[CTRL] The Myth of Microsoft Security

[Kris Millegan]

 -Caveat Lector-

from:
http://www.aci.net/kalliste/microsof_nsa.htm
<A HREF="http://www.aci.net/kalliste/microsof_nsa.htm">The Myth of Microsoft
Security</A>
-----


The Myth of Microsoft Security


------------------------------------------------------------------------


Prologue

Robert Novak Hypes "Microsoft's Powerful Codes"

Buzzwords, by J. Orlin Grabbe
=====
from:
http://www.aci.net/kalliste/novak.htm

Buzz Words



by J. Orlin Grabbe



Latest to join the ranks of encryption-nazis, along with en vogue
 bashing of Bill Gates, is Robert Novak, a columnist for the Chicago
Sun-Times and regular on CNN’s Capital Gang. Writing in a June 28 column
"A high-tech defeat," Novak drags out the tired boogeyman of
"international drug lords" and "drug cartels" to explain why the DEA’s
Thomas A. Constantine and the FBI’s Louis J. Freeh should be able to
listen to our conversations at their leisure. The fact they can’t is all
the fault of Bill Gates ("the world’s richest man," Novak darkly notes)
because "encryption devices sold by his company and used by
international drug lords are so powerful they cannot be deciphered by
law enforcement." Gee, fancy that.



The satire is all the richer once one realizes that Novak may believe
his own moronic bilge. Let’s summarize the plot and the cast of bit
players.



First we have Bill Gates, an evil plutocrat who is being taken to task
for not selling shoddy-enough products: his software actually runs on
some computers, and his encryption devices can’t be broken by Beavis and
Butthead.



"As Gates knows, no computer is big enough to break Microsoft’s new
codes," warns Robert Novak, crusading journalist, moral conscience of
the nation, and also secretly-paid Microsoft PR agent whose primary task
is to promote the notion that some of Microsoft’s encryption products
are actually secure.



Next, we have "career cop" Thomas Constantine, the ring-leader of a gang
of pirates whose main job is to protect the high profit margins
available to approved dealers of illicit drugs by busting the
competition and thus restricting the supply. Constantine has in recent
years graduated to international bank theft as noted in a previous issue
of Liberty ("The Money Laundromat," November 1995).



Then there are the Freehstone Kops, who (headed by a panty-waist in
elevator shoes) are actually scared of real criminals, and so prefer to
content themselves with monitoring the conversations of widows and
orphans, and others they can easily pick on. In recent years, the Kops
have adopted the motto that "if you can’t beat ‘em, join ‘em," and
(according to detailed journalistic accounts and court filings) become
heavily involved in protecting the drug trade in locations such as
Montana. However, part of their operation has now fallen apart,
apparently because they weren’t using Microsoft’s "powerful" encryption
products.



Now for the plot complication. Are you ready? The evil Drug Lords, who
work hand-in-hand with Bill Gates to provide a paycheck to the Con and
the Kops, have discovered—prepare yourself now, are you ready?—LEVEL TWO
ENCRYPTION. Their billions in drug profits had not previously allowed
the Drug Lords to reach this plateau of enlightenment, but now with the
aid of the sinister Bill Gates they have gotten their mojo working.



Crusading moralist Novak explains: "Freeh and Constantine are desperate.
Wiretapping is law enforcement's biggest weapon, authorized by court
order 1,329 times nationwide in 1998—72 percent for drug cases. No
longer able to infiltrate the narcotics apparatus, the DEA depends on
eavesdropping.

"But intercepted conversations now are interrupted by a steady buzz,
signifying that intelligible conversation is encrypted. What experts
call ‘level-one encryption’ could be decoded, but the drug lords have
turned to ‘level two.’



" ‘And we can't break it,’ Constantine told me. ‘There's no big computer
in Livermore [Calif.] or in New York City that you can take your staff
to and say, "Take the buzz, and make it into words." It's just that
encryption is ahead of the power of the decrypt.’ The agents need the
key supplied by the manufacturers."



Closely pursued by a STEADY BUZZ, Con and Kops go in search of the
sacred keys. After many adventures and close calls, the pair of lovable
rogues rescue a sexy blonde, Helga, 19, whose bits were previously held
in bondage to Microsoft’s powerful codes. She gives them a list of
computer manufacturers: Compaq, Dell, Apple, IBM . . . .



