95 (and its predecessors). The discovery comes close on the heels of the revelations earlier this year that another US software giant, Lotus, had built an NSA "help information" trapdoor into its Notes system, and that security functions on other software systems had been deliberately crippled.

The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago when a second research er rediscovered the access system. With it, he found the evidence linking it to NSA.

Computer security specialists have been aware for two years that unusual features are contained inside a standard Windows software "driver" used for security and encryption functions. The driver, called ADVAPI.DLL, enables and controls a range of security functions. If you use Windows, you will find it in the C:Windowssystem directory of your computer.

ADVAPI.DLL works closely with Microsoft Internet Explorer, but will only run crypographic functions that the US governments allows Microsoft to export. That information is bad enough news, from a European point of view. Now, it turns out that ADVAPI will run special programmes inserted and controlled by NSA. As yet, no one knows what these programmes are, or what they do.

Dr Nicko van Someren reported at last year's Crypto 98 conference that he had disassembled the ADVADPI driver. He found it contained two different keys. One was used by Microsoft to control the cryptographic functions enabled in Windows, in compliance with US export regulations. But the reason for building in a second key, or who owned it, remained a mystery.

A second key Two weeks ago, a US security company came up with conclusive evidence that the second key belongs to NSA. Like Dr van Someren, Andrew Fernandez, chief scientist with Cryptonym of Morrisville, North Carolina, had been probing the presence and significance of the two keys. Then he checked the latest Service Pack release for Windows NT4, Service Pack 5. He found that Microsoft's developers had failed to remove or "strip" the debugging symbols used to test this software before they released it. Inside the code were the labels for the two keys. One was called "KEY". The other was called "NSAKEY".

Fernandes reported his re-discovery of the two CAPI keys, and their secret meaning, to "Advances in Cryptology, Crypto'99" conference held in Santa Barbara. According to those present at the conference, Windows developers attending the conference did not deny that the "NSA" key was built into their software. But they refused to talk about what the key did, or why it had been put there without users' knowledge.

A third key?!

But according to two witnesses attending the conference, even Microsoft's top crypto programmers were astonished to learn that the version of ADVAPI.DLL shipping with Windows 2000 contains not two, but three keys. Brian LaMachia, head of CAPI development at Microsoft was "stunned" to learn of these discoveries, by outsiders. The latest discovery by Dr van Someren is based on advanced search methods which test and report on the "entropy" of programming code.

Within the Microsoft organisation, access to Windows source code is said to be highly compartmentalized, making it easy for modifications to be inserted without the knowledge of even the respective product managers.

Researchers are divided about whether the NSA key could be intended to let US government users of Windows run classified cryptosystems on their machines or whether it is intended to open up anyone's and everyone's Windows computer to intelligence gathering techniques deployed by NSA's burgeoning corps of "information warriors".

According to Fernandez of Cryptonym, the result of having the secret key inside your Windows operating system "is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system".

The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards. "For non American IT managers relying on Windows NT to operate highly secure data centres, this find is worrying", he added. "The US government is currently making it as difficult as possible for "strong" crypto to be used outside of the US. That they have also installed a cryptographic back door in the world's most abundant operating system should send a strong message to foreign IT managers".

"How is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft has a 'back door' for NSA - making it orders of magnitude easier for the US government to access your computer?" he asked.

Can the loophole be turned round against the snoopers?

Dr van Someren feels that the primary purpose of the NSA key inside Windows may be for legitimate US government use. But he says that there cannot be a legitimate explanation for the third key in Windows 2000 CAPI."It looks more fishy", he said.

Fernandez believes that NSA's built in loophole can be turned round against the snoopers. The NSA key inside CAPI can be replaced by your own key, and used to sign cryptographic security modules from overseas or unauthorised third parties, unapproved by Microsoft or the NSA. This is exactly what the US government has been trying to prevent. A demonstration "how to do it" program that replaces the NSA key can be found on Cryptonym's website.

According to one leading US cryptographer, the IT world should be thankful that the subversion of Windows by NSA has come to light before the arrival of CPUs that handles encrypted instruction sets. These would make the type of discoveries made this month impossible. "Had the next generation CPU's with encrypted instruction sets already been deployed, we would have never found out about NSAKEY."

