Microsoft, the NSA, and You
Here is the press release; for the full details, look here.
A sample program which replaces the NSA's key is here, at the
bottom of the page.
FOR IMMEDIATE RELEASE
Microsoft Installs US Spy Agency with Windows
Research Triangle Park, NC - 31 August 1999 - Between Hotmail hacks and
browser bugs, Microsoft has a dismal track record in computer security.
Most of us accept these minor security flaws and go on with life. But
how is an IT manager to feel when they learn that in every copy of
Windows sold, Microsoft may have installed a 'back door' for the
National Security Agency (NSA - the USA's spy agency) making it orders
of magnitude easier for the US government to access their computers?
While investigating the security subsystems of WindowsNT4, Cryptonym's
Chief Scientist Andrew Fernandes discovered exactly that - a back door
for the NSA in every copy of Win95/98/NT4 and Windows2000. Building on
the work of Nicko van Someren (NCipher), and Adi Shamir (the 'S' in
'RSA'), Andrew was investigating Microsoft's "CryptoAPI" architecture
for security flaws. Since the CryptoAPI is the fundamental building
block of cryptographic security in Windows, any flaw in it would open
Windows to electronic attack.
Normally, Windows components are stripped of identifying information. If the
computer is calculating "number_of_hours = 24 * number_of_days", the only
thing a human can understand is that the computer is multiplying "a = 24 * b".
Without the symbols "number_of_hours" and "number_of_days", we may have no
idea what 'a' and 'b' stand for, or even that they calculate units of time.
In the CryptoAPI system, it was well known that Windows used special numbers
called "cryptographic public keys" to verify the integrity of a CryptoAPI
component before using that component's services. In other words, programmers
already knew that windows performed the calculation "component_validity =
crypto_verify(23479237498234...,crypto_component)", but no-one knew exactly
what the cryptographic key "23479237498234..." meant semantically.
Then came WindowsNT4's Service Pack 5. In this service release of software
from Microsoft, the company crucially forgot to remove the symbolic
information identifying the security components. It turns out that there are
really two keys used by Windows; the first belongs to Microsoft, and it allows
them to securely load CryptoAPI services; the second belongs to the NSA. That
means that the NSA can also securely load CryptoAPI services... on your
machine, and without your authorization.
The result is that it is tremendously easier for the NSA to load unauthorized
security services on all copies of Microsoft Windows, and once these security
services are loaded, they can effectively compromise your entire operating
system. For non-American IT managers relying on WinNT to operate highly secure
data centers, this find is worrying. The US government is currently making it
as difficult as possible for "strong" crypto to be used outside of the US;
that they have also installed a cryptographic back-door in the world's most
abundant operating system should send a strong message to foreign IT managers.
There is good news among the bad, however. It turns out that there is a flaw
in the way the "crypto_verify" function is implemented. Because of the way the
crypto verification occurs, users can easily eliminate or replace the NSA key
from the operating system without modifying any of Microsoft's original
components. Since the NSA key is easily replaced, it means that non-US
companies are free to install "strong" crypto services into Windows, without
Microsoft's or the NSA's approval. Thus the NSA has effectively removed export
control of "strong" crypto from Windows. A demonstration program that replaces
the NSA key can be found on Cryptonym's website.
Cryptonym: Bringing you the Next Generation of Internet Security,
using cryptography, risk management, and public key infrastructure.
Interview Contact:
Andrew Fernandes
Telephone: +1 919 469 4714
email: andrew@cryptonym.com
Fax: +1 919 469 8708
Cryptonym Corporation
1695 Lincolnshire Boulevard
Mississauga, Ontario
Canada L5E 2T2
http://www.cryptonym.com
# # #
The Full Details
These details are essentially the contents of the "Rump Session"
talk that Andrew Fernandes gave at the Crypto'99
Conference, on 15 August 1999, in Santa Barbara, California.
Note 1: many people have written us and assumed that we
"reverse engineered" Microsoft's code. This is not true; we did not
reverse engineer Microsoft code at any time. In fact, the
debugging symbols were found using standard Microsoft-purchased
programmer's tools, completely by accident, when debugging
one of our own programs.
Note 2: many reporters have stated that Andrew studied
computer science at the University of Waterloo and was a
classmate of Ian Goldberg of Zero Knowledge Systems. In
fact, Andrew studied biochemistry and mathematics at Waterloo
for his undergraduate, and mathematics at McGill for his
graduate work. He and Ian graduated in the same year, but really did
not know each other at the time.
An Overview of Microsoft's CryptoAPI
Microsoft's CryptoAPI allows independent software
vendors (ISVs) to dynamically load Cryptographic Service Providers
(CSPs) as in the following diagram:
<<text prohibits 'following diagram.'>>
This arrangement of having Windows verify the CSP
signature is what allows Microsoft to add cryptographic functionality to
Windows. They will not digitally sign a CSP unless
you first agree to abide by US export rules. Translation: Microsoft will not
allow non-US companies to add strong crypto functions to Windows.
Fortunately, the verification of the CSP's digital
signature opens up a security flaw in this picture.
Observations
Using NT4 Server, SP5 (domestic, 128-bit encryption version),
and Visual C++ 6, SP3. These same results have been found
in Win95osr2, Win98, Win98gold, WinNT4 (all versions), and Win2000
(up to and including build 2072, RC1).
Many people have emailed us to say that these debugging symbols
are actually present in NT4-Workstation, and are in the
original CD's debugging symbols! Thanks, people!
Before CSP loading in ADVAPI32.DLL
Address 0x77DF5530 -> A9 F1 CB 3F DB 97 F5 ... ... ...
Address 0x77DF55D0 -> 90 C6 5F 68 6B 9B D4 ... ... ...
After RC4 encryption using we see
A2 17 9C 98 CA => R S A 1 ... 00 01 00 01 ...
(looks like an RSA public key)
A0 15 9E 9A C8 => R S A 1 ... 00 01 00 01 ...
(looks like an RSA public key)
Looking at SP5 debugging symbols in "_CProvVerifyImage@8"
Address 0x77DF5530 <- has data tag "_KEY"
Address 0x77DF55D0 <- has data tag "_NSAKEY"
Screenshots One:
http://www.cryptonym.com/hottopics/msft-nsa/AdvApi32dll-1.gif,
Two:
http://www.cryptonym.com/hottopics/msft-nsa/AdvApi32dll-2.gif,
Three:
http://www.cryptonym.com/hottopics/msft-nsa/AdvApi32dll-3.gif,
Four:
http://www.cryptonym.com/hottopics/msft-nsa/AdvApi32dll-4.gif,
and Five:
http://www.cryptonym.com/hottopics/msft-nsa/AdvApi32dll-5.gif
showing the actual debugging information.
The Flaw
An attack:
Replace "_KEY" with your own key...
...but Windows will stop working since it cannot verify its
own security subsystem!
A better attack:
Replace "_NSAKEY" with your own key...
... Windows keeps working, since Microsoft's key is still there
stops the NSA
works because Windows tries to verify the CSP first using "_KEY",
and then silently fails over to "_NSAKEY"
The Result:
Windows CryptoAPI system still functional
the NSA is kicked out
the user can load an arbitrary CSP, not just one that Microsoft
or the NSA signed!
Implications
1. What is the purpose of "_NSAKEY"? Espionage? Or do they simply not
want to rely on Microsoft when installing their own CSPs?
2. Using RSA Data Security's (now Security Dynamics) "BSafe" toolkit
actually makes analysis of a program easier.
3. We do not need to modify the "advapi32.dll" file in order to remove
the NSA key, nor do we need special privileges on the machine.
   a. use self-modifying code
   b. needs undocumented vxd calls under Win95 and Win98
   c. needs special memory features under WinNT and Win2k
4. It is easy for any process to bypass any CSP and substitute its own.
5. Export control is effectively dead for Windows.
6. Note for Win2k - there appear to be three keys in Win2k; Microsoft's,
the NSA's, and an unknown third party's.
Thanks to Nicko van Someren for bringing this to our attention.
Removing the NSA
A sample program which replaces the NSA key with a test key, and
leaves the rest of the CryptoAPI system intact, can be
downloaded by clicking this link (to):
http://www.cryptonym.com/hottopics/msft-nsa/ReplaceNsaKey.zip
(currently only for WinNT and Win2k).
For legal reasons, source code will be provided for
free, but only be available through a Nondisclosure Agreement with
Cryptonym. You can download the NDA here. These files are provided
for demonstration purposes only, and may not be
redistributed or used for any purpose other than demonstration
without the written authorization and license of Cryptonym Corporation.
For more information, please contact:
Andrew Fernandes
email: andrew@cryptonym.com
Phone +1 919 469 4714
Fax +1 919 469 8708
Win95/98 Programmers: we could use help in porting the software
to Win95/98. If you have a strong background in
Win95/98 virtual memory management, virtual device writing, and Windows
'internals', and don't mind volunteering your time,
please contact Andrew at the addresses above!
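The fail-over behaviour described under "The Flaw", as an added toy model that is not part of the original post and is not Cryptonym's ReplaceNsaKey program: it shows why overwriting the second trust anchor goes unnoticed while the first still verifies, and how pinning the anchor set detects the change. Only the tags "_KEY" and "_NSAKEY" come from the post; the function names, the textbook RSA over Mersenne primes and the sample module bytes are constructed assumptions.

```python
# Toy model, constructed for illustration: a loader that checks a module
# signature against an ordered list of trust anchors kept in writable memory.
import hashlib

E = 65537  # public exponent

def make_key(p, q):
    """Textbook RSA from two known primes: returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def load_module(image, sig, anchors):
    """Silent fail-over as the post describes: try the first anchor, then the next."""
    for name, n in anchors:
        if verify(image, sig, n):
            return name          # name of the anchor that accepted the module
    return None                  # no anchor verified the signature

def anchors_fingerprint(anchors):
    h = hashlib.sha256()
    for name, n in anchors:
        h.update(name.encode() + b"=" + n.to_bytes(32, "big"))
    return h.hexdigest()

def load_module_pinned(image, sig, anchors, pinned):
    """Hardened variant: refuse to verify anything if the anchor set changed."""
    if anchors_fingerprint(anchors) != pinned:
        raise RuntimeError("trust anchors modified")
    return load_module(image, sig, anchors)

# Constructed keys built from Mersenne primes (far too small for real use).
M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))
PRIMARY, SECONDARY, TEST = make_key(M89, M107), make_key(M61, M127), make_key(M89, M127)

def demo():
    anchors = [("_KEY", PRIMARY[0]), ("_NSAKEY", SECONDARY[0])]
    pinned = anchors_fingerprint(anchors)        # recorded while anchors are known good
    vendor_csp, other_csp = b"vendor-signed CSP", b"third-party CSP"
    vendor_sig, test_sig = sign(vendor_csp, *PRIMARY), sign(other_csp, *TEST)
    before = load_module(other_csp, test_sig, anchors)    # rejected by both anchors
    anchors[1] = ("_NSAKEY", TEST[0])                     # second slot overwritten
    after = (load_module(vendor_csp, vendor_sig, anchors),  # still loads via _KEY
             load_module(other_csp, test_sig, anchors))     # now accepted via slot 2
    try:
        pinned_result = load_module_pinned(other_csp, test_sig, anchors, pinned)
    except RuntimeError as exc:
        pinned_result = str(exc)
    return before, after, pinned_result

if __name__ == "__main__":
    print(demo())
```

The unpinned loader never reports which anchor accepted a module, so the swapped second key is invisible to the rest of the system; the pinned variant fails closed on any change to the anchor list.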
29 responses total.
and the site works in lynx as well, in fact, i think it works *better* in lynx http://www.cryptonym.com than with a browser ...
I don't use *any* service packs with NT. How does that affect this?
re #2: It doesn't affect it a great deal, so far as anyone can tell.
The structures mentioned are in the code of both the original
release versions and the post-service pack versions. What's
*known* to be different on machines on which the latest service
packs have been installed is that a new version of the appropriate
OS component has been compiled and that it apparently was not
stripped of symbol-table information before distribution.
To my knowledge, at least, nobody has documented other changes
beyond the fixes Microsoft has announced.
re #0, 1: Having read a bit of what's going around the net about this
particular issue, I think it's wildly irresponsible to conclude
"Microsoft has installed a backdoor for the NSA" based on the
evidence known so far, which rests almost exclusively on the
existence of a second crypto key and a variable name found in
the symbol table of an OS component to which the person who has
"revealed" this alleged problem does not have source access.
Microsoft has apparently issued a statement that the second
key found in the code is a "backup" key and several uses for
such a key (such as revocation of the primary key, should it
be compromised) have been suggested.
At this point only Microsoft knows what the purpose of the
second key may be. That, in and of itself, might be a great
argument in favor of open-source operating systems, but in
the absence of further evidence it seems really dubious to
claim that Microsoft has deliberately compromised the operating
system on tens of millions of computers at the behest of the NSA.
I spent the weekend in 'Silicon Valley' and this is 'all the buzz' there. Apparently a lot of 'micro$ofty' types are rather pissed that at the same time they are cooperating with 'the government' on cryptographic issues the same 'government' is going after them for 'anti-trust' violations - thus perhaps the 'forgetting' to 'strip' the code prior to release was somewhat less than accidental at some low level. (Surely the Micro$oft top level management wouldn't be so shrewd as to 'play hardball' with 'the government'?) Interesting story, but we are too busy hashing over 6 year old Waco Wacko stuff to pay attention.
There was a New York Times article that quoted some Microsoft spokesperson as saying that the second key was in case a big natural disaster strikes Microsoft's buildings, and Microsoft loses the ability to document its own software. Hmm... ever heard of off-site backups? For that matter, if I'm understanding the press coverage of this correctly, it sounds like it's being disputed who the back door is for, rather than whether it is a backdoor. Is this correct? If so, what is the legitimate purpose for having a back door into the encryption stuff in the first place?
So the NSA can 'get in' silly. And why does Micro$oft feel it needs to 'get in' to any OS it sells in the first place? So Micro$oft has the ability to read all 'crypted' traffic of its users? There is a legitimate need for that? Is that what they are saying? So Micro$oft can read all 'secure' traffic of its users if it feels the 'need' to? Wow. All I can say is, Wow. This is 'science fiction' novel type stuff, who woulda thunk it was real world kinda thingy. Neato-keen.
http://www.wired.com/news/print_version/technology/story/21577.html?wnpg=all According to that article, Microsoft is claiming that the key is only there as certification of compliance with NSA export regulations and such.
So, the NSA can read your mail? Don't you trust them? They are your government after all, if you can't trust them, then who can you trust? You can trust your government. Yep, Just like the 80 or so DEAD at the WACO Wacko compound could, to murder them. But you are not a Waco Wacko. OK, fine. You are not a Wacko. You are a student at a major midwest university, and your date gets a bit odd, and you step out of the car with your cellphone where you call your momma to ask for help and 'boom' you are shot dead. Ooops. So sorry, you are dead. But innocent people have nothing to fear and should welcome 'big brother'. Oh, sure. Ok. no problemo by me. I am innocent, I know nothing....
I suspect that they put this in so that they could remotely disable the software. The way I understand it from reading InfoWorld, the states are soon to pass laws governing software licenses that allow software companies to disable programs if the software is being used in some non-licensed way. I think that's more likely to affect people than any BigBrother monitoring.
re #8: Wow! You've certainly convinced ME!! I AM a student at a major midwestern university (though I don't have a cell phone) and had *no idea* how dangerous it was to use Microsoft products. From now on I'll JUST SAY NO!
Re: 3 - the federal government mandated that all phone hardware be built with hooks to allow vastly expanded wiretapping capabilities, and you think that it's so far fetched that they'd do something similar with Microsoft Windows?
Linked to the cyberpunk conference. Check out our discussions of the social implications of our networked digital present (and future).
re #11: the FBI's lobbying efforts for wiretap capabilities, as odious as they may be, were hardly secret -- in fact great portions of the technology sector lobbied strongly against them. while it's certainly not impossible that the second key that has been revealed really *is* a backdoor for intelligence and law-enforcement agencies, I believe that there are other, more likely, explanations. I certainly think that it's irresponsible to be making confident-sounding pronouncements based on a convoluted chain of assumptions built upon the name of *one* variable in unknown code. The difference between our positions is due to the fact that when I apply Occam's Razor to this situation, Microsoft incompetence and/or design shortcuts seem to be the likeliest answers -- crypto systems are complicated to get right and Microsoft's been known to bungle things before. It's also possible that the key is one belonging to Microsoft but added at the behest of the Commerce Department, as some reports have suggested. On the other hand, when you apply Occam's Razor to this (or apparently any other) situation, a government conspiracy is the most likely cause. Either viewpoint could be correct, but with the evidence currently available, pretending we know what's going on is just stupid.
good thing i use linux and don't have to worry about this.
re-reading #13, it occurs to me the last part's a bit unclear..
please read the start of the penultimate paragraph as:
"On the other hand, when *you* [i.e. Mike P] apply Occam's Razor.."
anyway, whatever the origin of the second key, people who're allowing
ActiveX controls to run on their computer are practically asking for
trouble, whether the control is signed by Microsoft, by the NSA, or by
whomever.. (That's what this security issue primarily affects:
controls signed with either of the two keys are considered "safe"
because, hey, they're signed by Microsoft, and Microsoft would never
do anything bad, right?)
I recall reading that during the public comment period on the wiretapping requirement legislation backed by the FBI, they had 300 letters opposing and three in favor. And of course, it passed.
forget
I'm with McNally on this - the conclusion that this is a backdoor for the NSA is unwarranted from the evidence. But it is interesting to observe that if you are concerned about privacy, you might be better off with public software instead of private software.
Hmm... is Occam's razor that the-right-answer-is-the-simplest thing?
more like "the most likely" answer, rather than the "right" answer..
no...that's Occam's Shaving nick.
On the other hand, I could be wrong about the Microsoft/NSA link. Today
my windows machine popped up a little box saying:
This program has performed an illegal operation.
The NSA has been notified and will shut you down.
you must have run the key-replacement program. it probably changed that error text.
Or he could be joking..
Hehe.
I'm sure that NSA audited Windows security design, of course! Look at the authentication protocols for users. The LANMAN (taken from IBM) is a simple DES, easily breakable for these guys. And the usually considered secure NT-hash consists in taking the md4 hash of a null/null-terminated UNICODE string. But md4 has been officially broken by German cryptologist Dobbertin in the mid 90's -there were partial attacks quite preoccupying since 1991-. Well, did NSA have the crack of md4 at the time of the implementation of NT-hash? I have no doubts.
Since the other three walls are Swiss cheese strung over chicken wire, i don't think the NSA needs any heavy crypto-cracks to get into Windows' front door....though their machismo bureaucracy might have an emotional need for such....
I agree, but md4 cryptanalysis doesn't require heavy calculations. md4 collisions have been calculated in less than 1 hour on a standard PC, according to Dobbertin. Even if someone manages to close other backdoors, the user authentication remains flawed. I have never found another OS-password scheme susceptible to cryptanalysis (perhaps dictionary attacks, brute-force, but cryptanalysis never!!) On the other hand Microsoft programmers are incompetent enough to develop such a bogus without help of NSA. I don't know.
does anyone know where you can download the replacement cryptonym key for the nsakey? www.cryptonmy.com seems to be offline.