MS denies giving American NSA key

The latest crypto alert: Microsoft may be in league with the US National Security Agency.
Written by Lisa M. Bowman, Contributor

Microsoft is denying claims by a Canadian security company that it has installed a second key in its Windows programs in order to give the US government access to users' computers.

Instead, it said it's only following the rules imposed by the US to allow software exports.

Andrew Fernandes, the chief scientist of Cryptonym, had claimed that a second key found in several versions of Microsoft's Windows operating system is labelled in the code with the letters "NSA", which he said indicated that Microsoft may be providing a key for the National Security Agency.

But Microsoft said it's not, and calls the incident a "tempest in a teapot".

Instead, Windows NT security product manager Scott Culp said the company was merely complying with federal rules imposed by the US Commerce Department and NSA to meet export control requirements. Culp said the keys have been used for years to verify the digital signatures of partner companies' modules that plug into its crypto application programming interface (API), and to verify that those modules are export approved. "They're in there because that's how we comply with export controls that the NSA is overseeing," he said.

But he acknowledges the term "NSA" key could arouse suspicion. "It's a really bad name," he said. "I think we're going to rename it after today." The keys are in every copy of Windows 95, 98, NT4 and 2000. The owner of such keys could potentially infiltrate software by using them to go through a so-called "back door" in the software. Because the US government limits the export of strong encryption software, some software makers provide such keys to the government. But Microsoft said it's doing no such thing. "It's totally against our corporate policy," Culp said.

The NSA faxed a statement deferring specific questions to Microsoft.

Fernandes started his work last year, after two software developers discovered the presence of a second key, but said they didn't know why it was created. Fernandes piggy-backed on that research to learn more about the second key.

The good news, Fernandes said, is that companies can use a security flaw in the NSA key to add their own strong encryption, in effect overriding the key. More information is at the Cryptonym site. However, even Fernandes said he didn't know for sure if the NSA coding in Windows really refers to the government agency. "I'm in the security business, and the security business is the business of paranoia," he said.
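An added model of the trust logic described above (my example, not Microsoft's or Cryptonym's code): a loader holding two root keys accepts a module signed by either one, so if the second root sits where it can be rewritten, whoever rewrites it becomes a trusted signer, which is the override Fernandes describes, and comparing the live roots against pinned copies is the check that notices it. Ed25519 keys derived from fixed, constructed seeds stand in for the real keys.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
)

// Loader accepts a module when its signature verifies under ANY of its trusted roots.
type Loader struct{ Roots []ed25519.PublicKey }

func (l Loader) Accept(module, sig []byte) bool {
	for _, root := range l.Roots {
		if ed25519.Verify(root, module, sig) {
			return true
		}
	}
	return false
}

// RootsMatch compares the live key store with roots pinned where the store's writer cannot reach.
func RootsMatch(l Loader, pinned []ed25519.PublicKey) bool {
	for i := range pinned {
		if i >= len(l.Roots) || !bytes.Equal(l.Roots[i], pinned[i]) {
			return false
		}
	}
	return len(l.Roots) == len(pinned)
}

func keyFromSeed(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize)) // constructed fixed seed
	return priv.Public().(ed25519.PublicKey), priv
}

// Demo returns: vendor-signed module accepted; third-party module rejected; pinned check
// after the second root is overwritten; third-party module accepted after that overwrite.
func Demo() (vendorOK, strangerOK, pinnedAfter, strangerAfter bool) {
	vendorPub, vendorPriv := keyFromSeed(1)
	secondPub, _ := keyFromSeed(2)        // private half held by a party the loader does not know
	thirdPub, thirdPriv := keyFromSeed(3) // holds neither root
	module := []byte("constructed sample: bytes of a crypto provider module")
	l := Loader{Roots: []ed25519.PublicKey{vendorPub, secondPub}}
	pinned := []ed25519.PublicKey{vendorPub, secondPub}
	vendorOK = l.Accept(module, ed25519.Sign(vendorPriv, module))
	strangerOK = l.Accept(module, ed25519.Sign(thirdPriv, module))
	l.Roots[1] = thirdPub // writable store: the union of roots now includes the third party
	pinnedAfter = RootsMatch(l, pinned)
	strangerAfter = l.Accept(module, ed25519.Sign(thirdPriv, module))
	return
}
```

The point for a defender is that a verifier's trust is the union of every root it holds, so each root, and the store it lives in, needs the same integrity protection as the first.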

Security consultant Richard Smith, president of Phar Lap Software, said the discovery was a minor one. "As in most cases, where there's smoke there's usually fire," he said. "But in my opinion this isn't a very big fire."

Fernandes' claim came just two weeks after news began circulating that the US Department of Justice was asking for special legislation that would let it spy on computers without a warrant or the user's knowledge.
