Crypto expert: Microsoft products leave door open to NSA
September 3, 1999
Web posted at: 2:06 p.m. EDT (1806 GMT)
(CNN) -- A cryptography expert says that Microsoft operating systems include a back door that allows the National Security Agency to enter systems using one of the operating system versions.
The chief scientist at an Internet security company reported the flaw at a recent conference in Santa Barbara where he discussed a "key" entrance into the cryptographic standard used in Microsoft Windows products. That includes Windows 95, Windows 98, Windows NT4 and Windows2000.
"It turns out that there are really two keys used by Windows; the first belongs to Microsoft, and it allows them to securely load (the cryptography services)," said Andrew Fernandes in a press release. Fernandes works for Cryptonym, a company based in Ontario.
The press release states "the second belongs to the NSA. That means that the NSA can also securely load (the services) on your machine, and without your authorization."
The discovery "highly suggests" that the NSA has a key it could use to enter encrypted items on anybody's Windows operating system, said Ian Goldberg, chief scientist at Zero-Knowledge Systems. Goldberg was among a few dozen people in the audience at the conference when Fernandes dropped his bomb.
The session occurred just before midnight so no one saw it coming, he said, but the audience was shocked.
"If you're trying to keep messages private, it's possible that they are not as private as you thought they were," Goldberg said.
Zero-Knowledge Systems is about to release a security product built specially to make such security flaws impossible, he said.
Microsoft was not immediately available for comment.
It is unclear why or if Microsoft cooperated with the NSA on the key to its "CryptoAPI," the standard interface to its cryptography services, Goldberg said.
More details to follow.