Archive of UserLand's first discussion group, started October 5, 1998.

Re: NSA Key in Microsoft OS Security?

Author: Dennis Peterson
Posted: 9/3/1999; 12:43:16 PM
Topic: NSA Key in Microsoft OS Security?
Msg #: 10538 (In response to 10535)

It's on Wired too. Apparently this is a public key used to authenticate software components in the CryptoAPI. If the NSA has the private key (and there is no way to know, we can only trust what Microsoft says), it doesn't let them break in directly, but it may allow the NSA to replace your crypto components with weakened versions, by means of a trojan horse, without you detecting it.

The stated purpose of the key is export control. If a component is not authenticated by Microsoft, it won't run. This allows Microsoft to enforce export controls and stay out of trouble. An interesting aspect of this story is that the company who uncovered this also provided code to replace this authentication key. If you can do that, you can plug whatever strong crypto components you want into the CryptoAPI.
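
A toy model of the trust relationship the post describes, added here as an example and not code from the post, from Microsoft, or from the company it mentions: a loader accepts a component when either of two trusted public keys validates its signature, and an audit reports components that validated under the key you did not expect. The textbook-RSA keys, file names and byte strings are constructed for illustration and are not secure.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Textbook RSA key from two known primes: returns (modulus, private exponent)."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    n, d = key
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed keys built from Mersenne primes: insecure, illustration only.
KEY_PRIMARY = make_key(2**61 - 1, 2**89 - 1)    # stands in for the vendor's key
KEY_SECOND = make_key(2**107 - 1, 2**127 - 1)   # stands in for the second key
TRUSTED = {"primary": KEY_PRIMARY[0], "second": KEY_SECOND[0]}  # public moduli only

def load_component(data, sig, trusted=TRUSTED):
    """Return the name of the trusted key that validates sig, or None (refuse to load)."""
    for name, n in trusted.items():
        if verify(data, sig, n):
            return name
    return None

def audit(components, expected="primary"):
    """List components that load, but under a key other than the expected one."""
    flagged = []
    for name, (data, sig) in components.items():
        key_name = load_component(data, sig)
        if key_name is not None and key_name != expected:
            flagged.append(name)
    return flagged

# Constructed sample components (hypothetical file names and contents).
ORIGINAL = b"constructed crypto provider image"
REPLACED = b"constructed crypto provider image, weakened build"
COMPONENTS = {
    "provider_a.dll": (ORIGINAL, sign(ORIGINAL, KEY_PRIMARY)),
    "provider_b.dll": (REPLACED, sign(REPLACED, KEY_SECOND)),
    "provider_c.dll": (REPLACED, sign(ORIGINAL, KEY_PRIMARY)),  # signature does not match
}
```

The loader treats both keys as equivalent, so the only way to notice a component signed by the second key is to record which key validated it, as `audit` does.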



This page was archived on 6/13/2001; 4:52:24 PM.

© Copyright 1998-2001 UserLand Software, Inc.