--- begin forwarded text
From: "Dan S" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>, "IP" <[EMAIL PROTECTED]>
Cc: "Allyson Smith" <[EMAIL PROTECTED]>
Subject: IP: Gates, Gerstner helped NSA snoop - US Congressman
Date: Wed, 12 Apr 2000 22:46:57 -0400
Sender: [EMAIL PROTECTED]
Reply-To: "Dan S" <[EMAIL PROTECTED]>
>From The Register,
http://www.theregister.co.uk/000412-000020.html
-
Posted 12/04/2000 5:56pm by Graham Lea
Gates, Gerstner helped NSA snoop - US Congressman
A recent report renews claims that the US National Security Agency (NSA)
secured the co-operation of IBM and Microsoft in gaining access to encrypted
data, and documentation seen by The Register gives a fuller picture of how
this may have taken place. In this congressman Curt Weldon makes the
astonishing claim that the US military was able to see Saddam Hussein's
orders before his commanders did.
According to Cryptography & Liberty 2000, published last week by the
Electronic Privacy Information Center (EPIC): "On September 28, 1999,
Congressman Curt Weldon disclosed that high level deal-making on access to
encrypted data had taken place between the NSA and IBM and Microsoft." The
Register has seen an unofficial transcript of a luncheon meeting on Capitol
Hill of the Internet Caucus Panel Discussion about the new encryption policy
that provides some elaboration.
Weldon is a senior member of the National Security Committee and chairman of
the Military Research and Development Subcommittee. This has oversight of a
$37 billion budget for all military R&D [much of it for the Pentagon's
computer systems], and arranged a series of classified hearings and
briefings from the NSA and CIA.
At the meeting Weldon bragged that: "In Desert Storm... my understanding is
that our commanders in the field had Saddam Hussein's commands before his
own command officers had them, because of our ability to intercept and break
the codes of Saddam's military. I want to make sure we have that capacity in
the future. I responded in a very positive way to the argument that was
being made by the CIA, the NSA and the DOD - and we took some every tough
positions." Although Desert Storm took place long before NT was available,
these remarks give further weight to arguments that the NSA is determined to
have back doors.
Weldon said that the deputy secretary of defense John Hamre had briefed him
that "in discussions with people like Bill Gates and Gerstner from IBM that
there would be... an unstated ability to get access to systems if we needed
it. ... if there is some kind of tacit understanding, I would like to know
what it is." Weldon's concern was that there was a need to document this
policy for future administrations, and he said he wondered why access to
systems couldn't be worked out formally with industry. "In fact, I called
Gerstner and I said, .Can't you IBM people and... software people get
together and find the middle ground, instead of us having to do
legislation.'"
Weldon continued: "I have advocated that we give significant new tax breaks
to the encryption and software industry in this country to give them more
incentive to stay in America and do their work here. ... I want to be
absolutely certain that in terms of our ability to deal with intelligence
overseas, to be able to have information dominance overseas, to be able to
use the kinds of tools that the CIA and Defense Department needs in
adversarial relationships that we are in fact providing..."
Depending on their bravado to fact ratio, Weldon's remarks could give
further legs to the allegation made last August by Andrew Fernandes of
Cryptonym. These are detailed in the USA section of the EPIC report's
country-by country review.
Fernandes suggested that Microsoft might have included a key for the US
National Security Agency in order to get approval for the export of NT.
His clue is in service pack 5 for NT4, where it at least looks as though
Microsoft forgot to remove information that identified the security
components. The CryptoAPI in NT has a second backup key, and it has been
suggested that this is in the possession of the NSA. Microsoft vigorously
denies this, claims that it holds both keys, and says that the second key
was a back-up for disaster-recovery purposes. This latter explanation would
be consistent in view of Microsoft's record of opposing key escrow, but
there are some additional nagging concerns.
One enigma is the name of the back-up key - _NSAKEY. Microsoft says that
"this is simply an unfortunate name" and that "the keys in question are the
ones that allow us to ensure compliance with the NSA's technical review" and
so became known at Microsoft as "the NSA keys". Fernandes makes several
observations, including the suggestion that root keys should be
symmetrically encrypted and cryptographically split to guard against loss -
as happens in tamper-resistant hardware. Fernandes also noted that Microsoft
has previously written poor software with the same weakness - in the
Authenticode framework, for example.
Fernandes also pointed out that there is a flaw in the way the crypto_verify
function is implemented, because the NSA key can be eliminated or replaced
easily. He produced a demonstration program to do this, which if used would
remove the possibility of the NSA having export control. Replacing this NSA
key would be commercially illegal, but if it is indeed a key owned by the
NSA, the legality outside the USA of what is being done is an open question.
There is a further possibility: it may be that the NSA did not in fact need
a key as it had its own module between Windows and the encryption, which
could of course specifically intercept just secure traffic.
Microsoft cast further doubt on its explanation when it told the Washington
Post that the _NSAKEY was "only a notation that conforms to technical
standards set by the NSA". The snag with this explanation is that the NSA
has no technical standards for publicly available cryptography, leaving
Microsoft's claim looking very shaky. It is known that in 1996, IBM agreed
with the NSA that in return for allowing Lotus Notes to be exported with
64-bit encryption, the NSA would get to have 24 of the bits, and so would
only have to crack 40 bits, which was within the NSA's capability at that
time. ®
--
Dan S.
**********************************************
To subscribe or unsubscribe, email:
[EMAIL PROTECTED]
with the message:
(un)subscribe ignition-point email@address
**********************************************
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