"You left off Microsoft," Con points out suspiciously.



"Microsoft doesn’t manufacture computers," Helge explains with a flutter
of her eyelashes. "We need the keys supplied by the manufacturers,
remember?"



Their team is soon joined by Novak, the crusading journalist and Jesus
of juju. He hastily delivers the latest news: ". . . the Senate and
House Commerce committees last week approved bills to end export
controls over encryption systems to which law enforcement and national
security officials have no access. That would give the big drug cartels,
now based in Mexico, worry-free communications with their U.S.
operatives."



"But wait," Helga says, puzzled. "If the Drug Lords can ship tanker
loads of drugs across the border, why is it they can’t smuggle a few
floppy disks, containing powerful encryption programs, or just buy them
overseas—or even learn to use the Internet?"



"Hush!" commands Novak. "You are giving away national security secrets
that they"—he indicates Con and Kops—"are not permitted to know."



In his June 28 column, Novak quotes Constantine about Bill Gates and his
colleagues: "Their No. 1 concern is to make money. They don't live in a
neighborhood where their mother is shot and killed by dope peddlers in a
gang war."



Funny, Edgar Bronfman—who sells a legal drug called alcohol—doesn’t live
in one of those neighborhoods either. Come to think of it, neither does
Louis Freeh or Thomas Constantine. In fact, I’ll bet Robert Novak’s
mother wasn’t killed by a drug dealer, any more than Bill Gate’s was.
Let’s face it: Freeh, Constantine, and Novak are all getting paid to do
what they do. They’re all in it for the money.



Keep that in mind the next time you read a column by the evil plutocrat,
cryptologically- illiterate, Big-Brother advocate, and purveyor of
buzz-words Robert Novak.



Liberty, September 1999
=====


------------------------------------------------------------------------
The News

The "NSA Backdoor" in Microsoft Windows

The Story Behind the Sound and Fury

=====
from:
http://www.cryptonym.com/hottopics/msft-nsa.html

Microsoft, the NSA, and You


Here is the press release; for the full details, look here.

A sample program which replaces the NSA's key is here, at the bottom of
the page.

FOR IMMEDIATE RELEASE

Microsoft Installs US Spy Agency with Windows

Research Triangle Park, NC - 31 August 1999 - Between Hotmail hacks and
browser bugs, Microsoft has a dismal track record in computer security.
Most of us accept these minor security flaws and go on with life. But
how is an IT manager to feel when they learn that in every copy of
Windows sold, Microsoft may have installed a 'back door' for the
National Security Agency (NSA - the USA's spy agency) making it orders
of magnitude easier for the US government to access their computers?

While investigating the security subsystems of WindowsNT4, Cryptonym's
Chief Scientist Andrew Fernandes discovered exactly that - a back door
for the NSA in every copy of Win95/98/NT4 and Windows2000. Building on
the work of Nicko van Someren (NCipher), and Adi Shamir (the 'S' in
'RSA'), Andrew was investigating Microsoft's "CryptoAPI" architecture
for security flaws. Since the CryptoAPI is the fundamental building
block of cryptographic security in Windows, any flaw in it would open
Windows to electronic attack.

Normally, Windows components are stripped of identifying information. If the
computer is calculating "number_of_hours = 24 * number_of_days", the only
thing a human can understand is that the computer is multiplying "a = 24 * b".
Without the symbols "number_of_hours" and "number_of_days", we may have no
idea what 'a' and 'b' stand for, or even that they calculate units of time.

In the CryptoAPI system, it was well known that Windows used special numbers
called "cryptographic public keys" to verify the integrity of a CryptoAPI
component before using that component's services. In other words, programmers
already knew that windows performed the calculation "component_validity =
crypto_verify(23479237498234...,crypto_component)", but no-one knew exactly
what the cryptographic key "23479237498234..." meant semantically.

Then came WindowsNT4's Service Pack 5. In this service release of software
from Microsoft, the company crucially forgot to remove the symbolic
information identifying the security components. It turns out that there are
really two keys used by Windows; the first belongs to Microsoft, and it allows
them to securely load CryptoAPI services; the second belongs to the NSA. That
means that the NSA can also securely load CryptoAPI services... on your
machine, and without your authorization.

