Microsoft® Windows is unquestionably the most widely used operating system collection. It has millions of copies installed on personal computers in homes and offices throughout the world. Some statistics claim that as many as 90% of the world's computers run one version or another of Microsoft® Windows. Many foreign mission-critical governmental, defense and financial operations in countries around the world depend on Windows.
Every operating system has its vulnerabilities. A catalogue of them for most of the popular operating systems is at: http://xforce.iss.net/.
Microsoft Windows has consistently proven to be the weakest of all the known operating systems. This can be inferred from the large number (too numerous to list) of viruses and Trojans which have been released over the last 2 years, e.g. Back Orifice, Melissa and NetBus, to name a few. Experts believe that two basic problems make Windows such an insecure operating system: first, it is based on technologies which are inherently weak; second, being a closed platform, it does not have the benefit of being reviewed by peers, an enormous benefit that open source operating systems enjoy.
In addition to Windows' inherent weaknesses, in the last few months certain facts have been uncovered by independent security experts which suggest that Microsoft may have deliberately designed Windows with a software key which gives the National Security Agency (NSA, the US government spy agency) eased access to every copy of Windows installed anywhere, using holes in existing networking software. This creates the possibility of a major security compromise, giving the US government (and others) access to any information stored on a Windows-based computer system. It can also open a back door for installing new or altered software, because of the compromise of Microsoft's Authenticode technology, which depends upon the same software.
Debate regarding this has been raging over the Internet on different forums, specifically newsgroups related to security aspects of computer systems. To understand the risks, a person must understand just a few computer buzzwords. Because this is such a widespread problem, and so much information is already scattered across the Internet about it, this article has far more than the usual number of further information links.
Cryptography is one of the most difficult aspects of computer systems to communicate to a person who is not used to going in depth on what goes on under the hood of a computer system. Simply stated, it is a way of writing and transmitting data to keep it secret and verifiably unchanged. A simple introduction to "Cryptography" is given by Udhay Shankar: The science of secret writing.
It is the foundation of E-Commerce and online banking. History shows us how crucial this can be. Failure to keep sensitive information secure because of compromised Crypto was one major contributing factor to the outcome of World War II, especially in Europe. The Allies had access to most of the Axis communications, because the mechanical equivalent of today's Crypto software facilities had been broken (compromised). The Nazis had a blind belief in the security of the system they were using.
Here we attempt to explain as simply as possible what this security breach is and give enough references for people who want to explore this issue in depth.
Important:
TheGuide recommends that for on-line mission critical computer systems,
Windows MUST not be used.
Despite the prevalence of Windows on the computers of the world, it is not the only choice. There are many competing products which can run the same equipment. An article written for and posted on TheGuide some months ago,
About Computers, The Internet, and Alternatives for Operating System by Bruce Gingery
gives many of the other options, with some explanations of how they are related to each other, and where more information is available.
There is enough evidence, as presented below, to raise reasonable concern about easy access to Windows by outside agencies. It is incumbent on businesses, governments, and individuals to step back and analyze just how much damage could occur if information on the computer were leaked to the worst possible foe, or if their software were modified undetectably to perform differently, by use of this hole, either by itself or in combination with one of the myriad other security holes that have already been reported as bugs in Windows.
Please note: The NSAkey episode is only one of the reasons why Windows
cannot be relied on for mission critical applications. Security in Windows
95/98 is non-existent, and that in Windows NT is better, but still not
mission-critical. See the following URLs for more information on Windows
NT security:
http://www.ntbugtraq.com
http://www.tbtf.com/resource/ms-sec-exploits.html
http://www.ntsecurity.net/security/passworddll.htm
The Problem:
The discovery of a backdoor key to Windows may be some of the most "devastating news" for millions of Windows users. It is the first time in the history of computer security that such a gigantic breach of trust has transpired.
On the surface this issue was made to appear as an uproar that cannot really be verified, but a great deal of information has been uncovered that raises serious doubts about the security of any Windows based computer system - Windows95, Windows98, Windows2000 or WindowsNT.
Whether the shifting and loss of various online resources at Microsoft's websites has been coincidence, or part of a vain attempt to control the information about this serious problem, cannot be said by anyone not in direct control of those websites.
It all began when remarkable exhibits in the standard Windows drivers used for security and encryption struck a chord in the minds of experts. Things took further shape at Crypto 98, when Nicko van Someren, a British cryptography specialist, found that Windows drivers, when disassembled, contained two keys. Further, Andrew Fernandes, a leading scientist for the Canadian security software firm Cryptonym, openly claimed that the NSA (National Security Agency) may have a key that could access the core security of the Windows operating systems. Andrew Fernandes also verified the recently released NT server service pack 5 and found two keys named "_KEY" and "_NSAKEY". At Crypto'99 he spoke of the secrets behind the two keys.
While the Microsoft developers did not deny the presence of the "_NSAKEY", they also did not satisfactorily explain the purpose and anonymity of the key. They denied that it belongs to the NSA, but gave excuses for the presence of this fail-over key that are difficult to believe.
Andrew Fernandes also asserted that the outcome of the secret key
inside the Windows operating system could mean "that it is tremendously
easier for the NSA to load unauthorized security services on all copies
of Microsoft Windows, and once these security services are loaded, they
can effectively compromise your entire operating system". <URL: http://www.cryptonym.com>
The facilities protected by that key include most of the cryptographic
security of the system.
Microsoft's explanation for this other key is that the other key was a backup key meant for authentication of encrypted components in the event of failure of the first key. (This much is quite true.) Culp from Microsoft claims that "_NSAKEY" was colloquially used and is not shared with any outside party including the NSA. What he failed to explain is that this additional fail-over key can be used or even replaced with another key, without any security notification on the system of the compromise. Once it is used or replaced, the entire hierarchy falls like a tower of blocks. ActiveX may actually be signed by someone other than the one claimed; Java applets, similarly. System libraries, sessions with otherwise secure Internet servers, Virtual Private Networking - just about anything that has to do with security and is verified through the CryptoAPI can no longer be trusted.
While the discussions go on -- the issue takes a different turn.
It is immaterial if Microsoft or the NSA or any other person has the
actual second key!!!
Does it matter who has the second key as long as we know that there
is a second key? And it would matter less if there were a few dozen keys
more, since if the water leaks from the barrel through this one hole --
security is being compromised -- and the number of holes would just add
proportionally to the risk.
Microsoft openly states that the second key is a "backup key". This
is misleading, considering that millions of customers (using Windows 95/98
and Windows NT) are now vulnerable to brute force attacks against at least
two keys, and worse, the second (and other) keys can be replaced or used
without the user's knowledge or even detection.
Why is this misleading?
The biggest problem has nothing to do with whether or not the US Government might have the actual "_NSAKEY". There are legal and illegal means by which US spy agencies could gain access to the "_KEY", too. But if "_KEY" were replaced, anything that depended upon it would fail. With the second key, anything that depends on "_KEY" can continue working, and anything that fails a required check with "_KEY" is still allowed if it can be certified with whatever is currently installed in "_NSAKEY". Andrew Fernandes presented demonstration code that showed how "_NSAKEY" can be replaced with any correctly formed key, created by anyone, without any signs on the system that this has been done. It doesn't matter if Microsoft has even kept a copy of the original key to fit that "_NSAKEY"!
The Microsoft "_KEY" allows resetting other keys that may be used for personal, Java or ActiveX signatures, while a "PRIVATE KEY" is your key used to sign E-Mail, Financial Transactions, Network Logins (that use CryptoAPI), and if you are a software developer, to sign your own ActiveX, Applets, and the like. For certain functions both of these are required (example: signing) and some functions need only the first (most authoritative) key (example: for establishing it is safe to run). The "_NSAKEY" key, or what Microsoft refers to as the "backup key", is the newly discovered key that must be the cause for concern.
So how is the security breached?
The software that checks the validations is protected by the "_KEY" (like a primary key that allows resetting other keys). If the "_KEY" works fine -- the problem ends there. However, if it fails to work, the "_NSAKEY" is checked!! This is hardly how a vault is supposed to work. On a bank vault with two dials BOTH must be properly set for the vault to open. Any second key with a fail-over is thus a backdoor in its truest sense. It is a hidden way to perform all the security functions. What is worse is that the "_NSAKEY" can be changed by anyone having access to the front of the vault with a mere screwdriver!!! And that screwdriver can be downloaded from the Internet.
The whole process comes about then without the user's permission or knowledge! What more could one call this but a "breach of trust"?
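The fail-over check described above can be modelled in a few lines. This is an added example, not code from the article, Microsoft or Cryptonym: the toy RSA keys, the function names and the pinned-fingerprint audit are assumptions made here to show why a swapped second key produces no functional symptom, and how comparing key fingerprints against known-good values reveals the swap.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys


def make_key(p, q):
    """Toy textbook-RSA key from two primes (constructed, far too weak for real use)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])


def verify(pub_n, data, sig):
    return pow(sig, E, pub_n) == _digest(data, pub_n)


def fingerprint(pub_n):
    return hashlib.sha256(str(pub_n).encode()).hexdigest()


def failover_verify(slots, data, sig):
    """Policy described in the article: accept if ANY installed key verifies."""
    return any(verify(n, data, sig) for n in slots)


def audit_slots(slots, pinned):
    """Indexes of key slots whose fingerprint no longer matches the pinned one."""
    return [i for i, n in enumerate(slots) if fingerprint(n) != pinned[i]]


def run_scenario():
    # Constructed keys built from Mersenne primes; stand-ins only.
    primary = make_key(2**61 - 1, 2**89 - 1)     # plays the role of "_KEY"
    backup = make_key(2**107 - 1, 2**127 - 1)    # plays the role of "_NSAKEY"
    outsider = make_key(2**521 - 1, 2**607 - 1)  # key made by some third party

    genuine = b"constructed sample: vendor-signed provider"
    rogue = b"constructed sample: unapproved provider"
    genuine_sig = sign(primary, genuine)
    rogue_sig = sign(outsider, rogue)

    slots = [primary["n"], backup["n"]]
    pinned = [fingerprint(n) for n in slots]  # recorded from known-good media
    result = {
        "rogue_before": failover_verify(slots, rogue, rogue_sig),
        "audit_before": audit_slots(slots, pinned),
    }

    # Second slot swapped: the first key still vouches for genuine code,
    # so nothing stops working and nothing prompts anyone to look.
    swapped = [primary["n"], outsider["n"]]
    result["genuine_after_swap"] = failover_verify(swapped, genuine, genuine_sig)
    result["rogue_after_swap"] = failover_verify(swapped, rogue, rogue_sig)
    result["audit_after_swap"] = audit_slots(swapped, pinned)

    # Single-key design: the same swap breaks genuine code, which gets noticed.
    single = [outsider["n"]]
    result["genuine_single_key_swap"] = failover_verify(single, genuine, genuine_sig)
    return result


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The audit only helps if the pinned fingerprints are stored somewhere the party who can change the key slots cannot also rewrite.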
Crucial Difference
It is very important to note the difference between key loss and key compromise. Key loss is the loss of the private key itself, and with it, the ability for Microsoft to sign Cryptographic Service Providers. Key compromise means the loss of the confidentiality associated with the key, as would happen if someone gained a copy of the key. If the "_NSAKEY" can be used, or a replacement inserted and it is used, the effect is the same as if the Microsoft "_KEY" has been compromised, with regard to anyone victimized by this.
In simple language when a software component is designed in such a way that it does not function like it was supposed to, and that change weakens the security, then it is called a "Trojan". Until the forced revelation by Microsoft then, the presence of "_NSAKEY" causes CryptoAPI to come under the definition of a "Trojan".
Andrew Fernandes illustrates how you can create your own CSP to replace that "_NSAKEY" of Microsoft:
<URL: http://www.cryptonym.com/hottopics/msft-nsa/ReplaceNsaKey.zip>
(He also gives an overview of Microsoft's CryptoAPI)
Can things get shoddier?
Well shoddier is the least they can get -- Let us see why and how?
The link below shows - CryptoAPI has NOT passed tests for "standard
functionality" according to US Government FIPS-140-1 evaluations
<URL: http://www.microsoft.com/security/tech/cryptoapi/default.asp>
... and a copy of those standards at NIST (The National Institute of
Standards and Technology)
<URL: http://csrc.nist.gov/fips/fips1401.htm>
When asked "Could someone use these keys to weaken my security?"
Here is what Microsoft says:
<URL: http://msdn.microsoft.com/workshop/security/capi/cryptapi.asp>
"No. They would need the private half of either key pair; and as noted,
we have not shared these keys with anyone, including the NSA. Even
Microsoft could not use the keys DIRECTLY to weaken your security.
The worst thing that could be done with the keys would be to digitally
sign poorly-written CSPs, but even then, there would be no way to get the
CSPs onto your computer without your approval."
Well, let's see if that's true. Let's see if the user must approve the execution of software or a specific function from system software. We saw above that the protection of the user's private key is dependent upon CryptoAPI not being compromised, so we already know that if that fall-back key has been compromised, the entire CryptoAPI that is responsible for protecting it is also compromised. But let's see if even THAT PART of the statement (requiring the user's permission) is true...
<URL: http://msdn.microsoft.com/workshop/security/capi/cryptapi.asp>
Microsoft Corp's Java Virtual Machine ... in Internet Explorer, Microsoft
Outlook, and the Eudora e-mail program ... An (Java) applet can exploit
the glitch and override JVM security doing such things as reading private
data or modifying and deleting files on a victim's machine.
<URL: http://www.cnn.com/TECH/computing/9910/18/microsoft.jvm.hole.idg>
The weak point is an ODBC driver in Excel97, the spreadsheet program
for Office97. A malicious hacker can create an Excel spreadsheet
that exploits the weak point in this database driver, allowing him or her
to delete files or "perform other malicious acts," according to Microsoft.
<URL: http://www.cnn.com/TECH/computing/9908/03/excelbug.idg/>
The Marine Corps official said it was not clear how the virus entered
its system.
<URL: http://www.cnn.com/TECH/computing/9910/22/marines.worm.01/>
The worm that infected computers at the Marine Corps headquarters at
the Pentagon early Friday was "ExploreZip", an especially malicious virus
that typically travels by e-mail, according to a Marine Corps spokesman.
<URL: http://www.cnn.com/TECH/computing/9910/22/virus/>
Apparently, this is the first time a virus can permeate your computer
from a simple e-mail form -- no opening of attachments are necessary to
launch it. So there's little way to protect yourself. It's
believed to work by taking advantage of a security hole in Internet Explorer
5.0. NOVEMBER 10TH 1999
<URL: http://www.msnbc.com/news/296945.asp?cp1=1>
October is the cruelest month for Microsoft and Internet Explorer 5,
compliments of one Georgi Guninski, noted hacker from Bulgaria. Exposing
no fewer than three security holes over the last 30 days, Guninski has
recently uncovered yet one more privacy flaw in IE5. If you recall the earlier
"Download Behavior" bug, which also necessitated the dismissal of Active
scripting, this all-encompassing approach leaves your browser incapable
of interacting with JavaScript and VBScript-centric content.
This means you'll have to add trusted sites to IE5's Trusted Sites Zone
from the security tab within your Internet Options dialog box (when this
can't be done automatically via script). ...
<URL: http://www.msnbc.com/news/326233.asp?cp1=1>
<URL: http://www.msnbc.com/news/325291.asp?cp1=1>
Microsoft has found out about another security hole in Internet Explorer
5.0. An unscrupulous webmaster could construct a page that takes
advantage of IE5's Import Export Favorites function to run malicious code
on a visitor's computer ... See Patch: http://www.microsoft.com/security/bulletins/MS99-037faq.asp
<URL: http://support.microsoft.com/servicedesks/productflashes/Internet/intfc421.htm>
[October 5, 1999] Internet Explorer 5 includes a Download Behavior
that allows Web page authors to download files for use in client-side scripts.
By design, a website should be able to download only files that reside
in its domain, this prevents client-side code from exposing files on your
computer or local intranet to the Web site. However, a server-side redirect
can be used to bypass this restriction.
The net result is that a malicious Web site operator could potentially
read (but not modify or erase) files on your computer or other computers
on your local Intranet.
This means that a substituted _NSAKEY could be verified as installed
without even using it.
<URL: http://support.microsoft.com/support/kb/articles/Q179/6/52.ASP>
In order to step out of the Java "sandbox," applets need to be packaged
in CAB files for use with Internet Explorer 4.0x (and up). ... The Microsoft
model is a static model that requires the user to trust the code up front.
<URL:http://www.securityfocus.com/new.html> IMail POP3 Buffer Overflow
... may be possible to execute arbitrary code. (NT4.0)... "InterScan Virus
Wall Long HELO Buffer Overflow Vulnerability" (NT4.0) ... IE5.0 for Win98
buffer overflow IE4.0 for Win98 buffer overflow ... Outlook/Outlook-Express
(on) Win95/98/NT/2000 MS ActiveX CAB File Execution Vulnerability ... NT
Spool's Buffer Overflow (NT4.0 through SP6) ... aVrt Mail buffer overflow
... Excel SYLK Macro... IE5 IFRAME executes code with local-file system
permissions ... MSN Setup BBS buffer overflow... hhopen OLE Control buffer
overflow ... IrfanView32 buffer overflow ...
About a dozen bugs reported in the last 30 days that could cause code
to be executed WITHOUT the permission of the logged in user.
<URL: http://www.microsoft.com/security/tech/cryptoapi/cspdev.asp>
a list is given of vendors with security-specific wares based on CryptoAPI,
hence potentially compromised if the 2nd key (or 3rd key?) is replaced.
This is a pretty impressive list, which shows that MOST of the Windows
community depends on one or more of these technologies.
"Authenticode" is the technology that is perhaps the biggest hole for
a compromised (or replaced secondary) CSP key. Here are some links
that deal with all of this. Especially see the graphic on the link
mentioned below.
Other Resources
GLOSSARIES
<URL: http://msdn.microsoft.com/workshop/security/authcode/glossary.asp>
<URL: http://msdn.microsoft.com/library/psdk/security/secglos_9vjt.htm>
WHAT CSP IS, AND WHAT IS SIGNED AND HOW IT IS SIGNED
<URL: http://msdn.microsoft.com/workshop/security/authcode/signing.asp>
LIST OF PRODUCTS DEPENDING HEAVILY ON AUTHENTICODE
<URL: http://msdn.microsoft.com/workshop/security/authcode/authenticode.asp>
oops, it's moved oops, it's been RE-moved from the new location
Whitepaper on Authenticode
(download in 1995 DOC format, zipped)
<URL: http://msdn.microsoft.com/workshop/security/authcode/authwp.asp>
Authenticode FAQ
<URL: http://msdn.microsoft.com/workshop/security/authcode/signfaq.asp>
Is Authenticode technology really secure?
While not guaranteeing bug-free code, Authenticode technology is designed
to identify the publisher of code and to assure that software has not been
tampered with before, or during the download process.
The security methods used to support this proposal rely on tested and proven technology. Authenticode is based upon specifications that have been used in the industry for some time, including PKCS#7 (encrypted key specification), PKCS#10 (certificate request formats), X.509 (certificate specification) and SHA and MD5 hash algorithms.
Authenticode with Internet Browsing
<URL: http://msdn.microsoft.com/library/backgrnd/html/msdn_codewp.htm>
Note that even Microsoft's JAVA applet signing runs through this "black
box" of CryptoAPI, also plug-ins and ActiveX controls.
Some ways that SUBTLE changes could be handled by a replacement:
<URL: http://msdn.microsoft.com/library/psdk/crypto/cryptoref_9rz5.htm>
Authenticode is recommended way to secure against viruses
<URL: http://msdn.microsoft.com/library/officedev/odeopg/deovrsecuringofficesolutions.htm>
MISF
<URL: http://msdn.microsoft.com/library/backgrnd/html/msdn_misf.htm>
As illustrated in the architecture below, CryptoAPI is the foundation
for MISF. Higher-level protocols and services are built upon the
base-level cryptographic and certificate management functionality provided
by CryptoAPI and its associated Cryptographic Service Providers (CSPs).
Applications can then add security functionality by building on top of
MISF. This section takes a more in-depth look at the technologies that
are included in MISF, and provides links to detailed information. Appendix
A summarizes MISF technologies and their availability. See Appendix A for
a list of vital system security functionalities that are built on MISF.
Components of CryptoAPI tools
<URL: http://msdn.microsoft.com/library/psdk/crypto/cryptotools_6k8j.htm>
as of September 28, 1999
A note that modification of the REGISTRY can also weaken CryptoAPI
<URL: http://msdn.microsoft.com/library/psdk/crypto/cryptotools_6xev.htm>
CSP use of Public/Private key pairs
<URL: http://msdn.microsoft.com/library/psdk/crypto/aboutcrypto_9ib7.htm>
<URL: http://msdn.microsoft.com/library/psdk/crypto/portalapi_3351.htm>
WinTrust use of CryptoAPI
<URL: http://msdn.microsoft.com/library/psdk/winbase/portalwin_59np.htm>
WinTrust includes a function and structures used by that function to
verify trust in files, catalogs, memory blobs, signatures, or certificates.
In the case of verifying certificates, WinTrust calls the CryptoAPI trust
chain building functions, CertGetCertificateChain and CertVerifyCertificateChainPolicy.
An application can use those functions directly, and their direct use is
recommended.
Where does CryptoAPI sit (logically) - diagram(s)
<URL: http://msdn.microsoft.com/library/psdk/cryptcsp/aboutcsp_5rg7.htm>
<URL: http://msdn.microsoft.com/library/backgrnd/html/msdn_distsecserv.htm>
Image: <URL: http://msdn.microsoft.com/library/backgrnd/art/distsecserv6.gif>
Certificate-Server product
<URL: http://msdn.microsoft.com/workshop/security/client/certsvr.asp>
Certificate Server leverages the reliability and scalability features
of Microsoft Windows NT Server. It can be deployed on multiple servers
in large organizations that need the flexibility of more than one certificate
authority. Certificate Server is a multithreaded service on Windows NT
and takes full advantage of Windows NT's multiprocessor capabilities. Certificate Server:
* Runs as a Windows NT service and is tightly integrated with the operating system.
* Offers high performance, multithreaded certificate processing.
* Uses CryptoAPI 2.0, which provides the flexibility to choose the level of encryption and device (hardware device or in software).
So, from the Microsoft description, it appears that a replaced or used
"_NSAKEY" can even compromise hardware based security such as smart-cards,
and other external devices.
Internet-Information-Server Security
<URL: http://www.microsoft.com/TechNet/cdonline/iissecur.htm>
Internet Information Server was designed to provide corporate developers
with a powerful platform for designing Web-based applications. In addition
to the Internet Server API (ISAPI) and Active Server Pages for scripting
of the Web server, IIS makes the following secure technologies available
to developers:
Issuing digital certificates with Microsoft Certificate Server
CryptoAPI for cryptography
Using SSL certificates with Active Server Pages
CryptoAPI provides a rich set of high-level APIs that make it easier
for the developer to sign, seal, encrypt, and decrypt data. Developers
will easily be able to integrate identity and authentication into their
applications, thereby securing private communications and data transfers
over intranets and the Internet. Examples of certificate services are functions
for generating requests to create certificates, functions for storing and
retrieving certificates, and functions for parsing certificates.
3rd party "Cognos Datamerchant"
<URL: http://www.cognos.com/datamerchant/tech_wp.html>
DataMerchant uses data encryption to protect data during transfer to
a consumer's computer. DataMerchant does not provide its own cryptographic
security technology; rather it leverages the security of the platform.
The encryption system supported for access by wholesale consumers via an
ODBC-compliant application is Microsoft's CryptoAPI. For retail consumers
using Web browsers, DataMerchant supports Netscape's SSL (Secure Sockets
Layer).
CryptoAPI is an operating system API from Microsoft for Windows 95
and NT. It provides data encryption. DataMerchant uses CryptoAPI to secure
private communications and data transfers over intranets, extranets, and
the Internet.
The payment information and transfers of funds are protected by CryptoAPI, SSL, or the security features of the selected third-party online billing system.
3rd party "BackupNet"
<URL: http://www.backup.net/backupnet/client_highlite.htm>
Uses CryptoAPI to support domestic and international encryption.
3rd party "E-Lock ATS"
<URL: http://www.e-lock.com/PRODUCTS/ATS/key_features.htm>
Support for Microsoft CryptoAPI allows the e-Lock ATS 2.1 to share
keys with any other applications that use CryptoAPI. It also allows the
e-Lock ATS 2.1 access to the growing number of Cryptographic Service Providers
(CSP) that are available for CryptoAPI.
3rd party "VALTECH"
<URL: http://www.valtech-inc.com/Services.html>
SETI reported to rely on CryptoAPI
<URL: http://itu.rdg.ac.uk/misc/w3cs/00000087.htm>
Mailing list archives
<URL: http://discuss.microsoft.com/archives/cryptoapi.html>
RSA/Microsoft joint press release (1996)
<URL: http://www.microsoft.com/mscorp/presspass/press/1996/aug96/Rsapr.htm>
The agreement between Microsoft and RSA builds on the companies' existing
Internet security relationship. Microsoft currently ships RSA encryption
technology as the packaged cryptographic engine for its CryptoAPI, which
provides the foundation for the other components of the Microsoft Internet
Security Framework. Microsoft's CryptoAPI 1.0, the foundation for the Microsoft
Internet Security Framework, provides extensible, exportable, system-level
access to common cryptographic functions such as encryption, hashing and
digital signatures. Now available in the Windows NT operating system version
4.0 and shipped as part of Microsoft Internet Explorer 3.0, CryptoAPI is
currently scheduled to be delivered to OEMs as part of the Windows 95 OEM
Service Release in the third quarter of 1996. ...
Analysis and comparison with NSA guidelines
<URL: http://fmg-www.cs.ucla.edu/classes/239_2.spring98/papers/capi19.html>
CryptoAPI was not designed for novice C programmers. Programmers
using this CAPI will need substantial C expertise and cryptographic programming
expertise. Efforts to abstract the CryptoAPI interface into C++ or Visual
Basic objects have been demonstrated; however, they do not reduce the level
of cryptographic programming expertise required for a good implementation.
CSP developers will also need expert programmers familiar with the process
and security models of Microsoft's operating systems.
Report on US Electronic (IRS) Tax Filing System ("ir-File")
"Where do your Encryption Keys want to go today?"
<URL: http://www.cs.auckland.ac.nz/~pgut001/pubs/ird.html>
Another way to repudiate a fraudulent return is to claim that the security
mechanisms used are insecure, and that because they can be broken, someone
could have done this and filed the fraudulent return (explaining why anyone
would bother to do this isn't necessary, all you're interested in is casting
doubt on the evidence). Thanks to the reliance of ir-File on ActiveX and
Microsoft's CryptoAPI, this is fairly easy to do. Microsoft's CryptoAPI,
(which) has a number of known security flaws. The worst one of these is
a function called CryptExportKey(), which hands out your private key (that
is, your signature-generating token) to anyone who asks for it. Although
Microsoft finally fixed this in Internet Explorer (MSIE) 5, the flaw is
present in both versions of MSIE which are recommended in the ir-File documentation
(3.02 and 4.0).
"Where do your Encryption Keys want to go today?"
<URL: http://www.comnet.co.za/ken/March1998/aboutms.htm>
...a major security hole in Microsoft's CryptoAPI means that many keys
which aren't stored on a disk file can be recovered without even needing
to break the encryption....
As a result of these flaws, no Microsoft internet product is capable
of protecting a user's keys from hostile attack. Original paper at
<URL: http://www.insecure.org/sploits/microsoft.private-key.protections.html>
WindowsCE aspects
<URL: http://www.microsoft.com/WindowsCE/EMBEDDED/RESOURCES/CRYPTO.ASP>
With its support for many different communications interfaces, the
Microsoft® Windows CE operating system enables a wide variety of mobile
information appliances. These programming interfaces can also provide
secure communications to ensure the integrity and privacy of sensitive
data. From data-link authentication using PAP, CHAP, and Microsoft CHAP,
through the Microsoft CryptoAPI, SSPI, Winsock, and the WinInet API functions,
the wide variety of support for communications security means that existing
and new applications can take advantage of standard methods for authenticating
users and encrypting data.
Note that there have been new vulnerabilities found in Windows CE password
handling:
http://www.tbtf.com/blog/1999-11-14.html#3
http://www.cegadgets.com/artsusageP.htm
http://www.counterpane.com/crypto-gram-9911.html
World Class Authority
Bruce Schneier (a world renowned expert on cryptography) really boiled
it down, although he was ONLY really talking about browsers/E-Mail software
at the time...
<URL: http://www.cotse.com/mailing-lists/ntbugtraq/0395.html>
If a virus replaces the root Netscape certificate with a phony one, it can trick you into believing a fake certificate is valid. But that replacement certificate can't verify any real certificates, so you'll also believe that every real certificate is invalid. (Hopefully, you'll notice this.) But it works well with Microsoft's Authenticode. Microsoft had the foresight to include two root-level Authenticode certificates, presumably for if one ever gets compromised. But the software is designed to authenticate code if even one checks out. So a virus can replace the Authenticode spare certificate. Now rogue software signed with this rogue certificate verifies as valid, and real software signed by valid Microsoft-approved companies still checks out as valid.
See also his own follow-up to his own post:
<URL: http://www.cotse.com/mailing-lists/ntbugtraq/0397.html>
Who could be the casualties?
It would be rather difficult to cover all casualties; however, the most
affected ones would be large organizations, governments, banks, companies,
virtual private networks and e-commerce applications, followed by everyone
using Windows on the World Wide Web, as they cannot be even slightly sure
of JAVA applets, plugins and ActiveX controls.
Looking at these loopholes, the use of these products would be highly lethal from the security point of view. Services like RAS, IIS, ODBC and VPN that depend on the Microsoft Cryptography API would also be no less than noxious.
SSL, S/MIME and certificates in electronic commerce on these Windows
platforms represent a vulnerability to both financial establishments and
users of the Internet Explorer browser until these defects are treated.
Conclusions
We now see additional evidence that the recent versions of the Windows operating systems, including Windows 95, 98, 2000, and NT, are seriously jeopardizing security.
The Microsoft CryptoAPI can in no way be labeled as trustworthy.
It is highly advisable that no Microsoft product that uses one of these functions or libraries be used for any sensitive purpose until such time as Microsoft corrects these problems universally.
(The third key has been included in Windows 2000 for testing in the beta versions. However, before the original release, it is hard to say what Microsoft will decide to do.)
Some security experts believe that w2k (Windows 2000) will have a much more detrimental impact than y2k will have.
Further links for Reference:
(Note: Many links may or may not work after a while)
Description / Functioning
<URL: http://support.microsoft.com/support/kb/articles/Q171/7/59.ASP> Authenticode 2.0 distribution contents
<URL: http://www.datamation.com/PlugIn/issues/1996/may1/HowActivex.html>
<URL: http://www.tbg.com/samples/netsvcs/winnts.htm>
<URL: http://www.rsa.com/pressbox/html/960821.html>
<URL: http://www.microsoft.com/PressPass/PRESS/1996/AUG96/RSAPR.HTM>
<URL: http://msdn.microsoft.com/workshop/security/client/certsvr.asp>
<URL: http://msdn.microsoft.com/workshop/security/capi/sslcsp2a.asp>
<URL: http://agent.microsoft.com/windowsce/smartcard/resources/wp-ref.asp>
<URL: http://msdn.microsoft.com/library/sdkdoc/crypto/cryptotools_39et.htm>
<URL: http://fmg-www.cs.ucla.edu/classes/239_2.spring98/papers/capi19.html#HDR7>
<URL: http://technet.microsoft.com/CDONLINE/CONTENT/COMPLETE/BOES/BO/WIN2>
<URL: http://www.microsoft.com/PressPass/PRESS/1996/SEPT96/SECDESPR.HTM>
<URL: http://www.easterngraphics.com/certs/morestuff/ms3-ca.html>
<URL: http://microsoft.com/mind/0399/win2000/win2000.htm>
<URL: http://www.cs.utah.edu/~tullmann/flux/csl-misf/slides-html/sld001.htm>
<URL: http://www.windows.com/technet/cdonline/iissecur.htm>
<URL: http://premium.microsoft.com/msdn/library/sdkdoc/crypto/apndx_b_9eib.htm>
<URL: http://msdn.microsoft.com/LIBRARY/CONF/HTML/SA634.HTM>
<URL: http://technet.microsoft.com/CDONLINE/CONTENT/COMPLETE/TECHNOL/CRYPTAPI/CRYPTAPI.HTM>
Products with admitted dependency on it
<URL: http://sockets.com/winsock2.htm> WinSock
<URL: http://www.macbackup.com/backupnet.htm> MacBackup
<URL: http://www.procomsol.com/bckupnet.html> BackupNet
<URL: http://www.cognos.com/datamerchant/tech_wp.html> Cognos Merchant
<URL: http://www.maithean.com/news/spyrus.html> Maithean Spyrus
<URL: http://isa.uniovi.es/~sirgo/redes/winsock2.htm> WinSock2 (Español)
<URL: http://www.microsoft.com/ISN/case_studies/NetConcept.asp> BackOffice SBS
<URL: http://www.microsoft.com/ISN/IndOutlook_Trends/comnetsvcs.asp> Phone Company ISN/MSCS <URL: http://www.microsoft.com/ISN/market_strat/carrier.asp>
<URL: http://www.microsoft.com/OpenType/developers/dsig/default.htm> Font Files
<URL: http://support.microsoft.com/support/kb/articles/Q166/3/45.ASP> Internet Explorer and Windows98 Soft-Update
<URL: http://support.microsoft.com/support/kb/articles/Q197/7/13.ASP> Outlook ODK
<URL: http://www.microsoft.com/INTRANET/whpapers/secure/secure01.htm> IntraNET security (large whitepaper)
<URL: http://support.microsoft.com/support/kb/articles/Q169/6/09.asp> Visual Basic for the Web.
<URL: http://technet.microsoft.com/cdonline/Content/Complete/Internet/Client/IE/technote/IE40SEC.HTM> Organizational Security Management
<URL: http://support.microsoft.com/support/kb/articles/Q174/0/09.ASP> E-Mail Attachment AutoExecute protection add-on.
<URL: http://technet.microsoft.com/cdonline/Content/Complete/windows/win2000/win2ksrv/technote/sclogon.htm> Windows2000 SmartCard logon
<URL: http://technet.microsoft.com/cdonline/Content/Complete/windows/WCE/technote/crypto.htm> WindowsCE embedded in other devices
<URL: http://technet.microsoft.com/cdonline/Content/Complete/srvnetwk/bosbs/reskit/sbs45res/part7/sbrkQ738.htm> Internet Information Server (and Personal Web Server) and <URL: http://www.microsoft.com/TechNet/cdonline/iissecur.htm>
<URL: http://technet.microsoft.com/cdonline/Content/Complete/windows/winnt/ntwrkstn/technote/difwapi.htm>
<URL: http://technet.microsoft.com/cdonline/Content/Complete/windows/win2000/win2ksrv/technote/nt5efs.htm> Encrypting Filesystem and <URL: http://technet.microsoft.com/cdonline/Content/Complete/windows/win2000/win2ksrv/technote/walkthru/efswt.htm>
<URL: http://technet.microsoft.com/cdonline/Content/Complete/windowns/winnt/ntwrkstn/prodfact/revguide/NTW5BTA1.htm> WindowsNT v5 (preview/beta version)
<URL: http://technet.microsoft.com/cdonline/Content/Complete/windows/win2000/win2ksrv/technote/securcon.htm> Microsoft Management Console
<URL: http://www.microsoft.com/PressPass/press/1997/Sept97/SGCpr.htm> Online Banking and Financial Server <URL: http://www.microsoft.com/industry/finserv/>
<URL: http://www.microsoft.com/windows/ie/security/sgc.asp>
More on encryption and cryptography:
<URL: http://www.microsoft.com/Windows/server/Deploy/security/sclogon/02-StartHere.asp>
<URL: http://msdn.microsoft.com/workshop/security/authcode/authwp.asp>
<URL: http://europe.rainbow.com/partners/microsoft.html>
<URL: http://tkt.gmd.de/cgi-bin/sit-frame/sica?link=/SICA/projects/secude.html>
<URL: http://www.escher-group.com/prod-tech-comp-ms.html>
<URL: http://www.internetnews.com/wd-news/print/0%2C1089%2C10_52001%2C00.html>
<URL: http://www.tandem.com/iBase.asp?PAGE=iAtalla>
<URL: http://www.informationweek.com/newsflash/nf646/0902_st1.htm>
<URL: http://www.pcworld.com/news/daily/data/0398/980313161050.html>
<URL: http://info.pvt.net/bezpec4.htm#cry>
<URL: http://www.itserv.com/rideway/requirements.html>
<URL: http://www.elock.com/PRESROOM/News2.htm>
<URL: http://www.iosoftware.com/news/article011498.htm>
<URL: http://www.ankey.ru/publications/PCWeek/PCW22_96_re9.htm>
<URL: http://www.lanoptics.co.uk/virtual.htm>
<URL: http://www.ntguard.com/vpn.html>
<URL: http://channel.zdjournals.com/w95/9806/w959861.htm>
<URL: http://www.eet.com/news/96/928news/glicf.html> Hewlett Packard see also <URL: http://www.microsoft.com/CIO/alliances/HewlettPackard_bg.htm>
<URL: http://www.planetit.com/techcenters/docs/Database/Product/PIT19981201S0006/3>
<URL: http://www.persits.com/>
<URL: http://www.cetj.com/archives/9806/9806ques.shtml>
<URL: http://www.ibm.com/security/html/prallitis.html>
<URL: http://www.pcinews.com/cisco/aug/querisoft.html>
<URL: http://www.verisign.net/pr/ms_cl_auth.html>
<URL: http://www.hp.com/fsi/library/pr_versecur.html>
<URL: http://www.zdnet.com/pcweek/news/1118/18micf.html>
Repudiating authentication because of
<URL: http://www.cs.auckland.ac.nz/~pgut001/pubs/ird.html>
<URL: http://remus.prakinf.tu-ilmenau.de/ssl-users/archive21/0033.html>
<URL: http://www.magnets.com/lists/ssl-users/msg02847.html>
Potential hardware subversion
<URL: http://www.microsoft.com/security/TECH/CRYPTOAPI/CSPDEV.ASP>
Technical terms
Cryptographic Service Provider
A module which actually does encryption or decryption as a service
to CryptoAPI
What is CryptoAPI?
Software developers need to encrypt and decrypt data and validate that
code has not been modified. This can be easily done through a CryptoAPI
call. Every Microsoft Windows OS uses this CryptoAPI.
Acknowledgements:
Many people have contributed very generously to make this posting possible. The main contributor has been Mr. Bruce Gingery. Mr. Udhay Shankar made important suggestions to give perspective to the issues addressed. Ms. P. Baldota collated most of the information.
Original Article by Dr. Raj Mehta. All rights reserved 1999