Difference between revisions 123927149 and 123927151 on dewiki

< previous diff
next diff >
Benutzer:Kleiner Stampfi/NSAKEY
{{cleanup|date=December 2010}}
{{DISPLAYTITLE:_NSAKEY}}
'''_NSAKEY''' was a [[variable (computer science)|variable]] name discovered in [[Windows NT 4]] [[Windows_NT_4.0#Service_Packs|Service Pack]] 5 (which had been released unstripped of its [[Debug symbol|symbolic debugging]] data) in August 1999 by Andrew D. Fernandes of Cryptonym Corporation. That variable contained a 1024-bit [[public key]].

== Overview ==
(contracted; show full)

A second possibility is that Microsoft included a second key to be able to sign cryptographic modules outside the United States, while still complying with the BXA's EAR. If cryptographic modules were to be signed in multiple locations, using multiple keys is a reasonable approach. However, no cryptographic module has ever been found to be signed by _NSAKEY and Microsoft denies that any other certification authority exists.


A third possibility is that the _NSAKEY enables the NSA or other agencies to sign their own cryptographic modules without being required to disclose those modules to Microsoft, which would allow them to create modules in-house that implement classified algorithms. Of course this capability would also enable an agency to sign modules that could be used to undermine the security of any Windows installation.{{Citation needed|date=August 2007}}

Microsoft denied that the NSA has access to the _NSAKEY secret key. <ref>{{cite web
|url=http://articles.cnn.com/1999-09-03/tech/9909_03_windows.nsa.02_1_national-security-agency-cryptography-windows-nt4?_s=PM:TECH
|title=NSA key to Windows an open question
|date=3 September 1999
|accessdate=2011-11-20
}}</ref>

The key is still present in subsequent versions of Windows, though it has been renamed "_KEY2."{{Citation needed|date=September 2011}}

It was possible to remove the second _NSAKEY using the following (note this was for Windows software in 1999).

<blockquote>There is good news among the bad, however. It turns out that there is a flaw in the way the "crypto_verify" function is implemented. Because of the way the crypto verification occurs, users can easily eliminate or replace the NSA key from the operating system without modifying any of Microsoft's original
components. Since the NSA key is easily replaced, it means that non-US companies are free to install "strong" crypto services into Windows, without Microsoft's or the NSA's approval. Thus the NSA has effectively removed export control of "strong" crypto from Windows. A demonstration program that replaces the NSA key can be found on Cryptonym's website.<ref>{{cite web |title=Microsoft, the NSA, and You |publisher=Cryptonym |date=1999-08-31 |url=http://www.cryptonym.com/hottopics/msft-nsa/msft-nsa.html  |accessdate=2007-01-07 |archiveurl = http://web.archive.org/web/20001109204800/http://www.cryptonym.com/hottopics/msft-nsa/msft-nsa.html |archivedate = 9 November 2000}} ([[Internet Archive]] / [[Internet Archive#Wayback Machine|Wayback Machine]])</ref> </blockquote>

_NSAKEY ,_KEY2 or other _CTkeys  can be eliminated by using Linux or other [[Free and open source software|free OS]].

== CAPI Signature Public Keys as PGP Keys ==
In September 1999, an anonymous researcher reverse-engineered both the
primary key and the _NSAKEY into PGP-compatible format and published them
to the [[key server (cryptographic)|key server]]s.<ref>{{cite web |title=The reverse-engineered keys |publisher=Cypherspace |date=1999-09-06 |url=http://cypherspace.org/adam/hacks/ms-nsa-key.html |accessdate=2007-01-07}}</ref>

=== Microsoft's Primary (_KEY variable) CAPI Signature Key ===
<pre>
(contracted; show full)[[Category:Microsoft criticisms and controversies]]
[[Category:History of cryptography]]
[[Category:Conspiracy theories]]
[[Category:National Security Agency]]
[[Category:Microsoft Windows security technology]]

[[fr:NSAKEY]]
[[ru:NSAKEY]]