Computer Security Weekly, September 13, 1999
The base facts appear to be these. Microsoft has a cryptographic API that allows developers to produce a product, have it signed by Microsoft, and then have it accepted as a valid security program by versions of Windows. There is one primary key embedded in the Windows program. At the request of the US NSA (National Security Agency), there is a backup key, held in a file called NSAKEY.
Rampant and unproven speculation has it that the NSA supplied the NSAKEY, and that the NSA can use it to spy on computers, or to send out trojan programs that would be accepted by Windows.
The official response is that the backup key is generated and held by Microsoft (likely), and that it can be used as a backup if the original key is lost (unlikely). (By the way, the official page at Microsoft, while generally good, seems to demonstrate a very serious misunderstanding of cryptographic and security concepts in a couple of places.)
Security experts believe that the most likely use of the NSAKEY would be to repudiate and replace the primary key if the primary key were ever to be cracked, but this scenario also has problems.
Many security experts agree, however, that the NSAKEY can be replaced by another key from another source, and that this fact could possibly be used to attack the entire Windows security system.
http://cnn.com/TECH/computing/9909/03/wi... http://www.cryptonym.com/hottopics/msft-... http://www.cryptonym.com/hottopics/msft-... http://www.microsoft.com/security/bullet...
http://www.usatoday.com/life/cyber/tech/... http://www.rsa.com/rsalabs/html/factorin...
http://www.wired.com/news/print_version/... 21471.html?wnpg=all http://www.cs.georgetown.edu/~denning/cr... http://tbtf.com/archive/1999-08-16.html#... http://tbtf.com/archive/1999-08-23.html#...
Latest Articles