[5580] in cryptography@c2.net mail archive
RE: NSA key in MSFT Crypto API
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Mon Sep 13 17:56:18 1999
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@c2.net
Cc: jah@alumni.princeton.edu
Reply-To: pgut001@cs.auckland.ac.nz
X-Charge-To: pgut001
Date: Tue, 14 Sep 1999 07:07:09 (NZST)
This topic has probably just about reached its use-by date, but I recently
saw a comment by "J. Andrés Hall" <jah@alumni.princeton.edu> on how to
cripple Microsoft's own CSPs using _NSAKEY:
>Because the person possessing the private key corresponding to _NSAKEY can now
>take a trusted, signed CSP (even Microsoft's very own Enhanced CSP!),
>cripple the random number generator used to generate keys, re-sign it and
>have Windows happily load the altered CSP after checking the new signature
>against _NSAKEY. The crippled CSP would now generate keys that could be
>easily cracked using a brute-force attack that in turn tried each of the very
>limited number of different keys that the altered CSP was able to generate.
>(This may already have been done to *your* PC via Back Orifice or NuBus.
>Scary? You bet!)
This doesn't involve installing a parallel CSP signed with _NSAKEY as per
existing discussions, but simply changing a few bytes in the original
Microsoft CSP and providing a new signature along with your own _NSAKEY. This
has been touched on indirectly, but I don't think anyone's mentioned the
ability to merely castrate Microsoft's CSP a la the Netscape RNG patch, as
opposed to loading a completely new (crippled) CSP.
Peter.
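The mechanics described above, as an added simulation that is not part of the original message and is not Microsoft's CryptoAPI code: a loader that accepts a module if either of two trusted verification keys checks out, a signed "CSP" blob whose RNG width lives in a one-byte field, a few-byte patch that invalidates the vendor signature, a re-signature under the second key that the loader accepts anyway, and a brute-force recovery of a key the crippled module generated. The key material, the module layout, the RNG_BITS field and the MAC-based "use" of the generated key are all assumptions made for the simulation; the textbook RSA over fixed Mersenne primes stands in for whatever real signature scheme the loader uses.

```python
"""Simulation (not CAPI code) of patching a signed CSP's RNG and re-signing it
under a second trusted key. All key material and module layout are invented."""
import hashlib
import hmac
import secrets

# --- toy textbook RSA; fixed Mersenne primes, for the simulation only ---
E = 65537


def rsa_keypair(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def sign(priv, data):
    n, d = priv
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, d, n)


def verify(pub, data, sig):
    n, e = pub
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(sig, e, n) == h


# Two trust anchors, standing in for _KEY and _NSAKEY (hypothetical material).
MS_PUB, MS_PRIV = rsa_keypair(2**31 - 1, 2**61 - 1)
NSA_PUB, NSA_PRIV = rsa_keypair(2**89 - 1, 2**107 - 1)
TRUSTED_KEYS = (MS_PUB, NSA_PUB)


def loader_accepts(module, sig):
    """The loader loads the CSP if ANY trusted key verifies the signature."""
    return any(verify(pub, module, sig) for pub in TRUSTED_KEYS)


# --- a "CSP" module: header, a one-byte RNG width field, then "code" ---
RNG_FIELD = b"RNG_BITS="


def make_csp(bits):
    return b"MS Enhanced CSP v1 " + RNG_FIELD + bytes([bits]) + b" ...code..."


def rng_bits(module):
    return module[module.index(RNG_FIELD) + len(RNG_FIELD)]


def patch_rng(module, bits):
    """Change a few bytes: shrink the RNG width the module will use."""
    i = module.index(RNG_FIELD) + len(RNG_FIELD)
    return module[:i] + bytes([bits]) + module[i + 1:]


def generate_key(module):
    """Key generation with only rng_bits(module) bits of entropy, padded to 128."""
    return secrets.randbits(rng_bits(module)).to_bytes(16, "big")


def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def brute_force(bits, msg, tag):
    """Try every key the crippled RNG could have produced."""
    for cand in range(1 << bits):
        k = cand.to_bytes(16, "big")
        if hmac.compare_digest(mac(k, msg), tag):
            return k
    return None


def run_attack(crippled_bits=16):
    genuine = make_csp(128)
    ms_sig = sign(MS_PRIV, genuine)
    patched = patch_rng(genuine, crippled_bits)
    # Patching invalidates Microsoft's signature over the module ...
    # ... but the holder of the second key's private half simply re-signs.
    nsa_sig = sign(NSA_PRIV, patched)
    # The victim generates a key with the crippled CSP and uses it.
    key = generate_key(patched)
    msg = b"constructed sample message"          # constructed input
    recovered = brute_force(rng_bits(patched), msg, mac(key, msg))
    return {
        "genuine_accepted": loader_accepts(genuine, ms_sig),
        "patched_rejected_with_original_sig": not loader_accepts(patched, ms_sig),
        "patched_accepted_after_resign": loader_accepts(patched, nsa_sig),
        "key_recovered": recovered == key,
    }


if __name__ == "__main__":
    for k, v in run_attack().items():
        print(f"{k}: {v}")
```

Nothing in the patched module needs to be re-engineered: the loader's trust decision is "any trusted key", so one signature under the second key is all the attacker supplies, exactly as Peter notes, and a 16-bit key space falls to a loop of 65536 MAC computations.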