includes/understands BXA (Bureau off Export Administration).

The use of two keys by Microsoft was already known. Both being able to produce valid signatures. The first key was contained in the variable _KEY, Fernandes discovered the second.

Reaction of Microsoft

Microsoft refuted the charges: “(...) this report/ratio is inaccurate and unfounded. The key in question is a key of Microsoft. It is maintained and (the secret key) is preserved at the shelter. We did not divide this key with the NSA or any other third party. (...)”. The symbol _NSAKEY had been allotted because of the technical expertises and control to export operated by the NSA. The key was also compatible with the laws of export of the the United States.

But certain declarations of Microsoft, whereas the discussion beat full sound, worsened even more the Paranoïa.

The conference The Computers, Freedom and Privacy 2000 took place of the 4 with the April 7th 2000 with Toronto. At the time of a presentation, Duncan Campbell, journalist and Senior Research Fellow within the Electronic Privacy Information Center (EPIC), mentioned that the controversy related to the _NSAKEY was an striking example of the problems involved in safety and the monitoring.

Richard Purcell, director of the section Corporate Privacy of Microsoft, spoke with Campbell after his presentation to clear up this polemic. Immediately after the conference, Scott Culp of the Security Response Center of Microsoft contacted Campbell and proposed to him to answer its questions. If their exchanges were courteous at the beginning, the discussion envenima quickly. Campbell affirmed that Culp was evasive and Culp on its side declared, that in a hostile intention, Campbell did not cease putting questions which he had already answered.

The April 28th 2000, Culp declared that “we undoubtedly reached the end of this discussion (...) which is quickly being inserted in the kingdom of the conspiracy”. The other interrogations of Campbell remained unanswered.

Other theories

After a polemic with various cryptographic expertises, several conclusions were advanced. Certain observers, whose Fernandes, doubted that BXA imposed a specific safeguard of the keys. However, none the partisans of this thesis estimated to have necessary competence for formally proving it.

Microsoft insisted that the second key is presented like a safeguard. If the first secret key had suddenly been lost, Microsoft could always work with the other pair. Fernandes and Bruce Schneier announced their doubt as for the relevance of this explanation. For them, the best means of preserving a secret key consists to divide it into several pieces which would be distributed to trustworthy persons. Such a solution would be much more robust than to use two keys. If the second key had been lost, Microsoft would have owed “patcher” or to update the whole of the copies of Windows in the world, just as all the modules as the company could have signed. If a person had suddenly lost a piece of the key, a exhaustive Recherche would be necessary but on less low number of bits. With 64 people, a key of 1024 bits would be divided in segments of 16 bits, a segment could be found in the space of a few seconds in so far as the 63 other segments are available. Even if three segments had suddenly missed, research would relate to 2⁴⁸ values, an order of accessible magnitude for a company like Microsoft.

Another conclusion affirms that the second key was intended for signatures apart from the United States, while remaining compatible with the payments of the BXA. If the cryptographic modules were to be signed in several places, the use of several keys seemed more logical. However, no cryptographic module seems to be signed by the _NSAKEY and Microsoft contradicted that another authority of certification existed.

A third possibility would relate to the NSA and other government agencies which, to be able to sign their own cryptographic modules, would use the secret key. These modules with classified algorithms would be used within the agencies without being transmitted to Microsoft. Such a possibility would allow de facto the NSA to sign modules which could make Windows more vulnerable. One however pointed out that there were simpler means to put at evil an installation of Windows without passing by the API one of cryptography.

Microsoft affirmed that the NSA did not have the secret key corresponds to the _NSAKEY. The key is to date still present in Windows but it was re-elected in “_KEY2”.

Keys with format PGP

In September 1999, an anonymous researcher applied Retro-engineering to the keys to obtain the data equivalent to the format PGP and published the result on a Serveur of keys:

Principal key

Bits type/KeyID Dates To use ID pub 1024/346B5095 1999/09/06 Microsoft' S CAPI key

-----PUBLIC BEGIN PGP KEY BLOCK----- Version: 2.6.3i mQCPAzfTc8YAAAEEALJz4nepw3XHC7dJPlKws2li6XZiatYJujG+asysEvHz2mwY 2WlRggxFfHtMSJO9FJ3ieaOfbskm01RNs0kfoumvG/gmCzsPut1py9d7KAEpJXEb F8C4d+r32p0C3V+FcoVOXJDpsQz7rq+Lj+HfUEe8GIKaUxSZu/SegCE0a1CVABEB AAG0L01pY3Jvc29mdCdzIENBUEkga2V5IDxwb3N0bWFzdGVyQG1pY3Jvc29mdC5j b20+iQEVAwUQN9Nz5j57yqgoskVRAQFr/gf8DGm1hAxWBmx/0bl4m0metM+IM39J yI5mub0ie1HRLExP7lVJezBTyRryV3tDv6U3OIP+KZDthdXb0fmGU5z+wHt34Uzu xl6Q7m7oB76SKfNaWgosZxqkE5YQrXXGsn3oVZhV6yBALekWtsdVaSmG8+IJNx+n NvMTYRUz+MdrRFcEFDhFntblI8NlQenlX6CcnnfOkdR7ZKyPbVoSXW/Z6q7U9REJ TSjBT0swYbHX+3EVt8n2nwxWb2ouNmnm9H2gYfXHikhXrwtjK2aG/3J7k6EVxS+m Rp+crFOB32sTO1ib2sr7GY7CZUwOpDqRxo8KmQZyhaZqz1x6myurXyw3Tg== =ms8C -----PUBLIC END PGP KEY BLOCK-----

Secondary key (_NSAKEY)

Bits type/KeyID Dates To use ID pub 1024/51682D1F 1999/09/06 NSA' S Microsoft CAPI key -----PUBLIC BEGIN PGP KEY BLOCK----- Version: 2.6.3i mQCPAzfTdH0AAAEEALqOFf7jzRYPtHz5PitNhCYVryPwZZJk2B7cNaJ9OqRQiQoi e1YdpAH/OQh3HSQ/butPnjUZdukPB/0izQmczXHoW5f1Q5rbFy0y1xy2bCbFsYij 4ReQ7QHrMb8nvGZ7OW/YKDCX2LOGnMdRGjSW6CmjK7rW0veqfoypgF1RaC0fABEB AAG0LU5TQSdzIE1pY3Jvc29mdCBDQVBJIGtleSA8cG9zdG1hc3RlckBuc2EuZ292 PokBFQMFEDfTdJE+e8qoKLJFUQEBHnsH/ihUe7oq6DhU1dJjvXWcYw6p1iW+0euR YfZjwpzPotQ8m5rC7FrJDUbgqQjoFDr++zN9kD9bjNPVUx/ZjCvSFTNu/5X1qn 1r it7IHU/6Aem1h4Bs6KE5MPpjKRxRkqQjbW4f0cgXg6+LV+V9cNMylZHRef3PZCQa 5DOI5crQ0IWyjQCt9br07BL9C3X5WHNNRsRIr9WiVfPK8eyxhNYl/NiH2GzXYbNe UWjaS2KuJNVvozjxGymcnNTwJltZK4RLZxo05FW2InJbtEfMc+m823vVltm9l/f+ n2iYBAaDs6I/0v2AcVKNy19Cjncc3wQZkaiIYqfPZL19kT8vDNGi9uE= =PhHT -----PUBLIC END PGP KEY BLOCK-----

References

Correspondence between Culp and Campbell
Analysis of Bruce Schneier
keys after retro-engineering

Random links: