NSA key plant in windows .. detect & defuse info

Sep 7 21:57 UTC 1999

Microsoft, the NSA, and You

Here is the press release; for the full details, look here.

A sample program which replaces the NSA's key is here, at the 
bottom of the page.

FOR IMMEDIATE RELEASE 

Microsoft Installs US Spy Agency with Windows 

Research Triangle Park, NC - 31 August 1999 - Between Hotmail hacks and
browser bugs, Microsoft has a dismal track record in computer security.
Most of us accept these minor security flaws and go on with life. But
how is an IT manager to feel when they learn that in every copy of
Windows sold, Microsoft may have installed a 'back door' for the
National Security Agency (NSA - the USA's spy agency) making it orders
of magnitude easier for the US government to access their computers? 

While investigating the security subsystems of WindowsNT4, Cryptonym's
Chief Scientist Andrew Fernandes discovered exactly that - a back door
for the NSA in every copy of Win95/98/NT4 and Windows2000. Building on
the work of Nicko van Someren (NCipher), and Adi Shamir (the 'S' in
'RSA'), Andrew was investigating Microsoft's "CryptoAPI" architecture
for security flaws. Since the CryptoAPI is the fundamental building
block of cryptographic security in Windows, any flaw in it would open
Windows to electronic attack.

Normally, Windows components are stripped of identifying information. If the
computer is calculating "number_of_hours = 24 * number_of_days", the only
thing a human can understand is that the computer is multiplying "a = 24 * b".
Without the symbols "number_of_hours" and "number_of_days", we may have no
idea what 'a' and 'b' stand for, or even that they calculate units of time. 

In the CryptoAPI system, it was well known that Windows used special numbers
called "cryptographic public keys" to verify the integrity of a CryptoAPI
component before using that component's services. In other words, programmers
already knew that windows performed the calculation "component_validity =
crypto_verify(23479237498234...,crypto_component)", but no-one knew exactly
what the cryptographic key "23479237498234..." meant semantically. 

Then came WindowsNT4's Service Pack 5. In this service release of software
from Microsoft, the company crucially forgot to remove the symbolic
information identifying the security components. It turns out that there are
really two keys used by Windows; the first belongs to Microsoft, and it allows
them to securely load CryptoAPI services; the second belongs to the NSA. That
means that the NSA can also securely load CryptoAPI services... on your
machine, and without your authorization. 

The result is that it is tremendously easier for the NSA to load unauthorized
security services on all copies of Microsoft Windows, and once these security
services are loaded, they can effectively compromise your entire operating
system. For non-American IT managers relying on WinNT to operate highly secure
data centers, this find is worrying. The US government is currently making it
as difficult as possible for "strong" crypto to be used outside of the US;
that they have also installed a cryptographic back-door in the world's most
abundant operating system should send a strong message to foreign IT managers.

There is good news among the bad, however. It turns out that there is a flaw
in the way the "crypto_verify" function is implemented. Because of the way the
crypto verification occurs, users can easily eliminate or replace the NSA key
from the operating system without modifying any of Microsoft's original
components. Since the NSA key is easily replaced, it means that non-US
companies are free to install "strong" crypto services into Windows, without
Microsoft's or the NSA's approval. Thus the NSA has effectively removed export
control of "strong" crypto from Windows. A demonstration program that replaces
the NSA key can be found on Cryptonym's website. 

Cryptonym: Bringing you the Next Generation of Internet Security,
using cryptography, risk management, and public key infrastructure. 

Interview Contact:
   Andrew Fernandes
   Telephone: +1 919 469 4714
   email: andrew@cryptonym.com
   Fax: +1 919 469 8708 

Cryptonym Corporation
1695 Lincolnshire Boulevard
Mississauga, Ontario
Canada  L5E 2T2 

http://www.cryptonym.com 

# # #

The Full Details

These details are essentially the contents of the "Rump Session" 
talk that Andrew Fernandes gave at the Crypto'99
Conference, on 15 August 1999, in Santa Barbara, California.

Note 1: many people have written us and assumed that we 
"reverse engineered" Microsoft's code. This is not true; we did not
reverse engineer Microsoft code at any time. In fact, the 
debugging symbols were found using standard Microsoft-purchased
programmer's tools, completely by accident, when debugging 
one of our own programs.

