[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FYI] (Fwd) IP: Gates, Gerstner helped NSA snoop - US Congressman




------- Forwarded message follows -------
Date sent:      	Thu, 13 Apr 2000 04:41:53 -0400
To:             	cryptography@c2.net
From:           	"R. A. Hettinga" <rah@shipwright.com>
Subject:        	IP: Gates, Gerstner helped NSA snoop - US Congressman


--- begin forwarded text


From: "Dan S" <ds2000@mediaone.net>
To: <InTheShadows@onelist.com>, "IP" <ignition-point@mailbox.by.net>
Cc: "Allyson Smith" <allysons@wans.net> Subject: IP: Gates, Gerstner
helped NSA snoop - US Congressman Date: Wed, 12 Apr 2000 22:46:57
-0400 Sender: owner-ignition-point@mailbox.by.net Reply-To: "Dan S"
<ds2000@mediaone.net>

>From The Register,
http://www.theregister.co.uk/000412-000020.html
-
Posted 12/04/2000 5:56pm by Graham Lea

Gates, Gerstner helped NSA snoop - US Congressman

A recent report renews claims that the US National Security Agency
(NSA) secured the co-operation of IBM and Microsoft in gaining access
to encrypted data, and documentation seen by The Register gives a
fuller picture of how this may have taken place. In this congressman
Curt Weldon makes the astonishing claim that the US military was able
to see Saddam Hussein's orders before his commanders did.

According to Cryptography & Liberty 2000, published last week by the
Electronic Privacy Information Center (EPIC): "On September 28, 1999,
Congressman Curt Weldon disclosed that high level deal-making on
access to encrypted data had taken place between the NSA and IBM and
Microsoft." The Register has seen an unofficial transcript of a
luncheon meeting on Capitol Hill of the Internet Caucus Panel
Discussion about the new encryption policy that provides some
elaboration.

Weldon is a senior member of the National Security Committee and
chairman of the Military Research and Development Subcommittee. This
has oversight of a $37 billion budget for all military R&D [much of it
for the Pentagon's computer systems], and arranged a series of
classified hearings and briefings from the NSA and CIA.

At the meeting Weldon bragged that: "In Desert Storm... my
understanding is that our commanders in the field had Saddam Hussein's
commands before his own command officers had them, because of our
ability to intercept and break the codes of Saddam's military. I want
to make sure we have that capacity in the future. I responded in a
very positive way to the argument that was being made by the CIA, the
NSA and the DOD - and we took some every tough positions." Although
Desert Storm took place long before NT was available, these remarks
give further weight to arguments that the NSA is determined to have
back doors.

Weldon said that the deputy secretary of defense John Hamre had
briefed him that "in discussions with people like Bill Gates and
Gerstner from IBM that there would be... an unstated ability to get
access to systems if we needed it. ... if there is some kind of tacit
understanding, I would like to know what it is." Weldon's concern was
that there was a need to document this policy for future
administrations, and he said he wondered why access to systems
couldn't be worked out formally with industry. "In fact, I called
Gerstner and I said, .Can't you IBM people and... software people get
together and find the middle ground, instead of us having to do
legislation.'"

Weldon continued: "I have advocated that we give significant new tax
breaks to the encryption and software industry in this country to give
them more incentive to stay in America and do their work here. ... I
want to be absolutely certain that in terms of our ability to deal
with intelligence overseas, to be able to have information dominance
overseas, to be able to use the kinds of tools that the CIA and
Defense Department needs in adversarial relationships that we are in
fact providing..."

Depending on their bravado to fact ratio, Weldon's remarks could give
further legs to the allegation made last August by Andrew Fernandes of
Cryptonym. These are detailed in the USA section of the EPIC report's
country-by country review.

Fernandes suggested that Microsoft might have included a key for the
US National Security Agency in order to get approval for the export of
NT.

His clue is in service pack 5 for NT4, where it at least looks as
though Microsoft forgot to remove information that identified the
security components. The CryptoAPI in NT has a second backup key, and
it has been suggested that this is in the possession of the NSA.
Microsoft vigorously denies this, claims that it holds both keys, and
says that the second key was a back-up for disaster-recovery purposes.
This latter explanation would be consistent in view of Microsoft's
record of opposing key escrow, but there are some additional nagging
concerns.

One enigma is the name of the back-up key - _NSAKEY. Microsoft says
that "this is simply an unfortunate name" and that "the keys in
question are the ones that allow us to ensure compliance with the
NSA's technical review" and so became known at Microsoft as "the NSA
keys". Fernandes makes several observations, including the suggestion
that root keys should be symmetrically encrypted and cryptographically
split to guard against loss - as happens in tamper-resistant hardware.
Fernandes also noted that Microsoft has previously written poor
software with the same weakness - in the Authenticode framework, for
example.

Fernandes also pointed out that there is a flaw in the way the
crypto_verify function is implemented, because the NSA key can be
eliminated or replaced easily. He produced a demonstration program to
do this, which if used would remove the possibility of the NSA having
export control. Replacing this NSA key would be commercially illegal,
but if it is indeed a key owned by the NSA, the legality outside the
USA of what is being done is an open question. There is a further
possibility: it may be that the NSA did not in fact need a key as it
had its own module between Windows and the encryption, which could of
course specifically intercept just secure traffic.

Microsoft cast further doubt on its explanation when it told the
Washington Post that the _NSAKEY was "only a notation that conforms to
technical standards set by the NSA". The snag with this explanation is
that the NSA has no technical standards for publicly available
cryptography, leaving Microsoft's claim looking very shaky. It is
known that in 1996, IBM agreed with the NSA that in return for
allowing Lotus Notes to be exported with 64-bit encryption, the NSA
would get to have 24 of the bits, and so would only have to crack 40
bits, which was within the NSA's capability at that time. 

--
Dan S.



**********************************************
To subscribe or unsubscribe, email:
     majordomo@mailbox.by.net
with the message:
     (un)subscribe ignition-point email@address
**********************************************

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44
Farquhar Street, Boston, MA 02131 USA "... however it may deserve
respect for its usefulness and antiquity, [predicting the end of the
world] has not been found agreeable to experience." -- Edward Gibbon,
'Decline and Fall of the Roman Empire'

------- End of forwarded message -------