GAFFE, OR KEY CONSPIRACY?
Privacy Times, September 9, 1999
DENIES SECRET ACCORD
WITH NSA, BUT DOUBTS PERSIST
Microsoft Corp. continues to
deny that it had built a secret "back door" into its Windows
operating system to enable the National Security Agency to read
encrypted information. But
some experts cast doubt on the credibility of Microsoft's explanations.
controversy arose at the end of August when code specialist Andrew
Fernandes, of a new company called Cryptonym Corp., was routinely
reviewing software updates for fixing bugs
in Windows. But while reverse-engineering "Windows
NT Service Pack 5," Fernandes discovered what previously had
been disguised by Microsoft:
A second, "mystery" key that is used by an outside
party to install security components without the user's authorization,
was labeled "_NSAKEY."
Fernandes' posting of his findings at www.cryptonym.com,
set off a worldwide debate. (His
posting also showed how to disable "_NSAKEY.") The key exists in all recent versions of
the Windows operating systems, including Windows 95, 98, 2000, and
Microsoft adamantly denied there was any backdoor, or any
collusion with NSA. The
keys are only used for installing new scrambling software, said
Windows NT Security Product
Manager Scott Culp. He told Wired
News that the key was added to signify that it had been submitted
to NSA as part of the export control process and passed NSA encryption
is used to ensure that we and our cryptographic partners comply
with United States crypto export regulations.
We are the only ones who have access to it," Culp said.
to the Washington Post,
NSA issued a vague statement that it had no key-sharing agreement
with Microsoft. "U.S. export control regulations require
that cryptographic APIs [Application Programming Interfaces] be
signed. The implementation of this requirement is left
up to the company. Specific
questions about specific products should be addressed to the company,"
NSA said in the statement.
observers felt that Microsoft's and NSA's denials only fueled paranoia. Fernandes pointed out that, contrary to Microsoft's
explanation, there was no "NSA cryptographic standard."
Others said the NSA's statement
didn't sound like a "denial."
Gilmore, a co-founder of the Electronic Freedom Foundation, suspected
a link. He said that the
crypto community has always wondered what exactly the deal was between
NSA and Microsoft that allows the company to plug strong crypto
into software that is sold worldwide. Calling Culp's response "disingenuous
but not false," Gilmore said in an e-mail to Wired News, "This key was part of the quid-pro-quo that NSA extracted
to issue the export license. Let's hear what the whole quid-pro-quo
was and what the key is *actually* used for."
But Russ Cooper, moderator of the NTBugtraq
Windows online mailing list, dismissed the conspiracy theories as
nonsense. He said "NSAKEY"
was a programming "variable" that signified nothing, and
could have been chosen for a variety of reasons.
He said the lion's share of individuals overreacting to the
claims are freedom fighters and privacy advocates.
"Unfortunately they have a loud voice,"
he told Wired. "I don't think they are representative
of the average person, the real people that populate the Net. .
. . We give away all kinds of things, every day,
that sacrifice our privacy. These privacy advocates, I'd put them
in the category of the Michigan Militia, the Ruby Ridge folks."