Note 2: many reporters have stated that Andrew studied 
computer science at the University of Waterloo and was a
classmate of Ian Goldberg of Zero Knowlege Systems. In 
fact, Andrew studied biochemistry and mathematics at Waterloo
for his undergraduate, and mathematics at McGill for his 
graduate work. He and Ian graduated in the same year, but really did
not know each other at the time.

An Overview of the Microsoft's CryptoAPI

Microsoft's CryptoAPI allows independent software 
vendors (ISVs) to dynamically load Cryptographic Serivce Providers
(CSPs) as in the following diagram:

<<text prohibits 'following diagram.'>>

This arrangement of having Windows verify the CSP 
signature is what allows Microsoft to add cryptographic functionality to
Windows. They will not digitally sign a CSP unless 
you first agree to abide by US export rules. Translation: Microsoft will not
allow non-US companies to add strong crypto functions to Windows.

Fortunately, the verification of the CSP's digital s
ignature opens up a security flaw in this picture.

Observations

Using NT4 Server, SP5 (domestic, 128-bit encryption version), 
and Visual C++ 6, SP3. These same results have been found
in Win95osr2, Win98, Win98gold, WinNT4 (all versions), and Win2000 
(up to and including build 2072, RC1).

Many people have emailed us to say that these debugging symbols 
are actually present in NT4-Workstation, and are in the
original CD's debugging symbols! Thanks, people!

             Before CSP loading         in ADVAPI32.DLL

             Address 0x77DF5530   ->    A9 F1 CB 3F DB 97 F5 ... ... ...
             Address 0x77DF55D0   ->    90 C6 5F 68 6B 9B D4 ... ... ...
  
                                 
                                     
    After RC4 encryption using          we see

                A2 17 9C 98 CA   =>     R S A 1 ... 00 01 00 01 ...
                                        (looks like an RSA public key)

                A0 15 9E 9A C8   =>     R S A 1 ... 00 01 00 01 ...
                                        (looks like an RSA public key)
  
                                 
                                     
  Looking at SP5 debugging symbols in   "_CProvVerifyImage@8"

    Address 0x77DF5530   <-     has data tag "_KEY"

    Address 0x77DF55D0   <-     has data tag "_NSAKEY"


Screenshots One:
http://www.cryptonym.com/hottopics/msft-nsa/AdvApi32dll-1.gif, 

Two:
http://www.cryptonym.com/hottopics/msft-nsa/AdvApi32dll-2.gif, 

Three:
http://www.cryptonym.com/hottopics/msft-nsa/AdvApi32dll-3.gif, 

Four:
http://www.cryptonym.com/hottopics/msft-nsa/AdvApi32dll-4.gif, 

and Five:
http://www.cryptonym.com/hottopics/msft-nsa/AdvApi32dll-5.gif 

showing the actual debugging information.

The Flaw

An attack:

     Replace "_KEY" with your own key... 
     ...but Windows will stop working since it cannot verify its 
        own security subsystem! 

An better attack:

     Replace "_NSAKEY" with your own key... 
     ... Windows keeps working, since Microsoft's key is still there 
     stops the NSA 
     works because Windows tries to verify the CSP first using "_KEY", 
        and then silently fails over to "_NSAKEY" 

The Result:

     Windows CryptoAPI system still functional 
     the NSA is kicked out 
     the user can load an arbitrary CSP, not just one that Microsoft 
        or the NSA signed! 

Implications

   1.What is the purpose of "_NSAKEY"? Espionage? Or do they simply not 
        want to rely on Microsoft when installing their own CSPs? 
   2.Using RSA's Data Security's (now Security Dynamics) "BSafe" toolkit 
        actually makes analysis of a program easier. 
   3.We do not need to modify the "advapi32.dll" file in order to remove 
        the NSA key, nor do we need special privilleges on the machine. 
        a.use self-modifying code 
        b.needs undocumented vxd calls under Win95 and Win98 
        c.needs special memory features under WinNT and Win2k 
   4.It is easy for any process to bypass any CSP and substitute its own. 
   5.Export control is effectively dead for Windows. 
   6.Note for Win2k - there appear to be three keys in Win2k; Microsoft's, 
        the NSA's, and an unknown third party's.

     Thanks to Nicko van Someren for bringing this to our attention. 

Removing the NSA

A sample program which replaces the NSA key with a test key, and 
leaves the rest of the CryptoAPI system intact, can be
downloaded by clicking this link (to):
  
http://www.cryptonym.com/hottopics/msft-nsa/ReplaceNsaKey.zip

(currently only for WinNT and Win2k). 

