[117597] in Cypherpunks

home help back first fref pref prev next nref lref last post

RE: NSA key in MSFT Crypto API

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Mon Sep 6 20:19:42 1999

From: "Phillip Hallam-Baker" <hallam@ai.mit.edu>
To: "William H. Geiger III" <whgiii@openpgp.net>
Cc: <dcsb@ai.mit.edu>,
        "\"cypherpunks@Algebra. COM\"" <cypherpunks@Algebra.COM>,
        "\"Cryptography@C2. Net\"" <cryptography@c2.net>,
        <bugtraq@securityfocus.com>
Date: Mon, 6 Sep 1999 19:48:18 -0400
Message-ID: <NDBBJIKJCLIJGNPNDOCKKEAECAAA.hallam@ai.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <199909041634.MAA25367@domains.invweb.net>
Reply-To: "Phillip Hallam-Baker" <hallam@ai.mit.edu>


>Again lets stress "If as MSFT claim" they have yet to provide any proof
>one way or the other as to what is going on. I wouldn't believe the M$
>spin doctors any more than I believe Bill Clinton didn't inhale.

Actually MSFT has pretty much ignored this. They know that the paranoids
of the net are going to do what they are going to do regardless.

Given that MSFT and the Administration are in the middle of a rather
nasty lawsuit and that the administration has made it very plain that 
1) they don't like MSFT's providing strong crypto and 2) said nasty
lawsuit is the sort of thing to expect if you do something the DoJ
dislikes, particularly if you have been stingy with campaign contributions,
given those well known public facts I can't think of a much less likely 
conspiracy theory. 

Certainly I like rather more facts at my disposal than a single variable
name before concocting a conspiracy theory, particularly one that appears
congruent to those bizare claims made by certain KGB defectors that the
rift between the USSR and China was a ruse to confuse the West.


>No, the relevant fact is regardless of what M$ is doning or not doing with
>these keys their software is insecure. It hardly matters to the end user,
>who's security has been compromised, wether the flaw was a malicious act
>or just plain incompetence. 

Says who? No other O/S has anything remotely like the CSP load mechanism.

It is true that an expert can configure UNIX to be very secure and that
WinNT is simply to big to apply the 'stripped down server' methodology
to it. But to confuse what an expert can do with the security of the
O/S is simply absurd.

The fact is that NT is the only current commercial O/S that was designed
with any sort of coherent security model.

Conspiracy theorists should note that the UNIX security guy went off to
the NSA where he was technical director.


>>The 128 bit patch is already circulating freely in Europe. The
>>significant fact of the second key is that it means that European
>>software vendors can distribute it with product - as US companies such as
>>Quicken do today.

>What 128 bit patch? All I have seen is a patch to replace the NSAKEY with
>a different key.

If you don't know that there is a 128 bit patch you don't know much about
WinNT security, or the CSPs you have been shooting off about. The 128 bit
patch causes an export copy of Windows to become 128 bit functional. That
is the 'hole' you have been dennouncing as evil incarnate.


>>Another interesting legal avenue would be for MSFT to request export
>>permission for the 128 bit patch then when it is refused take it to the
>>courts. The ITAR act quite clearly excludes technology which is freely
>>available outside the US. There would be a direct correspondence between
>>a European 128 bit patch and a US 128 bit patch. A victory on summary
>>judgement could well be possible.

>LOL!!! I think you need to re-read the export regulations. Not only is the
>above false there is explicit restrictions against the re-export of
>cryptology.

The ITAR were authorized by an act of congress, 'the ITAR act'.

I know all about the regulations themselves. The point I am making is 
that the regulations made under the act are the administration wishful
thinking. The act itself is much more restrictive. The administration 
has been acting beyond the scope of the act for years. The point
is that it is becomming difficult even for the US federal courts
to deny the fact.


		Phill


home help back first fref pref prev next nref lref last post