The result is that it is tremendously easier for the NSA to load unauthorized
security services on all copies of Microsoft Windows, and once these security
services are loaded, they can effectively compromise your entire operating
system. For non-American IT managers relying on WinNT to operate highly secure
data centers, this find is worrying. The US government is currently making it
as difficult as possible for "strong" crypto to be used outside of the US;
that they have also installed a cryptographic back-door in the world's most
abundant operating system should send a strong message to foreign IT managers.

There is good news among the bad, however. It turns out that there is a flaw
in the way the "crypto_verify" function is implemented. Because of the way the
crypto verification occurs, users can easily eliminate or replace the NSA key
from the operating system without modifying any of Microsoft's original
components. Since the NSA key is easily replaced, it means that non-US
companies are free to install "strong" crypto services into Windows, without
Microsoft's or the NSA's approval. Thus the NSA has effectively removed export
control of "strong" crypto from Windows. A demonstration program that replaces
the NSA key can be found on Cryptonym's website.

Cryptonym: Bringing you the Next Generation of Internet Security,
using cryptography, risk management, and public key infrastructure.

Interview Contact:
   Andrew Fernandes
   Telephone: +1 919 469 4714
   email: [EMAIL PROTECTED]
   Fax: +1 919 469 8708

Cryptonym Corporation
1695 Lincolnshire Boulevard
Mississauga, Ontario
Canada  L5E 2T2

http://www.cryptonym.com

# # #




------------------------------------------------------------------------


The Full Details


These details are essentially the contents of the "Rump Session" talk
that Andrew Fernandes gave at the Crypto'99 Conference, on
15 August 1999, in Santa Barbara, California.
An Overview of the Microsoft's CryptoAPI


Microsoft's CryptoAPI allows independent software vendors (ISVs) to
dynamically load Cryptographic Serivce Providers (CSPs) as in the
following diagram:



This arrangement of having Windows verify the CSP signature is what
allows Microsoft to add cryptographic functionality to Windows. They
will not digitally sign a CSP unless you first agree to abide by US
export rules. Translation: Microsoft will not allow non-US companies to
add strong crypto functions to Windows.

Fortunately, the verification of the CSP's digital signature opens up a
security flaw in this picture.
Observations


Using NT4 Server, SP5 (domestic, 128-bit encryption version), and Visual
C++ 6, SP3. These same results have been found in Win95osr2, Win98,
Win98gold, WinNT4 (all versions), and Win2000 (up to and including build
2072, RC1).


Before CSP loading
 in ADVAPI32.DLL
Address 0x77DF5530

->
A9 F1 CB 3F DB 97 F5 ... ... ...
Address 0x77DF55D0

->
90 C6 5F 68 6B 9B D4 ... ... ...
After RC4 encryption using
 we see
A2 17 9C 98 CA

=>
R S A 1 ... 00 01 00 01 ... (looks like an RSA public key)
A0 15 9E 9A CB

=>
R S A 1 ... 00 01 00 01 ... (looks like an RSA public key)
Looking at SP5 debugging symbols
 in "_CProvVerifyImage@8"
Address 0x77DF5530

<-
has data tag "_KEY"
Address 0x77DF55D0

<-
has data tag "_NSAKEY"

Screenshots One, Two, Three, Four, and Five showing the actual debugging
information.
The Flaw

An attack:

•Replace "_KEY" with your own key...
•...but Windows will stop working since it cannot verify it's own
security subsystem!
An better attack:

•Replace "_NSAKEY" with your own key...
•... Windows keeps working, since Microsoft's key is still there
•stops the NSA
•works becaus Windows tries to verify the CSP first using "_KEY", and
then silently fails over to "_NSAKEY"
The Result:

•Windows CryptoAPI system still functional
•the NSA is kicked out
•the user can load an arbitrary CSP, not just one that Microsoft or the
NSA signed!
Implications

