The chief scientist of a Canadian cryptography and security firm has identified a backdoor into Microsoft's cryptography system. Andrew Fernandes charges that the cryptography may be intended to grant access to data on any Windows user's system to the U.S. National Security Agency.
Fernandes of Cryptonym in Mississauga, Ontario, has investigated Microsoft's "CryptoAPI" architecture for security flaws. He found that in WindowsNT4's Service Pack 5, the company neglected to remove annotations identifying the security components. Apparently there are two keys used by Windows, one of which belongs to Microsoft and allows the secure loading of encryption services. However, the second was annotated in the code with the letters NSA. Fernandes' investigation was building on the work of encryption experts Nicko van Someren and Adi Shamir, Cryptomyn says.
The holder of the second key, if it is indeed the NSA (the acronym by which the National Security Agency is often referred), could easily load unauthorized security services on any copy of Microsoft Windows, according to Cryptonym.
Microsoft's Windows operating systems provide encryption to Windows applications via the Microsoft CryptoAPI, which allows these applications to take advantage of the security provided by cryptography services from various independent software vendors, explains Austin Hill, president of privacy software firm Zero-Knowledge Systems. Only Microsoft, through the single key that was originally thought to exist, could certify cryptography toolkits.
"Microsoft's security architecture is a 'trust-me' solution," Hill says.
"I would plead with Microsoft to start taking security and privacy of their consumers seriously," Hill says. "That means open security systems reviewed by peers and experts. They can't continue with 'trust me' when clearly they haven't earned that trust."
Cryptonym's statement maintained that there is a flaw in the way the cryptography verification occurs, which means that users can eliminate or replace the NSA key without modifying Microsoft's original components. A program demonstrating this can be found on Cryptonym's Web site.
Fernandes could not be reached in person for further comment.
Microsoft could not be reached for comment.
RELATED LINKS
