A backdoor into Microsoft's cryptography system has been identified by the chief scientist for a Canadian cryptography and security firm, who charges that it may be intended to grant access to data on any Windows user's system to the US National Security Agency.
Andrew Fernandes of Cryptonym in Mississauga, Ontario, has investigated Microsoft's "CryptoAPI" architecture for security flaws, and found that in WindowsNT4's Service Pack 5, the company neglected to remove annotations identifying the security components, according to a Cryptonym statement. Apparently there are two keys used by Windows, one of which belongs to Microsoft and allows the secure loading of encryption services, but the second was annotated in the code with the letters NSA. Fernandes' investigation was building on the work of encryption experts Nicko van Someren and Adi Shamir, according to the company statement.
The holder of the second key, if it is indeed the NSA (the acronym by which the National Security Agency is often referred), could easily load unauthorised security services on any copy of Microsoft Windows, according to Cryptonym.
Microsoft's Windows operating systems provide encryption to Windows applications via the Microsoft CryptoAPI (application programming interface), which allows these applications to take advantage of the security provided by cryptography services from various independent software vendors, explained Austin Hill, president of privacy software firm Zero-Knowledge Systems Inc. Only Microsoft, through the single key that was originally thought to exist, could certify cryptography toolkits.
"Microsoft's security architecture is a 'trust-me' solution," Hill said.
"I would plead with Microsoft to start taking security and privacy of their consumers seriously," Hill said. "That means open security systems reviewed by peers and experts. They can't continue with 'trust me' when clearly they haven't earned that trust."
Cryptonym's statement maintained that there is a flaw in the way the cryptography verification occurs, which means that users can eliminate or replace the NSA key without modifying Microsoft's original components. A program demonstrating this can be found on Cryptonym's website.
Fernandes could not immediately be reached in person.
A Microsoft spokesman called Cryptonym's report "completely false."
"The key in question is a Microsoft key; it's not held or shared with any party including the NSA," said Jim Cullinan of Microsoft. He added that Microsoft has continually opposed the U.S. government's key escrow proposal which aimed to give the government the ability to decipher encrypted computer data.
Cryptonym can be reached on the web at http://www.cryptonym.com, but a telephone listing could not be found in Mississauga, Ontario, where the Web site says that the company is based.
Zero-Knowledge Systems Inc. is in Montréal at +1-514-286-2636 or on the web at http://www.zeroknowledge.com.