1.What is the purpose of "_NSAKEY"? Espionage? Or do they simply not
want to rely on Microsoft when installing their own CSPs?
2.Using RSA's Data Security's (now Security Dynamics) "BSafe" toolkit
actually makes analysis of a program easier.
3.We do not need to modify the "advapi32.dll" file in order to remove
the NSA key, nor do we need special privilleges on the machine. a.use
self-modifying code
b.needs undocumented vxd calls under Win95 and Win98
c.needs special memory features under WinNT and Win2k 4.It is easy for
any process to bypass any CSP and substitute its own.
5.Export controll is effectively dead for Windows.
6.Note for Win2k - there appear to be three keys in Win2k; Microsoft's,
the NSA's, and an unknown third party's. Thanks to Nicko van Someren for
bringing this to our attention.
Removing the NSA


A sample program which replaces the NSA key with a test key, and leaves
the rest of the CryptoAPI system intact, can be downloaded here
 (currently only for WinNT and Win2k). For legal reasons, source code
will be provided for free, but only be available through a Nondisclosure
Agreement with Cryptonym. These files are provided for demonstration
purposes only, and may not be redistributed or used for any purpose
other than demonstration without the written authorization and license o
f Cryptonym Corporation. For more information, please contact:
Andrew Fernandes
email: [EMAIL PROTECTED]
Phone +1 919 469 4714
Fax   +1 919 469 8708




------------------------------------------------------------------------
:: Home :: Products :: Services :: Research :: Hot Topics :: Company
Info :: Contact Us ::
Copyright © 1999 Cryptonym Corporation. All rights reserved.
=====


------------------------------------------------------------------------
Analysis

Analysis By People We Trust I: Markus Kuhn


Subject: Re: NSA key in MSFT Crypto API
Date: Sat, 04 Sep 1999 11:41:02 +0100
From: Markus Kuhn
To: "cypherpunks@Algebra. COM" ,
     "'Salz, Rich'" ,
     "Cryptography@C2. Net" ,
     [EMAIL PROTECTED]

The actual funny story behind the presence of the NSA key has been
seriously misunderstood here. CSP verification keys have only one *real*
purpose: They are intended to enforce the US export restriction
requirement that Microsoft is not allowed to ship software abroad that
can easily be extended with strong cryptography. They are certainly not
intended as any useful form of integrity protection for your system.

The NSA got their own CSP verification key, because they want to be able
to change their own secret US government CSPs required for the handling
of classified documents, without having to go to Microsoft each time to
get a signature for an NSA CSP update. Fair enough. So Microsoft built
in a second verification key such that the NSA can produce and install
on DoD PCs their own CSPs without requiring any Microsoft involvement.

The real funny part is that Microsoft did not protect the NSA key
particularly well, such that everyone can easily replace the NSA key
easily with his own key. This was reported by Nicko van Someren at the
Crypto'98 rump session. This means that everyone can now easily install
his own CSPs with arbitrarily strong cryptography. This means that the
NSA's demand to get quickly a second key added led in effect to the easy
international availability of strong encryption CSPs. My guess is that
this is Microsoft's sweet revenge against the NSA for creating all these
Export hassles (e.g., the requirement that CSPs be signed) in the first
place. It backfired nicely against the NSA. :)

All this has nothing to do with an NSA backdoor, because the CSP keys
are an export enforcement tool and not an integrity protection tool.
They do not protect all parts of the system that could be compromised by
someone who wants to install some eavesdropping malware. The CSP
verification keys only authenticate that no cryptography that violates
export laws has been installed. If you are worried about the NSA
installing malicious software on your PC, you should not rely on the CSP
verification keys (which were never designed for that purpose anyway),
but on virus scanners with tripwire functionality that report any
modifications to your DLLs. There is no digital signature functionality
required to implement these, simple secure hash algorithms will
perfectly do.

Please apply a bit of simple critical thinking here:

If the NSA wanted to have real backdoor functionality, they would much
more likely simply steal Microsofts own keys instead of embedding
additional keys with an obvious symbol name. Remember: The NSA is the
world's largest key thief. They have stolen crypto variables from
well-protected military and government agencies from all over the world
using the usual repertoire of techniques (bribery, extortion,
eavesdropping, hacking, infiltration, etc.). If they can do it with
eastern military agencies, they can most certainly also do it easily
with Microsoft, which is orders of magnitudes less well protected than
the usual NSA target. If there is a real NSA backdoor key in Windows,
that it would certainly be identical to Microsoft's own key.

