Hacker News new | comments | show | ask | jobs | submitlogin
_NSAKEY (en.wikipedia.org)
254 points by basicplus2 5 months ago | hide | past | web | 109 comments | favorite

20 years on, and nobody has ever found anything signed with this "NSAKEY".

That means either the conspiracy theorists were right, but the NSA only used it for hyper targeted attacks, or Microsofts explanation was correct.

I doubt anyone will ever know.

AFAIK, NSAKEY was a mechanism where the NSA could install their own cipher suites on their Windows machines, without needing to know or trust Microsoft's signing key (and vice-versa.)

DoD and IC use Suite A algorithms, which are classified. So they needed NSAKEY, or a private build of Windows that would let them do what they wanted. I think all they could do maliciously with this key is install backdoored crypto suites on victims' computers, which would require Administrator access anyway.

Disclaimer: work at MS, this is well before my time, I have no inside knowledge.

They probably decided to rename the variable to something unfamiliar and legit sounding like _winsysdg or _realtek2100m

>20 years on, and nobody has ever found anything signed with this "NSAKEY".

Hm, wouldn't Microsoft make a proof by singing something publically with a private key?

In the scenario where NSA gave Microsoft a public key to include in the product Microsoft doesn't have the private key. That's the point-- NSA would want their own root-of-trust in the product.

I think that's the point the comment you are replying to made: if it was legitimately a microsoft key that just serves a different purpose, it would be trivial for microsoft to prove it by just signing a message or anything with the corresponding private key.

The fact that they haven't reinforces the argument that they don't own the private key (likely, the NSA does as the conspiracy goes)

Well I don't know if that would necessarily prove anything, since in this scenario, microsoft and the nsa are working closely enough together to modify one of their drivers. In that case, couldn't the point of contact at microsoft simply send the message to the nsa to have it signed, and then show it as proof that the key is owned by microsoft?

> it would be trivial for microsoft to prove it by just signing a message or anything with the corresponding private key.

It would also be trivial for Microsoft to call up the NSA and say "they're ON TO US and it looks bad to our customers, can you please sign this message?" That is, the test you suggest proves nothing-- you can't prove that only you hold a private key.

FISA orders only work one way.

> (likely, the NSA does as the conspiracy goes)

Pardon my pedantry but I think you meant conspiracy theory. Conspiracies happen all the time, and by itself the word doesn't imply anything far-fetched or unproven, just plotting to do harm.

At least someone's allowed to point it out.

Maybe next time I'll write a paragraph shrugs

Time for me to find another community.

Surely the NSA could just give MS the key to sign a message with and then generate a new key for themselves to replace it.

MS said: "the key ensures compliance with U.S. export laws"

"the conspiracy theorists were right, but the NSA only used it for hyper targeted attacks"

Why not both?

Because nobody has managed to demonstrate a possible attack in the past 20 years.

Everyone loves a good conspiracy. It distracts us from the real world of carelessness, incompetence, laziness, and lowpriorityness.

Yes because the NSA snooping in everyone's data turned out to be a conspiracy...

It did though, didn't it? Intelligence organisations worldwide execute their operations in total secrecy and have hidden agreements with international counterparts to share information on each others' citizens in a way that bypasses the laws and constitutions of their host nations. Secret plans that circumvent the law is pretty much the definition of conspiracy.

Just because they didn't need to 'circumvent the law' doesn't mean what they did was any less than subversive. Thanks to secret courts the law is whatever they want it to be.

Google prism, xkeyscore, TAO.

Using an intentionally built in Windows backdoor, it did, yes. Instead they relied on good ol' completely unencrypted traffic flowing across wires they had hooks in.

They weren't breaking your crypto to snoop on you though. Turns out the public information about you is enough to generate a pretty reliable profile of a person.

PRISM utilized entirely public info? Information regarding every phone call you've ever made, including time, recipient, length, and location are public?

The real world is far more complicated than simply carelessness, incompetence, laziness, and lowpriorityness.



If I was trying to hide my presence, I wouldn't name something after myself. $0.02

Maybe that was the incompetence you guys are talking about.

It was MS who named it, probably

Ah the old conspiracy conspiracy.

Plus there is so much problems, corruption, conflicts of interest in plain sight with little to no accountability that is laughable someone is going the extra mile to hide their steps.

If it looks and sounds like a duck then its probably a duck.

I can't see MS admitting to giving out a backdoor key. In any case it's irrelevant as you should always assume everything you don't have source to is compromised.

> everything you don't have source to is compromised.

