_NSAKEY was a variable name discovered in Windows NT 4 Service Pack 5 (which had been released unstripped of its symbolic debugging data) in August 1999 by Andrew D. Fernandes of Cryptonym Corporation. That variable contained a 1024-bit public key.

Overview

Windows's CryptoAPI (CAPI) loads a Cryptographic Service Provider (CSP) only if the provider carries a digital signature that verifies under a public key embedded in the operating system. Since only Microsoft-approved cryptography suites can be installed or used as a component of Windows, export copies of the operating system (and of products with Windows installed) can be kept in compliance with the Export Administration Regulations (EAR), which are enforced by the US Department of Commerce Bureau of Industry and Security (BIS; until 2002 the Bureau of Export Administration, BXA).

It was already known that Microsoft used two keys, a primary and a spare, either of which can create a valid signature. When Microsoft shipped Service Pack 5 for Windows NT 4.0 it failed to strip the debugging symbols from ADVAPI32.DLL, the user-mode system library that exports the CryptoAPI functions (not a driver), and Andrew Fernandes, chief scientist at Cryptonym of Morrisville, North Carolina, found the primary key stored in a variable named _KEY and the second key in a variable named _NSAKEY.[1] Fernandes published his discovery, touching off a flurry of speculation and conspiracy theories, such as that the second key belonged to the United States National Security Agency (the NSA) and could allow the agency to subvert any Windows user's security.[citation needed]

During a presentation at the Computers, Freedom and Privacy 2000 (CFP2000) conference, Duncan Campbell, Senior Research Fellow at the Electronic Privacy Information Center (EPIC), mentioned the _NSAKEY controversy as an example of an outstanding issue related to security and surveillance.[citation needed]

In addition, Dr. Nicko van Someren found a third key in Windows 2000 which he doubted had a legitimate purpose, declaring that "It looks more fishy".[2]

Microsoft's reaction

Microsoft denied the speculation about _NSAKEY: "This report is inaccurate and unfounded. The key in question is a Microsoft key. It is maintained and safeguarded by Microsoft, and we have not shared this key with the NSA or any other party."[3] Microsoft said that the key's symbol was "_NSAKEY" because the NSA is the technical review authority for U.S. export controls, and the key ensures compliance with U.S. export laws.[4]

Richard Purcell, Microsoft’s Director of Corporate Privacy, approached Campbell after his presentation and expressed a wish to clear up the confusion and doubts about _NSAKEY. Immediately after the conference, Scott Culp, of the Microsoft Security Response Center, contacted Campbell and offered to answer his questions. Their correspondence began cordially but soon became strained; Campbell apparently felt Culp was being evasive and Culp apparently felt that Campbell was hostilely repeating questions that he had already answered. On 28 April 2000, Culp stated that "we have definitely reached the end of this discussion ... [which] is rapidly spiraling into the realm of conspiracy theory"[5] and Campbell's further inquiries went unanswered.

As for the third key, Microsoft said that it appeared only in beta builds of Windows 2000 and that its purpose was to sign Cryptographic Service Providers.[4]

Explanations from other sources

Some in the software industry question whether the BXA's EAR has specific requirements for backup keys.[citation needed] However, none claim the legal or technical expertise needed to discuss that document authoritatively. The following theories have been presented.

Microsoft stated that the second key is present as a backup to guard against the possibility of losing the primary secret key. Fernandes doubts this explanation, pointing out that the generally accepted way to guard against loss of a secret key is secret splitting, which divides the key into several parts that are then distributed among senior management, so that no single loss destroys the key.[6] He stated that this would be far more robust than using two keys: if the second key were also lost, Microsoft would need to patch or upgrade every copy of Windows in the world, as well as every cryptographic module it had ever signed.

On the other hand, if Microsoft did not think through the consequences of key loss and generated the first key without secret splitting, doing so in secure hardware that does not allow the key's protection to be weakened after generation, and the NSA pointed out this problem during the export review, that might explain both why Microsoft weakened its scheme with a second key and why the new key was called _NSAKEY. (The second key might itself be backed up using secret splitting, so losing both keys need not be a problem.)
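The secret splitting that the two paragraphs above contrast with a second embedded key is easy to show concretely. The following Go program is an added illustration, not code from Microsoft, Cryptonym or any source cited here; it implements the threshold form of splitting (Shamir's scheme over a prime field, an assumption, since the text does not say which splitting method was meant) and uses a constructed 256-bit value as the stand-in for the signing key being backed up. A 3-of-5 split lets any three custodians recover the key while two custodians, or two lost shares, neither reveal nor destroy it; that is the property a second verification key in the binary does not give.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Constructed 256-bit secret standing in for the signing key being backed up.
const sampleSecretHex = "9f3c1a7e5b2d4c6a8e0f1b3d5a7c9e2b4d6f8a0c1e3b5d7f9a2c4e6b8d0f1a3c"

// Field prime 2^521 - 1; any secret below it fits in a single field element.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// share is one custodian's piece: the point x and the polynomial value f(x).
type share struct {
	X int64
	Y *big.Int
}

// split issues n shares of secret such that any k of them reconstruct it
// and any k-1 reveal nothing (Shamir's scheme over GF(prime)).
func split(secret *big.Int, k, n int) ([]share, error) {
	if k < 1 || n < k || secret.Sign() < 0 || secret.Cmp(prime) >= 0 {
		return nil, fmt.Errorf("split: need 1 <= k <= n and 0 <= secret < prime")
	}
	// Random polynomial of degree k-1 whose constant term is the secret.
	coef := make([]*big.Int, k)
	coef[0] = new(big.Int).Set(secret)
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coef[i] = c
	}
	shares := make([]share, n)
	for i := range shares {
		x := big.NewInt(int64(i + 1)) // never evaluate at 0: f(0) is the secret
		y := new(big.Int)
		for j := k - 1; j >= 0; j-- { // Horner's rule mod prime
			y.Mul(y, x).Add(y, coef[j]).Mod(y, prime)
		}
		shares[i] = share{X: int64(i + 1), Y: y}
	}
	return shares, nil
}

// reconstruct evaluates the Lagrange interpolation of the given shares at
// x = 0. With at least k distinct shares this is the secret; with fewer it
// is an unrelated field element.
func reconstruct(shares []share) *big.Int {
	sum := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		xi := big.NewInt(si.X)
		for j, sj := range shares {
			if i == j {
				continue
			}
			xj := big.NewInt(sj.X)
			num.Mul(num, new(big.Int).Neg(xj)).Mod(num, prime)     // (0 - xj)
			den.Mul(den, new(big.Int).Sub(xi, xj)).Mod(den, prime) // (xi - xj)
		}
		term := new(big.Int).ModInverse(den, prime)
		term.Mul(term, num).Mod(term, prime).Mul(term, si.Y).Mod(term, prime)
		sum.Add(sum, term).Mod(sum, prime)
	}
	return sum
}

func main() {
	secret, _ := new(big.Int).SetString(sampleSecretHex, 16)
	shares, err := split(secret, 3, 5) // 3-of-5 among five custodians
	if err != nil {
		panic(err)
	}
	fmt.Println("3 shares recover the secret:", reconstruct(shares[1:4]).Cmp(secret) == 0)
	fmt.Println("2 shares recover the secret:", reconstruct(shares[:2]).Cmp(secret) == 0)
}
```

A real deployment would split the private key itself (or the passphrase protecting it) and hand each share to a different officer, so that the public key in the binary never needs to change; losing a share below the threshold costs nothing, and compromising fewer than k shares yields nothing.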

A second possibility is that Microsoft included a second key so that it could sign cryptographic modules outside the United States while still complying with the BXA's EAR. If cryptographic modules were to be signed in multiple locations, using multiple keys is a reasonable approach. However, no cryptographic module has ever been found to be signed by _NSAKEY, and Microsoft denies that any other certification authority exists.

Microsoft denied that the NSA has access to the _NSAKEY secret key.[7]

Fernandes also described how the second key could be removed or replaced (this applied to Windows as shipped in 1999):

There is good news among the bad, however. It turns out that there is a flaw in the way the "crypto_verify" function is implemented. Because of the way the crypto verification occurs, users can easily eliminate or replace the NSA key from the operating system without modifying any of Microsoft's original components. Since the NSA key is easily replaced, it means that non-US companies are free to install "strong" crypto services into Windows, without Microsoft's or the NSA's approval. Thus the NSA has effectively removed export control of "strong" crypto from Windows. A demonstration program that replaces the NSA key can be found on Cryptonym's website.[8]
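The weakness Fernandes describes above, and the "either key can create valid signatures" rule from the overview, come down to a verifier whose trust anchors are ordinary data in the same image it protects. The following Go program is an added illustration, not code from Microsoft, Cryptonym or any source cited here; it models the CSP signature check with a two-entry key table, then replays the replacement: an outsider who holds neither vendor private key overwrites the second slot with their own public key and signs their own module, and the check passes. The RSA key sizes, the SHA-256/PKCS#1 v1.5 signature scheme, the module bytes and the pinned variant are all assumptions for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// sampleCSP is a constructed stand-in for a Cryptographic Service Provider
// image. Real CSPs are DLLs, but the signature check only sees bytes.
var sampleCSP = []byte("constructed CSP image: strong-crypto provider built outside the US")

// keyTable mimics the two embedded verification keys (_KEY and _NSAKEY) as
// plain, patchable data, which is how they sat in ADVAPI32.DLL.
type keyTable []*rsa.PublicKey

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // the page's keys were 1024-bit
	if err != nil {
		panic(err)
	}
	return k
}

// signCSP signs the SHA-256 digest of a module (assumed scheme).
func signCSP(priv *rsa.PrivateKey, module []byte) ([]byte, error) {
	h := sha256.Sum256(module)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// verifyCSP accepts the module if ANY key in the table verifies the signature.
func verifyCSP(keys keyTable, module, sig []byte) bool {
	h := sha256.Sum256(module)
	for _, pub := range keys {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil {
			return true
		}
	}
	return false
}

// fingerprint hashes the DER encoding of a public key.
func fingerprint(pub *rsa.PublicKey) [32]byte {
	return sha256.Sum256(x509.MarshalPKCS1PublicKey(pub))
}

// verifyCSPPinned consults only table entries whose fingerprint is in pins.
// pins stands for a trust anchor the attacker cannot rewrite; if it lives in
// the same patchable image as the table, it adds nothing.
func verifyCSPPinned(keys keyTable, pins map[[32]byte]bool, module, sig []byte) bool {
	h := sha256.Sum256(module)
	for _, pub := range keys {
		if pins[fingerprint(pub)] && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil {
			return true
		}
	}
	return false
}

// Outcome records the three verification results of the replay.
type Outcome struct {
	Unpatched, AfterSwap, AfterSwapPinned bool
}

// runScenario replays the key-replacement trick against both verifiers.
func runScenario() (Outcome, error) {
	var out Outcome
	primary, spare, outsider := newKey(), newKey(), newKey()
	table := keyTable{&primary.PublicKey, &spare.PublicKey}
	pins := map[[32]byte]bool{
		fingerprint(&primary.PublicKey): true,
		fingerprint(&spare.PublicKey):   true,
	}
	sig, err := signCSP(outsider, sampleCSP) // outsider holds neither vendor key
	if err != nil {
		return out, err
	}
	out.Unpatched = verifyCSP(table, sampleCSP, sig) // false: only vendor keys are trusted

	table[1] = &outsider.PublicKey // patch the second (_NSAKEY) slot in place
	out.AfterSwap = verifyCSP(table, sampleCSP, sig)                   // true
	out.AfterSwapPinned = verifyCSPPinned(table, pins, sampleCSP, sig) // false
	return out, nil
}

func main() {
	out, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unpatched=%v afterSwap=%v afterSwapPinned=%v\n",
		out.Unpatched, out.AfterSwap, out.AfterSwapPinned)
}
```

The pinned variant only helps if the pin set is anchored somewhere the same patch cannot reach (firmware-measured code, a hardware root of trust, or a signed and verified loader); a pin stored beside the key table is just a second thing to overwrite. The point the quoted passage makes is the converse: because the table was patchable, the export-control gate was enforced by nothing stronger than a file edit.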

CAPI Signature Public Keys as PGP Keys

In September 1999, an anonymous researcher extracted both the primary key and _NSAKEY from the binary, re-encoded them as PGP-format public keys, and published them to the key servers.[9] The key IDs below are those of the re-encoded PGP keys, and the user IDs were chosen by whoever uploaded them; a PGP user ID is free-form text and carries no attribution from Microsoft or anyone else.

Microsoft's Primary (_KEY variable) CAPI Signature Key

 Type Bits/KeyID Date User ID
 pub 1024/346B5095 1999/09/06 Microsoft's CAPI key <postmaster@microsoft.com>
 Version: 2.6.3i

Microsoft's Secondary (_NSAKEY variable, now _KEY2) CAPI Signature Key

 Type Bits/KeyID Date User ID
 pub 1024/51682D1F 1999/09/06 NSA's Microsoft CAPI key <postmaster@nsa.gov>
 Version: 2.6.3i


References

  1. "Microsoft, the NSA, and You". Cryptonym. 1999-08-31. Archived from the original on 2000-06-17. http://web.archive.org/web/20000617094917/http://www.cryptonym.com/hottopics/msft-nsa/msft-nsa.html. Retrieved 2007-01-07. (Internet Archive / Wayback Machine)
  2. "How NSA access was built into Windows". Heise. 1999-09-04. http://www.heise.de/tp/r4/artikel/5/5263/1.html. Retrieved 2007-01-07.
  3. "Microsoft Says Speculation About Security and NSA Is 'Inaccurate and Unfounded'" (Press release). Microsoft Corp. 1999-09-03. http://www.microsoft.com/presspass/press/1999/sept99/rsapr.mspx. Retrieved 2006-11-09.
  4. "There is no 'Back Door' in Windows". Microsoft. 1999-09-07. Archived from the original on 2000-05-20. http://web.archive.org/web/20000520001558/http://www.microsoft.com/security/bulletins/backdoor.asp. Retrieved 2007-01-07.
  5. "The Culp-Campbell correspondence (Microsoft Stonewalls _NSAkey Questions)". Cryptome. 2000-05-25. http://cryptome.org/nsakey-ms-dc.htm. Retrieved 2006-11-27.
  6. "Analysis by Bruce Schneier". Counterpane. 1999-09-15. http://www.schneier.com/crypto-gram-9909.html#NSAKeyinMicrosoftCryptoAPI. Retrieved 2007-01-07.
  7. "NSA key to Windows an open question". CNN. 1999-09-03. http://articles.cnn.com/1999-09-03/tech/9909_03_windows.nsa.02_1_national-security-agency-cryptography-windows-nt4?_s=PM:TECH. Retrieved 2011-11-20.
  8. "Microsoft, the NSA, and You". Cryptonym. 1999-08-31. Archived from the original on 2000-11-09. http://web.archive.org/web/20001109204800/http://www.cryptonym.com/hottopics/msft-nsa/msft-nsa.html. Retrieved 2007-01-07. (Internet Archive / Wayback Machine)
  9. "The reverse-engineered keys". Cypherspace. 1999-09-06. http://cypherspace.org/adam/hacks/ms-nsa-key.html. Retrieved 2007-01-07.