Only NSA can listen, so that's OK

Also see:

Export version of Lotus Notes provides trapdoor for NSA. http://www.heise.de/tp/english/inhalt/te/2898/1.html

Duncan Campbell

01.06.1999

Giant US software manufacturer Lotus has been lowering the profile of information about how they have installed an NSA-only trapdoor into e-mail and conference systems used by many European governments, including the German Ministry of Defence, the French Ministry of Education and Research and the Ministry of Education in Latvia.

Last week in Brussels, Lotus staged a lavish "Global Government Forum" to try and gain more government customers for its software. They succeeded in striking a new 500,000 user deal with the Russian Ministry of Higher and Professional Education for the development of a new information infrastructure for the Russian education system. Yet another conference, Lotus Eurosphere '99, will be held in Berlin in October.

Lotus claims that its systems are inherently more secure than those from its main rival, Microsoft. However, although details of how the NSA trapdoor works can still be found in some corners of the web (see [External Link] IBM Redbook, Page 80), the key technical papers and press releases which reveal how Lotus worked with NSA to build a special trapdoor into the International Edition of Lotus Notes have disappeared from the web.

Visitors to the security pages on Lotus's [External Link] website are now told that the export version of Lotus Notes uses "a system approved by the US government called "Workgroup Differential" and "encrypt(s) information using 64 bit keys".

The name "Workgroup Differential" is meaningless. The correct title is "Differential Workfactor Cryptography". The "differential workfactor" means that the US National Security Agency can break the code on Lotus Notes private messages 16 million times faster than anyone else.

How "Differential Workfactor Cryptography" works was revealed by Lotus itself three years ago. Although the documents concerned have now disappeared from the web, Telepolis has obtained copies.

In a keynote speech to the RSA Data Security Conference on 17 January 1996, Ray Ozzie, President of Lotus designers Iris Associates revealed how Lotus had come to terms with American government export controls, which prohibited the export of cryptographic systems with a key length over 40 bits.

He told them that no-one regarded this as secure:

"Our customers have lost confidence in 40-bit crypto. They told us that, if we were going to continue to market 40-bit Lotus Notes overseas, we should stop marketing it as a secure system -- that we should start to call it "data scrambling" or "data masking" instead of encryption".

Lotus's answer was a system that let NSA easily read foreign users' e-mail, while improving security against other eavesdroppers. In a paper distributed to the RSA conference, Security Project Leader Charles Kaufman explained in detail how the system worked.

When sending e-mail messages, Lotus uses a 64 bit key. But in export editions, 24 bits of the key are broadcast with the message, reducing the effective key length to 40 bits. The 24 bits are encrypted using a public key created by the NSA. This is called the Workfactor Reduction Field. Only NSA can decrypt the information in the Workfactor Reduction Field. Once the key length is reduced to 40 bits, fast modern computers can break the code in seconds or minutes.

Only Americans could think that this was an advantage for the Lotus system. In 1996, Kaufman also revealed that Notes had to be weakened even further to prevent users from simply removing the NSA backdoor from being sent along with their messages. To prevent foreign users tampering with the workfactor reduction field, the International Edition of Lotus Notes will refuse to decipher any message which does not contain the correct field. To check this means that the entire key to the message has to be transmitted in the message. The recipient's software then checks that the workfactor reduction field is present and correct. The fact that the full key is sent along with the message creates the possibility of a second backdoor, reducing further.

Since these papers were presented openly, European governments have become aware of the enormous scale of communications monitoring by the NSA, and by the [Local Link] Echelon network in particular. The loophole in Lotus Notes made front page news in Sweden in November 1997. Although the company did not deny the allegation, they claimed that the American government would not "misuse" them.

Since the row in Sweden, both Lotus and RSA have removed the 1996 papers from their web sites. Another Lotus employee claimed "we haven't weakened the security of international encryption, but actually made it equal to the US security (to everyone but the NSA). We are proud of this arrangement" (our emphasis).

Only Americans could think that this was an advantage for the Lotus system. From the European perspective, the greatest threat may be economic and political espionage by NSA. With Lotus bent on increasing its markets in Europe, there must be serious questions about whether users are being told the whole truth about security.

--------------------------------------------------------------------------------