Microsoft Corp has dismissed as inaccurate and unfounded rumors that it provided the US National Security Agency (NSA) with a back door key to the encryption framework in its Windows operating system. The key, which was discovered by the chief cryptographer of a Canadian software firm on Friday, would enable the agency to read private e-mails and documents within all post-1995 versions of the Windows OS.
Andrew Fernandes, chief scientist at the Cryptonym Corporation in Ontario, said he found the key, which gives back door access to Windows 9X, Windows NT and Windows 2000, while investigating NT4 security breaches. The company published the security hole on its web site Friday.
While dissecting release 5.0 of the service pack for NT 4, Fernandes said he discovered symbolic information about an encryption key labeled NSA key, which would enable the agency to read confidential communications in any version of the Windows OS after 1995. Fernandes said the findings prove what security specialists have long believed, namely that two types of Windows keys exist, one held by Microsoft and one by another, third-party organization.
But Microsoft denied the claims. “This report is inaccurate and unfounded,” said spokesperson Jim Cullinan. “The key in question is a Microsoft key. It is maintained and safeguarded by Microsoft, and we have not shared this key with the NSA or any other party.”
Microsoft said the key is labeled NSA key because NSA is the technical review authority for US export controls, and the key ensures compliance with US export laws.
Cullinan added that the speculation was ironic since Microsoft has consistently opposed the various key escrow proposals suggested by the government because “we don’t believe they are good for consumers, the industry or national security.”
Microsoft provides encryption to Windows applications via the Microsoft CryptoAPI, which allows applications to take advantage of the security provided by cryptographic services from independent software vendors. Microsoft says it only possesses the key which certifies the encryption tool kits.
However, in a statement published on Cryptonym’s web site, Fernandes said the NSA key would enable the agency to securely load CryptoAPI services on a user’s machine without his or her authorization. “The result is that it is tremendously easier for the NSA to load authorization security services on all copies of Microsoft Windows,” he said, “and once these security services are loaded, they can effectively compromise your entire operating system.”
The publication of the security flaw on Friday fuelled a wave of speculation over the weekend. Despite Microsoft’s denials, security experts said it would be easy for the firm to modify its software at the NSA’s request without product managers finding out.
They were also keen to point out the NSA’s history of rigging software in order to gain access to confidential data. According to an article in the UK’s Observer newspaper, in the 1970s, the agency had de-encryption software inserted into systems sold to Swiss software manufacturer Crypto AG, to enable it to read coded diplomatic and military traffic from 130 countries. And in Lotus Corp’s products imported to Sweden, the NSA’s so-called help information trapdoor was found to have compromised confidential mail of Swedish MPs and tax office staff.