[5517] in cryptography@c2.net mail archive
Re: NSA key in MSFT Crypto API
daemon@ATHENA.MIT.EDU (Eric Murray)
Fri Sep 3 22:43:45 1999
Date: Fri, 3 Sep 1999 19:06:09 -0700
From: Eric Murray <ericm@lne.com>
To: Lucky Green <shamrock@cypherpunks.to>
Cc: Tim Dierks <tim@dierks.org>, "Cryptography@C2. Net" <cryptography@c2.net>,
bugtraq@securityfocus.com
In-Reply-To: <Pine.BSF.4.10.9909040154440.32967-100000@pakastelohi.cypherpunks.to>; from Lucky Green on Sat, Sep 04, 1999 at 01:59:01AM +0200
On Sat, Sep 04, 1999 at 01:59:01AM +0200, Lucky Green wrote:
> On Fri, 3 Sep 1999, Tim Dierks wrote:
>
> > Even if the key belongs to the NSA, I suspect that the NSA just wanted to be
> > able to load classified Crypto Service Providers into Windows and didn't
> > want to have to send said classified software to Microsoft for approval, so
> > they got the key installed so they could approve software in house.
>
> Classified crypto is done in secure hardware. Any hypothetical CSP's the
> NSA needs to install on their own machines would not contain classified
> algorithms. Hence the NSA could submit them to Microsoft for signing.
I'm not a CAPI expert, but my understanding is that there is a CSP
required even for hardware crypto. A hardware CSP would send
data and keys etc as appropriate to the crypto hardware.
This is how PKCS#11 and CDSA work.
--
Eric Murray www.lne.com/~ericm ericm at the site lne.com PGP keyid:E03F65E5