Everything for which you haven't read, fully understood, and compiled from the source can be compromised. Just because there's source for something somewhere doesn't mean the binary you downloaded is secure.

Relevant... [1]

> Ken describes how he injected a virus into a compiler. Not only did his compiler know it was compiling the login function and inject a backdoor, but it also knew when it was compiling itself and injected the backdoor generator into the compiler it was creating. The source code for the compiler thereafter contains no evidence of either virus.


This has always impressed me, I'd love to peek the code and try to read it but I highly doubt I'd be proficient enough to understand it.

Make sure you've also read, understood and recompiled the compiler. And the compiler used to compile the compiler.

That reminds me of an answer on Quora where a compiler was infected and would insert white supremacy messages into the compiled program. And if you tried to recompile the compiler, it would inject its code into the new compiler[0].

[0]: http://www.quora.com/What-is-a-coders-worst-nightmare/answer...

Even then, assembly is too high level.


And then we get into hardware design...


Because open source projects like OpenSSL never have bugs sitting wide open for years. cough Heartbleed

Normally, I'd agree with you, but this seems a bit too on-the-nose for me. When people have to talk about a shady or immoral activity or put mentions of it in writing, they usually get very creative in finding an inconspicuous name for it.

As such, if this were really a backdoor, I'd expect it's identifiers to look maximally boring and no direct reference to the NSA given anywhere.

Well, I would think so as well, but we have at least some anecdata (N=1) in the other direction [0]:

> In doing this I discovered that the NSA public key had an organizational name of "MiniTruth", and a common name of "Big Brother". Specifically what I saw in my debugger late one night, which was spooky for a short moment was:

O=MiniTruth CN=Big Brother

[0]: http://www.cypherspace.org/adam/hacks/lotus-nsa-key.html

That was specifically a key escrow-style system, so you're right there. Lotus Notes wanted to provide strong encryption abroad, in the bad old days of ITAR. they used a hybrid of an exportable-sized key (~50 bit encryption) and a stronger, backdoored key (MiniTruth.)

They were very public about it, though. It sucked they had to water down their encryption, but that was the reality until PGP challenged ITAR head-on.

This could just as easily be a programmer stretching the metaphor as far as possible, which is not exactly an uncommon practice.

I'd wager that there's a high probability that an arbitrary engineer tasked with implementing things like this either doesn't care or is antagonistic, thereby calling the duck a duck.

Also, the name was never supposed to be known - it was due to early releases mistakenly having debug symbols included.

Conspiracy theories tend to hinge on the idea that the conspirators are simultaneously 5-dimensional chess playing lizard people from the future and, at the end of the day, dumb as a rock.

Coincidence theories tend to hinge on the idea that everyone is incompetent and that nobody could ever collude together in secret for any sort of malicious or self interested purpose.

They hinge on the idea that the greater the value of T or N, the less likely a conspiracy will remain a secret, where T is time and N is the number of conspirators. N is usually the dominate factor.

I think there are many obvious weaknesses to this line of logic. There is some merit there, but it oversimplifies the subject in the extreme.

What if it is a case of malicious compliance like Lotus Notes' backdoor someone else already has mentioned (the classic O=MiniTruth CN=Big Brother)?

Nadella has just said that he would support a "don't-call-it-a-backdoor" backdoor key for the U.S. (and I assume other) government(s):


Also, there are at least several other instances that make Microsoft highly suspicious in regards to this stuff, starting with:

- how they bought Skype not long after the NSA was promising billions of dollars (in government contracts most likely) to the company that would bypass Skype's encryption somehow

- changing Skype's architecture to be intercept-able

- Skype entering the PRISM program the moment Microsoft bought it

- some other suspicious "bugs" and design choices in regards to how Bitlocker works, including storing the encryption keys on its servers or defaulting to break-able OEM encryption. Plus the fact that you never do hear about law enforcement being thwarted by laptop encryption

- silently adding root certificates in Windows with no official documentation, some for some oppressive regimes, other for the U.S. government

- Not to mention that the first thought that came to my mind after hearing about all the hidden tracking stuff built into Windows 10 was that Windows 10 must have been designed based on a FBI/NSA wishlist.

If you've ever done anything "wrong" on your Windows 10 machine, the U.S. government will know about it, because Microsoft will know about it. At least Microsoft revealed to us that half of the government's orders to the company were secret and came with gag orders -- too bad they never really fought the government on it and ended-up supporting it with the Cloud Act.

There are probably others I missed myself or forgot about. Nadella must think of us all as idiots if he thinks we'll buy the idea that a specially-made encryption key for various governments doesn't equal a backdoor.

