Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
TODAY'S NEWS
While Heartbleed distracts, hackers hit US universities
How Apple's billion dollar sapphire bet will pay off
US to vote on sharp increase in broadband subsidies
iPhone 6 rumor rollup for the week ending April 18
NSA spying revelations have tired out China's Huawei
Arista co-founder may have switch maker by its jewels
Apple kicks off public OS X beta testing
Open source pitfalls – and how to avoid them
AT&T's expanded 1 Gbps fiber rollout could go head to head with Google
BlackBerry Releases BES 10 Security Update to Address 'Heartbleed' Flaw
Verizon: Web apps are the security punching bag of the Internet
Cisco announces security service linked with new operations centers
Dell launches virtual storage accelerator, aims to boost SAN performance
Free OS X Mavericks now powers half of all Macs
Even the most secure cloud storage may not be so secure, study finds  
3D printing will transform these five industries
Most but not all sites have fixed Heartbleed flaw
NEC launches face-recognition protection for PCs
Hundreds of medical professionals targeted in multi-state tax scam
Super-high frequencies could one day deliver your mobile video
Americans cool with lab-grown organs, but not designer babies
IT Departments Not Losing Ground to Managed Service Providers (Yet)
Where's my gigabit Internet, anyway?
IE6: Retired but not dead yet
Enterprise who? Google says little about Apps, business cloud services in Q1 report
/

Microsoft, the National Security Agency and backdoors

Jim Reavis
Network World on Security, 09/29/99

The recent debacle with the hidden key in Microsoft NT has conclusively proven a few things:

*The specter of the National Security Agency (NSA) is pretty scary to a lot of people.

*Microsoft has had so many security snafus lately that people are automatically assuming the worst when it comes to announcements of a new vulnerability or backdoor.

*The mainstream media misses the point when reporting security news.

Andrew Fernandes, chief scientist for start-up Cryptonym, created waves when he claimed that the CryptoAPI within NT contained a second key that appeared to have some connection to the NSA. Nicko van Someren and Adi Shamir actually had discussed the presence of the second key as recently as last year.

What Fernandes was able to find out the key name by debugging symbolic data: _NSAKEY. He promptly published a report linking the NSA to the key based upon name alone, claiming that this key somehow was under NSA control. It is implausible that the NSA would permit a secret key to exist with such a nonsecret name, and in any case, the NSA would have more efficient ways to subvert NT. Microsoft has had a pretty consistent track record in opposing key escrow.

Although it does not appear to be a backdoor, the reaction from the NSA and Microsoft indicates that Fernandes was not completely off the mark. The likely answer is that the second key was part of Microsoft's compliance requirements for legal export. However, how do you know for sure that your software does not contain a backdoor?

Although only moderately publicized, in 1996 IBM struck a deal with the NSA to export 64-bit security within Lotus Notes. Twenty-four bits of the Notes key was given to the NSA. Having only 40 bits to crack essentially meant the NSA had the capability to decrypt Notes. This was not the kind of information that IBM went around announcing with front-page ads and neon lights. Many companies felt burned when they learned about this information. Notes users outside the U.S. had some political battles as a result of this, needing to convince their constituencies that their data was safe from the American secret police.

Whether you feel that a government's intervention in encryption matters is helpful to national security (I do not), there is no arguing the damage to software companies within. We are now at a point in the U.S. where there are rumblings that the Clinton administration will significantly liberalize encryption policy. It is unclear as to how far the administration will go at this point. But even if this does turn out to be the long-awaited moment of victory for U.S. software companies, this latest Microsoft/NSA controversy will certainly take some of the shine off of that victory. For even if official policies free up the security industry, will the NSA seek other means of ensuring their ability to compromise software? And even if they don't, will they be believed?

The real issue that comes out of this debacle is the realization that our markets, our technology and our security stand on the foundation of the fragile human psyche. It matters less whether Microsoft has a rational explanation of the second key and its relationship with the NSA. What matters is the confidence businesses and consumers can have in their software and the assurances they can have that no backdoors are embedded within. The power of social engineering became very apparent in this year's Melissa and ExploreZip viruses. We will all suffer if paranoia over backdoors runs rampant.

What is the answer to the problem? One could rationally argue that Microsoft is a victim here - that they were accused of secretly building a backdoor into their software by a single key name. However, this industry does not play by the rule of innocent until proven guilty. In dealing with secret agencies and closely held intellectual properties, reputations can be ruined by rumor and innuendo. Will IT managers inside and outside the U.S. be able to trust U.S. software?

One possibility to ensure trust outside of government regulations would appeal to me: Open Source software. They say seeing is believing, and even if companies limited their disclosure to key cryptographic modules, it would be better than nothing at all. Another possibility is the development of software that can snoop embedded keys and digital certificates - in effect auditing closed source software for keys and signed components. The original research by van Someren and Shamir showed that the randomness of data associated with keys actually makes it relatively easy to spot them. This approach is not perfect, nor are all backdoors associated with encryption.

The issue of trust in the integrity of commercial software to be free of government tampering has proven to be a significant issue. As software is developed in more corners of the globe, and governments seek to cope with the perceived threats of an online world, consumers will need more assurances of the purity of their software. The software industry needs to step forward and solve this problem, even if it feels that it is pandering to paranoia.

RELATED LINKS

Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. SecurityPortal.com is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at jreavis@securityportal.com.

Cryptonym

Microsoft "NSA" press release

New Windows crypto backdoor reported found
Network World, 09/03/99

Archive of Network World on Security newsletters

Network World Security Alert will keep you up to date on the latest security holes and patches, with daily updates from key vendors, security organizations and Network World reporters. See the latest dispatches from the security here.


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.