Markus

--
Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
Email: mkuhn at acm.org,  WWW:



------------------------------------------------------------------------
Analysis

Analysis By People We Trust II: Bruce Schneier


from: sci.crypt
subject: NSA and MS windows

A few months ago in my newsletter Crypto-Gram, I talked about
Microsoft's system for digitally signing cryptography suits that go
into its operating system.  The point is that only approved crypto
suites can be used, which makes thing like export control easier.
Annoying as it is, this is the current marketplace.

Microsoft has two keys, a primary and a spare.  The Crypto-Gram
article talked about attacks based on the fact that a crypto suite
is considered signed if it is signed by EITHER key, and that there
is no mechanism for transitioning from the primary key to the
backup.  It's stupid cryptography, but the sort of thing you'd
expect out of Microsoft.

Suddenly there's a flurry of press activity because someone notices
that the second key is called "NSAKEY" in the code.  Ah ha!  The NSA
can sign crypto suites.  They can use this ability to drop a
Trojaned crypto suite into your computers.  Or so the conspiracy
theory goes.

I don't buy it.

First, if the NSA wanted to compromise Microsoft's Crypto API, it
would be much easier to either 1) convince MS to tell them the
secret key for MS's signature key, 2) get MS to sign an
NSA-compromised module, 3) install a module other than Crypto API to
break the encryption (no other modules need signatures).  It's
always easier to break good encryption.

Second, NSA doesn't need a key to compromise security in Windows.
Programs like Back Orifice can do it without any keys.  Attacking
the Crypto API still requires that the victim run an executable
(even a Word macro) on his computer.  If you can convince a victim
to run an untrusted macro, there are a zillion smarter ways to
compromise security.

Third, why in the world would anyone call a secret NSA key "NSAKEY."
Lots of people have access to source code within Microsoft; a
conspiracy like this would only be known by a few people.  Anyone
with a debugger could have found this "NSAKEY."  If this is a covert
mechanism, it's not very covert.

I see two possibilities.  One, that the backup key is just as
Microsoft says, a backup key.  It's called "NSAKEY" for some dumb
reason, and that's that.

Two, that it is actually an NSA key.  If the NSA is going to use
Microsoft products for classified traffic, they're going to install
their own cryptography.  They're not going to want to show it to
anyone, not even Microsoft.  They are going to want to sign their
own modules.  So the backup key could also be an NSA internal key,
so that they could install strong cryptography on Microsoft products
for their own internal use.

But it's not an NSA key so they can secretly install weak
cryptography on the unsuspecting masses.  There are just too many
smarter things they can do to the unsuspecting masses.

My original article:

http://www.counterpane.com/crypto-gram-9904.html#certificates

Announcement:

http://www.cryptonym.com/hottopics/msft-nsa.html

Nice analysis:

http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=52

Useful news article:

http://www.wired.com/news/news/technology/story/21577.html
********************************************************************
** Bruce Schneier, President, Counterpane Systems    Phone:
612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN  55419
Fax: 612-823-1590           Free crypto newsletter.  See:
http://www.counterpane.com



Posted Sept. 4, 1999
Web Page: http://www.aci.net/kalliste/homepage.html
-----
Aloha, He'Ping,
Om, Shalom, Salaam.
Em Hotep, Peace Be,
Omnia Bona Bonis,
All My Relations.
Adieu, Adios, Aloha.
Amen.
Roads End
Kris

DECLARATION & DISCLAIMER
==========
CTRL is a discussion and informational exchange list. Proselyzting propagandic
screeds are not allowed. Substance—not soapboxing!  These are sordid matters
and 'conspiracy theory', with its many half-truths, misdirections and outright
frauds is used politically  by different groups with major and minor effects
spread throughout the spectrum of time and thought. That being said, CTRL
gives no endorsement to the validity of posts, and always suggests to readers;
be wary of what you read. CTRL gives no credeence to Holocaust denial and
nazi's need not apply.

Let us please be civil and as always, Caveat Lector.
========================================================================
Archives Available at:
http://home.ease.lsoft.com/archives/CTRL.html

http:[EMAIL PROTECTED]/
========================================================================
To subscribe to Conspiracy Theory Research List[CTRL] send email:
SUBSCRIBE CTRL [to:] [EMAIL PROTECTED]

To UNsubscribe to Conspiracy Theory Research List[CTRL] send email:
SIGNOFF CTRL [to:] [EMAIL PROTECTED]

Om