For legal reasons, source code will be provided for
free, but only be available through a Nondisclosure Agreement with 
Cryptonym. You can download the NDA here. These files are provided 
for demonstration purposes only, and may not be 
redistributed or used for any purpose other than demonstration
without the written authorization and license of Cryptonym Corporation. 
For more information, please contact:

Andrew Fernandes 
email: andrew@cryptonym.com
Phone +1 919 469 4714
Fax   +1 919 469 8708

        Win95/98 Programmers: we could use help in porting the software 
to Win95/98. If you have a strong background in
Win95/98 virtual memory management, virtual device writing, and Windows 
'internals', and don't mind volunteering your time,
please contact Andrew at the addresses above!

response 2 of 29:

Sep 8 01:08 UTC 1999

I don't use *any* service packs with NT. How does that affect this?

response 4 of 29:

Sep 8 04:27 UTC 1999

I spent the weekend in 'Silicon Valley' and this is 'all the buzz'
there.  Apparently a lot of 'micro$ofty' types are rather pissed that at
the same time they are cooperating with 'the government' on
cryptographic issues the same 'government' is going after them for
'anti-trust' violations - thus perhaps the 'forgetting' to 'strip' the
code prior to release was somewhat less than accidental at some low
level.  (Surely the Micro$oft top level management wouldn't be so shrewd
as to 'play hardball'  with 'the government'?)

Interesting story, but we are too busy hashing over 6 year old Waco
Wacko stuff to pay attention.

response 6 of 29:

Sep 8 06:34 UTC 1999

So the NSA can 'get in' silly.  And why does Micro$oft feel it needs to
'get in' to any OS it sells in the first place?  So Micro$oft has the
ability to read all 'crypted' traffic of its users?  There is a
legitimate need for that?  Is that what they are saying?  So Micro$oft
can read all 'secure' traffic of its users if it feels the 'need' to?
Wow.  All I can say is, Wow. This is 'science fiction' novel type stuff,
who woulda thunk it was real world kinda thingy.  Neato-keen.

response 8 of 29:

Sep 8 08:29 UTC 1999

So, the NSA can read your mail?  Don't your trust them?  They are your
government after all, if you can't trust them, then who can you trust?

You can trust your government. Yep, Just like the 80 or so DEAD at the
WACO Wacko compound could, to murder them.  But you are not a Waco
Wacko.  OK, fine.  You are not a Wacko.  You are a student at a major
midwest university, and your date gets a bit odd, and you step out of
the car with your cellphone where you call your momma to ask for help
and 'boom' you are shot dead.  Ooops.  So sorry, you are dead.

But innocent people have nothing to fear and should welcome 'big
brother'. Oh, sure.  Ok.  no problemo by me.
I am innocent, I know nothing....

response 10 of 29:

Sep 8 18:45 UTC 1999

  re #8:  Wow!  You've certainly convinced ME!!  I AM a student at a major
  midwestern university (though I don't have a cell phone) and had *no idea*
  how dangerous it was to use Microsoft products.  From now on I'll
  JUST SAY NO!

response 12 of 29:

Sep 8 19:02 UTC 1999

Linked to the cyberpunk conference.  Check out our discussions of the
social implications of our networked digital present (and future).

response 14 of 29:

Sep 10 14:15 UTC 1999

good thing i use linux and don't have to worry about this.

response 16 of 29:

Sep 10 19:11 UTC 1999

I recall reading that during the public comment period on the wiretapping
requirement legislation backed by the FBI, they had 300 letters opposing
and three in favor.  And of course, it passed.

response 18 of 29:

Sep 11 04:51 UTC 1999

I'm with McNally on this - the conclusion that this is a backdoor for
the NSA is unwarranted from the evidence.  But it is interesting to
observe that if you are concerned about privacy, you might be better off
with public software instead of private software.

response 20 of 29:

Sep 12 05:41 UTC 1999

  more like "the most likely" answer, rather than the "right" answer..

response 22 of 29:

Sep 15 01:20 UTC 1999

On the other hand, I could be wrong about the Microsoft/NSA link.  Today
my windows machine popped up a little box saying:

    This program has performed an illegal operation.
    The NSA has been notified and will shut you down.

response 24 of 29:

Sep 15 03:09 UTC 1999

  Or he could be joking..