Editing NSAKEY (section)

== Microsoft's reaction ==

Microsoft denied the [[Backdoor (computing)|backdoor]] speculations on {{tt|_NSAKEY}} and said "This speculation is ironic since Microsoft has consistently opposed the various [[key escrow]] proposals suggested by the government." According to Microsoft, the key's symbol was "{{tt|_NSAKEY}}" because the NSA was the review authority for [[Export of cryptography from the United States|U.S. cryptography export controls]].<ref>{{Cite web|title=Microsoft Says Speculation About Security and NSA Is "Inaccurate and Unfounded"|url=http://www.microsoft.com/en-us/news/press/1999/sept99/rsapr.aspx|date=3 September 1999|website=News Center|publisher=[[Microsoft]]|location=Redmond, WA|url-status=dead|archive-url=https://web.archive.org/web/20121024225124/http://www.microsoft.com/en-us/news/press/1999/sept99/rsapr.aspx|archive-date=24 October 2012}}</ref><ref name="NoBackdoor"/>

Richard Purcell, Microsoft's Director of Corporate Privacy, approached Campbell after his presentation and expressed a wish to clear up the confusion and doubts about {{tt|_NSAKEY}}. Immediately after the conference, Scott Culp, of the Microsoft Security Response Center, contacted Campbell and offered to answer his questions. Their correspondence began cordially but soon became strained; Campbell apparently felt Culp was being evasive and Culp apparently felt that Campbell was hostilely repeating questions that he had already answered. On 28 April 2000, Culp stated that "we have definitely reached the end of this discussion ... [which] is rapidly spiraling into the realm of conspiracy theory".<ref>{{cite web |title=Windows NSAKEY Controversy |publisher=Rice University |url=http://www.stat.rice.edu/~dobelman/kstorm.txt}}</ref>

Microsoft claimed the third key was only in beta builds of Windows 2000 and that its purpose was for signing [[Cryptographic Service Provider]]s.<ref name="NoBackdoor">{{cite web |title=There is no "Back Door" in Windows |publisher=Microsoft |date=1999-09-07 |url=http://www.microsoft.com/technet/archive/security/news/backdoor.mspx?mfr=true |access-date=2007-01-07 |archive-url=https://web.archive.org/web/20000520001558/http://www.microsoft.com/security/bulletins/backdoor.asp |archive-date=2000-05-20}}</ref>

=== Further technical information ===

The [[Mozilla]] page on common questions on cryptography describes how Microsoft signs CSPs:
<blockquote>
It is in fact possible under certain circumstances to obtain an export license for software invoking cryptographic functions through an API. For example, Microsoft's implementation of the [[Microsoft CryptoAPI|Microsoft Cryptographic API (CryptoAPI)]] specification was approved for export from the US, even though it implements an API by which third parties, including third parties outside the US, can add separate modules ("Cryptographic Service Providers" or CSPs) implementing cryptographic functionality. This export approval was presumably made possible because a) the CryptoAPI implementation requires third party CSPs to be digitally signed by Microsoft and rejects attempts to call CSPs not so signed; b) through this signing process Microsoft can ensure compliance with the relevant US export control regulations (e.g., they presumably would not sign a CSP developed outside the US that implements strong cryptography); and c) Microsoft's CryptoAPI implementation is available only in executable form, and thus is presumed to be reasonably resistant to user tampering to disable the CSP digital signature check.<ref>{{Cite web |url=http://www.mozilla.org/crypto-faq.html |title=Mozilla Crypto FAQ |access-date=12 April 2020 |archive-url=https://web.archive.org/web/19990422142445/http://www.mozilla.org/crypto-faq.html |archive-date=22 April 1999 |url-status=live }}</ref>
</blockquote>

According to Fernandes, it is possible to replace {{code|_NSAKEY}}. When loading a cryptographic module, the {{code|crypto_verify}} function first tries using {{code|_KEY}} to verify the module, then {{code|_NSAKEY}}. Since no cryptographic modules in Windows are signed with {{code|_NSAKEY}}, it never gets used. Replacing it with a different key allows non-US companies to install their crypto services into Windows without Microsoft's or the NSA's approval.<ref name="Cryptonym" />

=== Further speculation ===

Microsoft stated that the second key is present as a backup to guard against the possibility of losing the primary secret key. Fernandes doubts this explanation, pointing out that the generally accepted way to guard against loss of a secret key is [[secret splitting]], which would divide the key into several different parts, which would then be distributed throughout senior management. He stated that this would be far more robust than using two keys; if the second key is also lost, Microsoft would need to patch or upgrade every copy of Windows in the world, as well as every cryptographic module it had ever signed.{{cn|date=March 2024|reason=No citation from Fernandes}}

On the other hand, if Microsoft failed to think about the consequences of key loss and created a first key without using secret splitting (and did so in secure hardware which doesn't allow protection to be weakened after key generation), and the NSA pointed out this problem as part of the review process, it might explain why Microsoft weakened their scheme with a second key and why the new one was called {{tt|_NSAKEY}}. (The second key might be backed up using secret splitting, so losing both keys should not be a problem.) Another possibility is that Microsoft included a second key to be able to sign cryptographic modules outside the United States, while still complying with the BIS's EAR. If cryptographic modules were to be signed in multiple locations, using multiple keys is a reasonable approach. However, no cryptographic module has ever been found to be signed by {{tt|_NSAKEY}}, and Microsoft denies that any other certification authority exists.{{cn|date=March 2024}}

[[Bruce Schneier]] believes that the above type of concern, i.e. NSA putting a key in Windows so it can load arbitrary backdoored CSPs, is unfounded. He argues that there are easier ways of backdooring Windows that do not involve using an additional key, let alone one called "NSAKEY" in debug symbols visible to the whole company: the NSA could just ask for the main key. The crypto API is also a poor point of entry, as it requires the victim to run an NSA-supplied executable.<ref>{{cite web |title=NSA Key in Microsoft Crypto API? |first=Bruce|last=Schneier |publisher=Counterpane |date=1999-09-15 |url=http://www.schneier.com/crypto-gram-9909.html#NSAKeyinMicrosoftCryptoAPI |access-date=2007-01-07}}</ref>