KEY GAFFE, OR KEY CONSPIRACY?

From Privacy Times, September 9, 1999

MICROSOFT DENIES SECRET ACCORD WITH NSA, BUT DOUBTS PERSIST
Microsoft Corp. continues to deny that it built a secret "back door" into its Windows operating system to enable the National Security Agency to read encrypted information. But some experts cast doubt on the credibility of Microsoft's explanations.
The controversy arose at the end of August when code specialist Andrew Fernandes, of a new company called Cryptonym Corp., was routinely reviewing Windows bug-fix updates. While reverse-engineering "Windows NT Service Pack 5," Fernandes discovered something Microsoft had previously disguised: a second, "mystery" key, labeled "_NSAKEY," that is used by an outside party to install security components without the user's authorization.

Fernandes' posting of his findings at www.cryptonym.com set off a worldwide debate. (His posting also showed how to disable "_NSAKEY.") The key exists in all recent versions of the Windows operating systems, including Windows 95, 98, 2000, and NT.
Microsoft adamantly denied there was any backdoor, or any collusion with NSA. The keys are only used for installing new scrambling software, said Windows NT Security Product Manager Scott Culp. He told Wired News that the key was added to signify that it had been submitted to NSA as part of the export control process and passed NSA encryption standards.
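The security point behind both Fernandes' finding and Culp's explanation is the same: a loader that accepts a cryptographic component when any one of its built-in verification keys validates the signature has one trust root per key, and whoever holds the private half of a second key can install components on its own. The following Go program is an added illustration written for this article; it is not Microsoft's code and does not reproduce CryptoAPI, whose keys were RSA rather than the Ed25519 used here. The key labels "vendor", "second" and "stranger", the sample code bytes, and the module names are constructed for the demonstration; the "one-key" loader stands in for what disabling the second key achieves.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Module is a signed crypto component as a loader would see it.
type Module struct {
	Name      string
	Code      []byte
	Signature []byte
}

// Signer holds one signing key pair. Pairs are generated fresh at run time,
// so nothing here is a real vendor or agency key (constructed for the demo).
type Signer struct {
	Label string
	priv  ed25519.PrivateKey
	pub   ed25519.PublicKey
}

func NewSigner(label string) Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Label: label, priv: priv, pub: pub}
}

// Sign produces a module whose signature covers the code bytes only.
func (s Signer) Sign(name string, code []byte) Module {
	return Module{Name: name, Code: code, Signature: ed25519.Sign(s.priv, code)}
}

// Loader accepts a module when ANY key in TrustedKeys verifies its signature.
// Each entry is therefore an independent trust root.
type Loader struct {
	TrustedKeys map[string]ed25519.PublicKey
}

// WhichKeyVerifies reports the label of the trusted key that validated the
// module, or "" if none did.
func (l Loader) WhichKeyVerifies(m Module) string {
	for label, pk := range l.TrustedKeys {
		if ed25519.Verify(pk, m.Code, m.Signature) {
			return label
		}
	}
	return ""
}

func (l Loader) Accepts(m Module) bool { return l.WhichKeyVerifies(m) != "" }

// DemoResult records what each loader does with each module.
type DemoResult struct {
	VendorAccepted         bool   // vendor-signed module, two-key loader
	SecondKeyAccepted      bool   // module signed only with the second key, two-key loader
	SecondKeyVerifier      string // which trust root let it in
	StrangerAccepted       bool   // module signed with a key in neither list
	SingleKeyAcceptsSecond bool   // same second-key module, loader trusting the vendor key only
}

// Demo builds a two-key loader (the shape the article describes) and a
// one-key loader (the shape left after the second key is disabled).
func Demo() DemoResult {
	vendor := NewSigner("vendor")
	second := NewSigner("second") // private half held by someone other than the user
	stranger := NewSigner("stranger")

	code := []byte("constructed sample: crypto provider code bytes")

	twoKey := Loader{TrustedKeys: map[string]ed25519.PublicKey{
		vendor.Label: vendor.pub,
		second.Label: second.pub,
	}}
	oneKey := Loader{TrustedKeys: map[string]ed25519.PublicKey{vendor.Label: vendor.pub}}

	fromSecond := second.Sign("provider-b", code)
	return DemoResult{
		VendorAccepted:         twoKey.Accepts(vendor.Sign("provider-a", code)),
		SecondKeyAccepted:      twoKey.Accepts(fromSecond),
		SecondKeyVerifier:      twoKey.WhichKeyVerifies(fromSecond),
		StrangerAccepted:       twoKey.Accepts(stranger.Sign("provider-c", code)),
		SingleKeyAcceptsSecond: oneKey.Accepts(fromSecond),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Running it shows the two-key loader accepting a module the vendor never signed, with "second" reported as the verifying root, while the one-key loader rejects the same module. That is the whole dispute in miniature: the argument is not about whether the second key is a valid signing key but about who holds its private half, and a verifier cannot tell the difference.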
"It is used to ensure that we and our cryptographic partners comply with United States crypto export regulations. We are the only ones who have access to it," Culp said.
According to the Washington Post, NSA issued a vague statement that it had no key-sharing agreement with Microsoft. "U.S. export control regulations require that cryptographic APIs [Application Programming Interfaces] be signed. The implementation of this requirement is left up to the company. Specific questions about specific products should be addressed to the company," NSA said in the statement.
Some observers felt that Microsoft's and NSA's denials only fueled paranoia. Fernandes pointed out that, contrary to Microsoft's explanation, there was no "NSA cryptographic standard." Others said the NSA's statement didn't sound like a "denial."
John Gilmore, a co-founder of the Electronic Freedom Foundation, suspected a link. He said that the crypto community has always wondered what exactly the deal was between NSA and Microsoft that allows the company to plug strong crypto into software that is sold worldwide. Calling Culp's response "disingenuous but not false," Gilmore said in an e-mail to Wired News, "This key was part of the quid-pro-quo that NSA extracted to issue the export license. Let's hear what the whole quid-pro-quo was and what the key is *actually* used for."
But Russ Cooper, moderator of the NTBugtraq Windows online mailing list, dismissed the conspiracy theories as nonsense. He said "NSAKEY" was a programming "variable" that signified nothing, and could have been chosen for a variety of reasons. He said the lion's share of individuals overreacting to the claims are freedom fighters and privacy advocates.

"Unfortunately they have a loud voice," he told Wired. "I don't think they are representative of the average person, the real people that populate the Net. . . . We give away all kinds of things, every day, that sacrifice our privacy. These privacy advocates, I'd put them in the category of the Michigan Militia, the Ruby Ridge folks."