Andrew Fernandes, chief scientist with Cryptonym, a Canadian software and consulting firm with offices in North Carolina, said he has discovered a way to replace one of the cryptographic keys used as part of Windows' security system, thus compromising it.
Fernandes said the flaw not only allows hackers to alter the OS but could also be used to strengthen Windows security in violation of U.S. export laws.
Scott Culp, product manager for Windows security, confirmed today that there are two keys, but he said the second one is there solely for backup and does not pose a security risk.
Windows uses cryptography to authenticate the validity of certain software components, such as software drivers, and to keep intruders from gaining control of key subsystems. It also ensures that any software program or component loaded onto a computer does not violate export rules. U.S. law forbids the exportation of cryptography that is stronger than 56-bits, although stronger encryption is allowed within the United States.
Fernandes said he discovered that Microsoft uses two keys, instead of one, and that software code in Windows NT Service Pack 5 identifies the second key as "NSAKEY." Microsoft would normally remove that kind of designation, said Fernandes.
Fernandes said the name indicates the second key is somehow linked to the National Security Agency, but Microsoft and at least one other security expert questioned his conclusion.
"We checked some older files going back to 1998 and found the NSA markings," said Richard Smith, president of Phar Lap Software. "NSA could be an abbreviation for anything, such as non-standard authentication."
In a faxed statement, the NSA said: "U.S. export control regulations require that cryptographic APIs [of which the key is one element] be signed. The implementation of this requirement is left up to the company." API stands for application programming interface.
Microsoft's Culp said that "as part of the crypto licensing process, CryptoAPI was reviewed by the NSA. We presented the crypto architecture to the NSA, including the backup key, and they approved that."
"We don't share the keys"
The second key has been present since the introduction of the CryptoAPI and was not requested by the NSA, said Culp. He added that Microsoft, not the NSA, wrote the key. "We don't share the keys with any public agencies."
The broader issue is Fernandes's claim he has found a way to replace the second key with one of his own, essentially breaking the integrity of Windows' security.
The keys are important because they can be used to create Cryptographic Service Providers, special code used for encryption. Microsoft typically authenticates CSPs after a software developer demonstrates that the U.S. Commerce Department has approved its software code for export.
If a hacker could write his own CSP and use it without being authenticated by Microsoft's cryptography key, he or she could make serious changes to Windows, such as strengthening security beyond 56 bits or subverting the computer and the corporate network it is attached to.
The problem for Microsoft is the second key, said Fernandes. Windows will fail to operate if the first key is replaced. But replacing the second key would not cause Windows to shut down.
"Then suppose I load my own service provider," explained Fernandes. "It will try to load that and fail, then it will try to load the second key, which is my own. I can introduce a service provider that Microsoft hasn't signed, but the whole cryptographic protection, [the] infrastructure is still in place."
Fernandes can then write software programs with his own CSPs that Windows would authenticate and install, bypassing a certain level of security. The weakness affects Windows 95, 98, NT, and 2000, he said.
Culp did not deny someone could replace the second key, but dismissed the significance. "If he wants to run his own crypto program under Windows NT, there is a far simpler way to do it--write a higher level software program.
"No, it does not compromise the security," Culp said.
Security experts could not readily verify Fernandes's claims, because they did not have access to his source code. However, Ian Goldberg, chief scientist with Zero-Knowledge Systems, said he had reviewed Fernandes's work and agreed that the second key exists and Fernandes can replace it.
"Whoever put it there, it is a back door," said Goldberg, "Whoever owns that key has the ability to create CSPs." In addition, "There are three keys in Windows 2000, and no one knows who that [third] one belongs to."
"There is a third key in Windows 2000, but that is just for testing," said Culp of Microsoft. "We don't want to use a live production key for testing CSPs, because when all our testing is done, we want them to go away."
Culp said the third key would not be included in the shipping version of Windows 2000.