Where do you believe MS is storing all this tracking data you believe they are taking from every Windows 10 machine on the planet?

Doesn't this conspiracy theory stretch belief a great deal?

The NSA has built absolutely fuck off massive datacenters in multiple places in the United States. The parent is suggesting the telemetry from Windows 10 is mostly getting passed off to the NSA

That's a nice conspiracy theory, but that doesn't make it any less absurd.

Props for at least knowing the difference between a conspiracy and a conspiracy theory, though, unlike half of the internet.

^Willful ignorance.

Sorry, but if you've been reading, there's just no other explanation.

Even if this _NSAKEY thing is not to do with an actual NSA backdoor(s) into Windows, does anyone here really believe the NSA hasn't leveraged their position to suggest Microsoft (and others) give them ways to access things (or else)? If not it suggests that through software defects they have complete access anyway?

Look at Snowden’s leaks and RDRAND.

Nothing in the Snowden leaks suggests that RDRAND is backdoored.

Nothing in the Snowden leaks PROVES the RDRAND was backdoored.

Bullrun [0] definitely suggests it..

[0] https://en.wikipedia.org/wiki/Bullrun_(decryption_program)

He's probably thinking of either Dual EC DRBG, or the HTTP header they came up with to leak enough data from it to compromise it.

This is sort of circular, or tautological: “I believe in it because it’s so believable “

FWIW, I am rather skeptic. And I even have reasons: if the NSA has the power to coerce, Apple wouldn’t repeatedly gotten into fights with the US government to unlock iPhones.

Cooperating with the NSA is also clearly not in the companies’ interests. If (when) it comes out, they’d be at risk to lose a lot of business in other countries.

In any case, my usual argument about cynicism applies: spreading such theories becomes self-fulfilling, because why should MS work for the NSA/every politician take bribes/every cook spit in your food, if that’s what the people believe anyway, no matter what you actually do?

Microsoft is listed as a provider in the NSA's Prism program in Powerpoint slides released in the Snowden leak. In fact, the timeline indicates that they were the first on board.


No, they give data for specific accounts being wiretapped to the FBI. The FBI is a participant in the PRISM program.

In the case of the FBI claiming they needed Apple's help to retrieve encrypted data from an iPhone, it's reasonable to suspect that it was simply a ploy to pressure Apple into making concessions in the face of public pressure. A third party firm was quick to assist the FBI, but I doubt the technique used to bypass Apple's security on the iPhone was entirely novel. I would guess the firm was surprised the government didn't have enough resources to overcome the obstacle themselves long before anyone else. The San Bernardino shooting was a low stakes case of terrorism that may have been classified as a normal workplace shooting, and the FBI didn't have to make haste nor use all of the tools at their disposal. At the same time, the FBI's request to Apple can be considered legitimate after some hand waving because most of the FBI was probably told that it was technically impossible to crack into an iPhone because the necessary tool is classified and kept in reserve.

Also, I don't think any number of people believing to any extent that a corporation may have been compromised removes an important incentive for that corporation to maintain its integrity. For a security-conscious company, reputation and trust don't go that far so it would be safer to assume that Apple can be or has been compromised maybe even without their knowledge. That company would have to look after its own security and use custom protocols / devices. If it was forced to trust Apple, it would have to find an ingenious way to ensure that was not at all in the interest of Apple to betray them.

> if the NSA has the power to coerce, Apple wouldn’t repeatedly gotten into fights with the US government to unlock iPhones

The FBI is not the NSA.

>if the NSA has the power to coerce, Apple wouldn’t repeatedly gotten into fights with the US government to unlock iPhones.

The fights that we know about can be nothing more than a marketing stunt. They were what Apple wanted public to know; when leaks happen that Apple doesn't want public to know, Apple's "commitment to privacy" rather pales. Apple was listed as a PRISM data provider, they were accused in using their employee's message data against them. Now they also admit to looking into iCloud photos.

I'm making an educated guess rather than saying it's 100% true. As others have stated from the PRISM leaks and so on it's not like these companies are not already complicit in supplying data.

"Microsoft said that the key's symbol was '_NSAKEY' because the NSA is the technical review authority for U.S. crypography export controls, and the key ensures compliance with U.S. export laws"

Occam's Razor.

I'm trying to understand what it means - does it mean your code have to have a symbol called `_NSAKEY`? Or how does it affect compliance?

The entire signing system, of which these keys were part, was required to comply with US export controls.

