A backdoor into Microsoft's cryptography system has been identified by the chief scientist of a Canadian cryptography and security company, who charges that it may be intended to grant access to data on any Windows user's system to the US National Security Agency.
Andrew Fernandes of Cryptonym, in Ontario, has investigated Microsoft's "CryptoAPI" architecture for security flaws and found that in Windows NT4's Service Pack 5, the company neglected to remove annotations identifying the security components, according to a Cryptonym statement.
Apparently there are two keys used by Windows, one of which belongs to Microsoft and allows the secure loading of encryption services, but the second was annotated in the code with the letters NSA. Fernandes' investigation was building on the work of encryption experts Nicko van Someren and Adi Shamir, according to the company statement.
The holder of the second key, if it is indeed the NSA (the acronym by which the National Security Agency is often referred to), could easily load unauthorised security services on any copy of Microsoft Windows, according to Cryptonym.
Microsoft's Windows operating systems provide encryption to Windows applications via the Microsoft CryptoAPI (application programming interface), which allows these applications to take advantage of the security provided by cryptography services from various independent software vendors, explained Austin Hill, president of privacy software company Zero-Knowledge Systems. Only Microsoft, through the single key that was originally thought to exist, could certify cryptography toolkits.
"Microsoft's security architecture is a 'trust-me' solution," Hill said.
"I would plead with Microsoft to start taking the security and privacy of its consumers seriously," Hill said. "That means open security systems reviewed by peers and experts. It can't continue with 'trust me' when clearly it hasn't earned that trust."
Cryptonym's statement maintained that there is a flaw in the way the cryptography verification occurs, which means that users can eliminate or replace the NSA key without modifying Microsoft's original components. A program demonstrating this can be found on Cryptonym's Web site.
Fernandes could not immediately be reached in person.
A local Microsoft spokesperson said that Cryptonym's report was an "incorrect statement".
"The key is held by Micosoft and is not shared by any other party, including the NSA," said Tony Wilkinson, senior product manager for Windows, Microsoft Australia.
According to Wilkinson, the label attached to the code's comments mentioned NSA because "NSA is the technical review authority in the US for export control".
"We've not shared the key with the NSA, any other company or agency," Wilkinson said. "We referred to the key internally as the NSA key, because it was required for compliance with export laws."
"This does not mean it was made available to the NSA," Wilkinson stressed.