This document is maintained by the XFILES Information Security Team. Please keep the source when reposting.
HTTP://202.96.211.193/xfiles
Microsoft installs American spies in Windows
Lately we often see reports of Hotmail being hacked and of vulnerabilities in the IE browser. Microsoft's record in computer security is extremely poor, and as users most of us have already grown used to these small loopholes. But what would you think if we discovered that every copy of Windows sold by Microsoft contains a backdoor provided to the U.S. National Security Agency (NSA, an American spy agency), so that the U.S. government can easily access your computer?
While researching the security subsystem of Windows NT 4, Andrew Fernandes, chief scientist of Cryptonym, discovered that Win95/98/NT4.0 and Windows 2000 contain a backdoor provided to the U.S. National Security Agency. This backdoor shows that the structure of Microsoft's cryptographic API (CryptoAPI) has a security flaw. Since CryptoAPI is the cornerstone of the Windows security system, any flaw in it exposes Windows to external electronic attack.
In CryptoAPI, Windows uses a "cryptographic public key" to verify the integrity of a module that uses CryptoAPI before loading it. But in patch 5 for Windows NT 4, Microsoft made a serious "mistake" and forgot to strip the symbol information that identifies the security components. This enabled Andrew to discover that two keys exist in the Windows system: one belongs to Microsoft and is used to authenticate CryptoAPI services, while the other belongs to the U.S. National Security Agency, allowing it too to invoke CryptoAPI services and access your machine without your permission.
The result is that the U.S. National Security Agency can very easily invoke all security services of Windows systems without authentication. Once these services are activated, they can completely control your machine. For non-U.S. users who rely on Windows NT for secure data services, this is very worrying. The U.S. government does its best to make it difficult for countries outside the United States to adopt "strong" encryption technology; installing a security backdoor in the world's most popular operating system is a tremendous shock to us.
However, there is one piece of good news in this bad news: the implementation of this "cryptographic authentication" function also has a security problem. Once cryptographic authentication is active, users can simply delete or replace the "U.S. National Security Agency" key without damaging the operating system. Since that key can be replaced so easily, non-U.S. users can conveniently install a stronger cryptographic service in Windows without the consent of Microsoft or the "U.S. National Security Agency". A program to replace the "National Security Agency" key can be obtained at HTTP….
Technical details
Overview of the Microsoft Encryption API
Microsoft's cryptographic API (CryptoAPI) allows independent software vendors (ISVs) to dynamically load cryptographic modules (cryptographic service providers, CSPs):
[Diagram not preserved: CryptoAPI architecture with signature-checked CSPs.]
This architecture, in which Windows performs signature verification on cryptographic modules, allows different encryption implementations to be added to the operating system. Unless you agree to accept U.S. export licensing, Microsoft will not provide a digital signature for your encryption module. In other words, Microsoft never allows non-U.S. companies to add strong encryption services to Windows.
Fortunately, the digital-signature check applied to the "cryptographic service provider" in this diagram has a security problem.
How the flaw was discovered
Environment: NT4 Server, patch 5 (SP5; U.S. version, 128-bit encryption), Visual C++ 6, patch 3. The same results can be seen in Win95 OSR2, Win98, Win98 gold version, WinNT4 (all versions), and Windows 2000 (up to pre-release 1).
Through the debugger you can see:
Before the cryptographic service provider is loaded, in the dynamic link library ADVAPI32.DLL:
Address 0x77DF5530 A9 F1 CB 3F DB 97 F5 ... ... ...
Address 0x77DF55D0 90 C6 5F 68 6B 9B D4 ... ... ...
After the RC4 routine has been applied, you can see:
A2 17 9C 98 CA R S A 1 ... 00 01 00 01 ... (looks like an RSA key)
A0 15 9E 9A CB R S A 1 ... 00 01 00 01 ... (looks like an RSA key)
Examining the symbol table shipped with the SP5 patch, inside "_CProvVerifyImage@8":
Address 0x77DF5530 marked as "_KEY"
Address 0x77DF55D0 marked as "_NSAKEY"
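The bytes above are recognisable because CryptoAPI stores RSA public keys in its documented PUBLICKEYBLOB layout: an 8-byte BLOBHEADER, then an RSAPUBKEY header whose magic is the ASCII string "RSA1", followed by the key length and the public exponent (65537, 0x00010001, in the dump above), then the modulus in little-endian byte order. The scanner below is added here and is not part of the original article or of Fernandes' work; it finds and parses such blobs in a binary image so that the trust anchors a module embeds can be inventoried and fingerprinted across builds. It runs on a constructed image with constructed moduli (not real keys and not the contents of ADVAPI32.DLL), and it does not use the addresses or symbol names quoted above.

```python
import hashlib
import struct

# CryptoAPI constants (documented BLOBHEADER / RSAPUBKEY layout).
PUBLICKEYBLOB = 0x06          # BLOBHEADER.bType
CUR_BLOB_VERSION = 0x02       # BLOBHEADER.bVersion
CALG_RSA_SIGN = 0x00002400    # BLOBHEADER.aiKeyAlg for an RSA signature key
RSA1_MAGIC = b"RSA1"          # RSAPUBKEY.magic (0x31415352 little-endian)

BLOBHEADER_LEN = 8            # BYTE, BYTE, WORD, DWORD
RSAPUBKEY_LEN = 12            # magic, bitlen, pubexp


def build_publickeyblob(modulus: int, bitlen: int, pubexp: int = 65537) -> bytes:
    """Serialise an RSA public key as BLOBHEADER || RSAPUBKEY || modulus.
    CryptoAPI stores the modulus little-endian, bitlen/8 bytes long."""
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_SIGN)
    rsapubkey = RSA1_MAGIC + struct.pack("<II", bitlen, pubexp)
    return header + rsapubkey + modulus.to_bytes(bitlen // 8, "little")


def find_rsa_public_keys(image: bytes) -> list:
    """Scan a binary image for embedded CryptoAPI RSA public keys.

    Every 'RSA1' occurrence is a candidate; it is kept only if the bitlen and
    modulus that follow are plausible, so stray strings are rejected. Each hit
    records whether a well-formed BLOBHEADER precedes it."""
    found = []
    pos = image.find(RSA1_MAGIC)
    while pos != -1:
        fields = image[pos + 4 : pos + RSAPUBKEY_LEN]
        if len(fields) == 8:
            bitlen, pubexp = struct.unpack("<II", fields)
            nbytes = bitlen // 8
            mod_start = pos + RSAPUBKEY_LEN
            plausible = (
                512 <= bitlen <= 16384
                and bitlen % 8 == 0
                and mod_start + nbytes <= len(image)
            )
            if plausible:
                mod_bytes = image[mod_start : mod_start + nbytes]
                modulus = int.from_bytes(mod_bytes, "little")
                # A real modulus has exactly bitlen bits (top bit set) and is odd.
                if modulus.bit_length() == bitlen and modulus % 2 == 1:
                    has_header = False
                    if pos >= BLOBHEADER_LEN:
                        btype, bver, _, _alg = struct.unpack(
                            "<BBHI", image[pos - BLOBHEADER_LEN : pos])
                        has_header = btype == PUBLICKEYBLOB and bver == CUR_BLOB_VERSION
                    found.append({
                        "offset": pos - BLOBHEADER_LEN if has_header else pos,
                        "has_blobheader": has_header,
                        "bitlen": bitlen,
                        "pubexp": pubexp,
                        "modulus": modulus,
                        # Stable identifier for tracking a trust anchor across builds.
                        "fingerprint": hashlib.sha256(mod_bytes).hexdigest()[:16],
                    })
        pos = image.find(RSA1_MAGIC, pos + 1)
    return found


def constructed_modulus(seed: bytes, bitlen: int = 1024) -> int:
    """Deterministic stand-in for an RSA modulus (NOT a real key): right length,
    top bit set, odd. Only the layout matters to the scanner."""
    raw = hashlib.sha256(seed).digest() * (bitlen // 256)
    return int.from_bytes(raw, "big") | (1 << (bitlen - 1)) | 1


def sample_image() -> bytes:
    """Constructed stand-in for a DLL data section: two embedded keys, filler
    bytes, and a decoy 'RSA1' string with a nonsensical bitlen."""
    blob_a = build_publickeyblob(constructed_modulus(b"first-key"), 1024)
    blob_b = build_publickeyblob(constructed_modulus(b"second-key"), 1024)
    decoy = RSA1_MAGIC + b"\xff" * 8          # bitlen 0xFFFFFFFF: rejected
    return (b"\x00" * 64 + blob_a + b"\xcc" * 96 + decoy
            + b"\x90" * 32 + blob_b + b"\x00" * 16)


if __name__ == "__main__":
    for key in find_rsa_public_keys(sample_image()):
        print(f"offset=0x{key['offset']:04x} bits={key['bitlen']} "
              f"e={key['pubexp']} fp={key['fingerprint']} header={key['has_blobheader']}")
```

Against the constructed image the scanner reports exactly two keys and ignores the decoy; on a real module the fingerprints are what you would compare between releases to notice a trust anchor being added, removed or swapped.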
Why do people think this is a "spy key"?
1. This key is surprisingly named "NSA key", where "NSA" is the abbreviation for the U.S. National Security Agency;
2. The existence of this second key in Windows has never been publicly known;
3. What exactly is this second key used for?
4. According to Microsoft, this is a "backup" key, set up at the request of the U.S. National Security Agency.
Security issue
Solution
Replace "_KEY" with your own key
But Windows will stop working because it cannot verify its own security subsystem.
A better solution
Replace "_NSAKEY" with your own key
But Windows can continue to work because Microsoft's key is still there;
But the "National Security Agency" cannot get in because their key has already been changed;
And the user can load his own encryption module.
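To make the trade-off between the two solutions concrete, here is a model of the verification logic, added here and not code from the article or from Windows: a textbook RSA signature check over a table of embedded trust anchors in which any one matching key is enough to load the module. The key labels, the toy primes and the module bytes are all constructed for illustration; the key sizes are far too small for real use, and the model assumes nothing about how ADVAPI32.DLL actually stores or iterates its keys beyond what the article states.

```python
import hashlib

# Toy RSA on fixed Mersenne primes: big enough that pow() does real work,
# far too small to be secure. Only the trust decision is the point here.
E = 65537


def toy_keypair(p: int, q: int):
    """Textbook RSA key pair from two primes; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)
    return (n, E), (n, d)


def _digest(module: bytes, n: int) -> int:
    # Hash the module image and reduce it below n so it fits the toy modulus.
    return int.from_bytes(hashlib.sha256(module).digest(), "big") % n


def sign_module(module: bytes, private) -> int:
    n, d = private
    return pow(_digest(module, n), d, n)


def signature_valid(module: bytes, sig: int, public) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest(module, n)


def verify_image(module: bytes, sig: int, trusted: dict):
    """Model of the trust decision the article attributes to _CProvVerifyImage:
    a CSP image loads if its signature verifies under ANY embedded key.
    Returns the label of the accepting key, or None if no key accepts."""
    for label, public in trusted.items():
        if signature_valid(module, sig, public):
            return label
    return None


def scenarios() -> dict:
    """Walk through the three configurations discussed in the article."""
    ms_pub, ms_priv = toy_keypair(2**127 - 1, 2**89 - 1)          # stands in for "_KEY"
    second_pub, second_priv = toy_keypair(2**107 - 1, 2**61 - 1)  # stands in for "_NSAKEY"
    user_pub, user_priv = toy_keypair(2**521 - 1, 2**31 - 1)      # the user's own key

    csp = b"constructed CSP image bytes (stand-in for a real provider DLL)"
    ms_sig = sign_module(csp, ms_priv)          # how Windows' own CSPs are signed
    second_sig = sign_module(csp, second_priv)  # a CSP signed under the second key
    user_sig = sign_module(csp, user_priv)      # a CSP the user signed themselves

    shipped = {"_KEY": ms_pub, "_NSAKEY": second_pub}
    key_replaced = {"_KEY": user_pub, "_NSAKEY": second_pub}
    nsakey_replaced = {"_KEY": ms_pub, "_NSAKEY": user_pub}

    return {
        # As shipped: two independent trust anchors, either one is enough.
        "shipped_ms": verify_image(csp, ms_sig, shipped),
        "shipped_second": verify_image(csp, second_sig, shipped),
        "shipped_user": verify_image(csp, user_sig, shipped),
        # Replace _KEY: the user's CSP loads, but Microsoft-signed ones no longer do.
        "key_replaced_ms": verify_image(csp, ms_sig, key_replaced),
        "key_replaced_user": verify_image(csp, user_sig, key_replaced),
        # Replace _NSAKEY: Microsoft's CSPs still load, the second key is shut out,
        # and the user's own CSP is accepted.
        "nsakey_replaced_ms": verify_image(csp, ms_sig, nsakey_replaced),
        "nsakey_replaced_second": verify_image(csp, second_sig, nsakey_replaced),
        "nsakey_replaced_user": verify_image(csp, user_sig, nsakey_replaced),
    }


if __name__ == "__main__":
    for name, accepted_by in scenarios().items():
        print(f"{name:24s} -> {accepted_by}")
```

The model makes the article's reasoning visible: the weakness is not the signature algorithm but the second independent trust anchor, so the defensive fix is to remove or replace that anchor while leaving the one the operating system's own modules are signed under intact.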