In that case, why was it the backup key that was named after the NSA, and not the key that was actually used for this purpose in practice?

Have you never given your code variables tongue-in-cheek names?

Sure, but Microsoft didn't argue that it was tongue-in-cheek.

Occam's Glomar

This was Bruce Schneier's take on it at the time:


As he pointed out, Back Orifice didn't need a special key.

I remember that part of the Windows 2000 source code leaked years ago.

I'm presuming people looked at it for dubious keys.

One thing to remember is the fear that surrounded the export of cryptographic technology from the US and ITAR and all the rest of it at the time. And then there was the whole key escrow fiasco with Lotus Notes.

So just be careful viewing the incident from 2020 with the purported benefit of decades of hindsight.

Disclaimer: I’m the guy who first found it and announced it at the rump session of the Crypto conference in Santa Barbara that year...

It's only fitting that for recurring posts we have recurring comments.

Oh wow, there's an `nsagate` subdomain on `apple.com`! https://www.robtex.com/dns-lookup/nsagate.apple.com

Could be a nameserver.

Yes, it was just irony on how these things keep getting reposted.

Well, it does seem remarkable that you never hear the DOJ or Attorney General complaining loudly about how MSFT refused to decrypt something for them.

Does it have anything to do with today's Windows update and this cryptic rumbling ahead of time?


We will soon see what this Windows update is about - but I seriously doubt that there exists any relationship.

If you mean the relationship between NSA and the vulnerability, then no, there actually is: it was NSA who discovered the vulnerability and it has not been used in the wild (according to NSA themselves; source: https://twitter.com/briankrebs/status/1217082363391377408)

"we lost the backdoor key and its in the wild" constitutes the NSA "discovering" and "informing" MS.

This seems like a pretty easy conspiracy theory to prove with a debugger. Nobody has ever been able to do so!

How so? I don't think there's a controversy around the semantics of this key. What is not known is who has the private key and what they sign with it.

>Microsoft claimed the third key was only in beta builds of Windows 2000 and that its purpose was for signing Cryptographic Service Providers.

So it’s not controversial that this was utterly unexploitable without pre-existing local access?

Nobody has ever described how this purported backdoor would be used.

That's a seperate key, which doesn't seem to have an interesting name, not _NSAKEY:

> In addition, Dr. Nicko van Someren found a third key in Windows 2000, which he doubted had a legitimate purpose, and declared that "It looks more fishy".



"Van Someren has published numerous papers in the field of computer security. In 1998 he co-authored a paper[13] with Adi Shamir introducing the concept of key finding attacks. A statistical key finding attack was used by van Someren to locate the signature verification keys used by Microsoft to validate the signatures on MS-CAPI plug-ins. One of these key was later discovered to be referred to as the NSAKEY by Microsoft, sparking some controversy.[14]"



"The Microsoft Windows platform specific Cryptographic Application Programming Interface (also known variously as CryptoAPI, Microsoft Cryptography API, MS-CAPI or simply CAPI) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. It is a set of dynamically linked libraries that provides an abstraction layer which isolates programmers from the code used to encrypt the data."

===End Excerpt===

Observation: MS-CAPI -- would seem to be, prima facie, similar to Linux's OpenSSL...

I'm not entirely sure what your point is here, but the fact of the matter remains that the key that is being referred to in ryanlol's quote is not _NSAKEY.

How do you mean? The presence of a public key doesn't tell us what has been encrypted with it or if the private key has been shared with anyone. How will a debugger tell us any of that?

But if it's really the key to a backdoor, it has to be used somewhere in the code. E.g., some part of Windows had to check something signed with the key or encrypt something with it.

Windows used _NSAKEY (and another key) to check that Cryptographic Service Providers are signed. Otherwise it wouldn't allow them to be used. This was explained in the article.

Ah, apologies. I didn't catch that part.

Although, this still fails to explain the mechanism via which such Cryptographic Service Provider would land on your computer (assuming this is still supposed to be a backdoor).

Do you know how this NSAKEY backdoor is supposed to work? I don’t, nor does anyone else apparently. This should not be a difficult question to answer.

Is it not by creating whatever software you want and signing it as Microsoft software. You could essentially replace core windows components and the OS would run them without warning.

Hijack Windows Update on the infrastructure level and you're good to go, basically.

All it takes is compromising the ISP, the DNS provider or the local network admin.

As far as I understand you’re the first person to claim that windows update uses this key.

Do you have any evidence to back up this claim?

It was for crypto specifically, to enforce export controls.

That’s a pretty fucking terrible backdoor if it assumes that you already have local access.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact