NSAKEY
=== Further technical information ===
The [[Mozilla]] page on common questions on cryptography describes how Microsoft signs CSPs:

<blockquote>
It is in fact possible under certain circumstances to obtain an export license for software invoking cryptographic functions through an API. For example, Microsoft's implementation of the [[Microsoft CryptoAPI|Microsoft Cryptographic API (CryptoAPI)]] specification was approved for export from the US, even though it implements an API by which third parties, including third parties outside the US, can add separate modules ("Cryptographic Service Providers" or CSPs) implementing cryptographic functionality. This export approval was presumably made possible because a) the CryptoAPI implementation requires third party CSPs to be digitally signed by Microsoft and rejects attempts to call CSPs not so signed; b) through this signing process Microsoft can ensure compliance with the relevant US export control regulations (e.g., they presumably would not sign a CSP developed outside the US that implements strong cryptography); and c) Microsoft's CryptoAPI implementation is available only in executable form, and thus is presumed to be reasonably resistant to user tampering to disable the CSP digital signature check.<ref>{{Cite web |url=http://www.mozilla.org/crypto-faq.html |title=Mozilla Crypto FAQ |access-date=12 April 2020 |archive-url=https://web.archive.org/web/19990422142445/http://www.mozilla.org/crypto-faq.html |archive-date=22 April 1999 |url-status=live }}</ref>
</blockquote>

According to Fernandes, it is possible to replace {{code|_NSAKEY}}. When loading a cryptographic module, the {{code|crypto_verify}} function first tries using {{code|_KEY}} to verify the module, then {{code|_NSAKEY}}. Since no cryptographic modules in Windows are signed with {{code|_NSAKEY}}, it never gets used.
Replacing it with a different key allows non-US companies to install their crypto services into Windows without Microsoft's or the NSA's approval.<ref name="Cryptonym" />
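
The following Python model is an added illustration, not code from Windows, Microsoft or Fernandes. It reproduces the two-key fallback described above with toy textbook-RSA keys and shows that an unused second trust anchor still decides what loads, so an integrity check has to cover every anchor. Only the names {{code|_KEY}}, {{code|_NSAKEY}} and {{code|crypto_verify}} come from the text; all keys, helper names and the pinned-fingerprint check are assumptions made for the example.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Textbook RSA key (n, d) from two known primes; toy-sized, unpadded."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(module, n):
    return int.from_bytes(hashlib.sha256(module).digest(), "big") % n

def sign(module, key):
    n, d = key
    return pow(digest(module, n), d, n)

def crypto_verify(module, sig, anchors):
    """Try each trust anchor in order; return the name that verifies, else None."""
    for name, n in anchors:
        if 0 < sig < n and pow(sig, E, n) == digest(module, n):
            return name
    return None

def fingerprint(anchors):
    """Hash over every anchor, including ones no shipped module uses."""
    data = ";".join(f"{name}={n:x}" for name, n in anchors)
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed keys built from Mersenne primes (not real Microsoft keys).
PRIMARY = make_key(2**61 - 1, 2**89 - 1)
FALLBACK = make_key(2**107 - 1, 2**127 - 1)
THIRD_PARTY = make_key(2**89 - 1, 2**107 - 1)

SHIPPED = [("_KEY", PRIMARY[0]), ("_NSAKEY", FALLBACK[0])]
ALTERED = [("_KEY", PRIMARY[0]), ("_NSAKEY", THIRD_PARTY[0])]
PINNED = fingerprint(SHIPPED)  # recorded at build time (assumed control)

def anchors_intact(anchors):
    return fingerprint(anchors) == PINNED

if __name__ == "__main__":
    csp = b"constructed CSP image"
    sig = sign(csp, THIRD_PARTY)
    print(crypto_verify(csp, sig, SHIPPED), anchors_intact(SHIPPED))
    print(crypto_verify(csp, sig, ALTERED), anchors_intact(ALTERED))
```

In the model, a module signed by neither shipped key is rejected until the fallback anchor differs from the shipped one, at which point only the fingerprint comparison reports the change.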