
NSA's Backdoor Key from Lotus Notes - yuhong
http://www.cypherspace.org/adam/hacks/lotus-nsa-key.html
======
noblethrasher
From Ray Ozzie himself in a previous discussion:

[https://news.ycombinator.com/item?id=5846189](https://news.ycombinator.com/item?id=5846189)

~~~
mentat
This is an amazing thread, just want to make sure people in this one know.

------
nailer
There was also a key marked as 'NSAKEY' in a normally encrypted part of
Windows NT that was revealed in a Service Pack. However Microsoft said it had
another purpose.

[http://en.m.wikipedia.org/wiki/NSAKEY](http://en.m.wikipedia.org/wiki/NSAKEY)

~~~
fabulist
A buddy who is an excellent reverse engineer assures me that this isn't a
conspiracy. Crypto services had to be verified by a key; the NSA's crypto
services were classified, so they couldn't let Microsoft sign them; therefore,
they needed their own key. The key is only used to authenticate crypto
services, which I think Douglas Adams would describe as Mostly Harmless.

I don't have the reverse engineering skills/IDA Pro license to verify this,
but fwiw I trust and respect this person's skills.

But let's do a thought experiment.

1. How much would the NSA gain from pressuring Microsoft into backdooring (or
as they say, "enabling") Windows, in terms of systems they could not access
before that they can access now?

2. How much would it cost the NSA, in terms of effort, good will, and
exposure to risk by the people at Microsoft who would know about the backdoor
and may leak or abuse it? How bad would it be if the public got wind of it?
How hard would it be to keep it secret over the years, especially as engineers
moved around to other companies? Would they have to involve foreign nationals
on the dev team? Could they be trusted not to warn their governments?

3. How many times could they abuse their backdoor before it was obvious
Windows couldn't be trusted? When/if that happened, what would be the damage
to the US economy, and to their ability to penetrate systems?

When I put myself in the shoes of DIRNSA and ask myself these questions,
backdooring Windows (at least through official channels, like _NSAKEY
supposedly is) seems like an insane proposition.

~~~
na85
Answers from my POV:

1 - Privileged access to the dominant consumer operating system, also used by
many corporations likely to be targeted.

2 - Minimal effort cost. Good will cost seems like something NSA ignores.
Exposure to risk seems minimal given the existence of NDA contracts.

3 - I think anyone who isn't deluded and/or a member of the "nothing to hide;
nothing to fear" camp already knows you can't trust Windows. The damage to the
US economy seems minimal in light of the Snowden leaks that implicate nearly
every US-based technology company, and Microsoft is investing heavily into
things like Xbox to diversify their revenue streams. I don't think there'd be
any fallout worth mentioning, tbh.

When _I_ put _myself_ into the shoes of the DIRNSA and ask myself these
questions, backdooring Windows seems like an obvious "Yes".

_NSAKEY may very well not be a backdoor, but I find the suggestion that
Windows doesn't contain one to be laughably naive.

~~~
skolor
So, serious question:

Why would they backdoor Windows, when apparently they could just buy an
exploit for $X00k[1]? It seems buying an exploit serves all those same
factors, at a similar price range, while making it much harder to point a
finger at the NSA when it eventually gets discovered.

It's probably a safe assumption that if someone is found using a backdoor in
Windows, it's probably the US Government that put it there. If it's an exploit,
it's a hell of a lot harder to point that finger at anyone in particular.

[1]:
[http://www.rand.org/pubs/research_reports/RR610.html](http://www.rand.org/pubs/research_reports/RR610.html)

~~~
philtar
You talk like they're different things. This is something the Chinese do.
Leave the backdoor as a vulnerability. Sure other people may find it, but that
means they have access to it from the git-go (on another note, this should be
how you initialize repos in git)

That way when someone finds it, they could go "oops. thanks for pointing this
vulnerability out for us. Will fix"

~~~
skolor
That gives you the worst of both worlds, though. You get the major
developmental downside of a backdoor - making sure no one in the development
pipeline finds and removes it - while still having to do the non-trivial work
of actually exploiting the bug. Admittedly I don't have real experience with
the 0-day black market, but the internet tells me I can just show up with
$200k and buy a Chrome/Windows/iOS 0-day, if I know the right people. I find
it hard to believe it's actually cheaper or even easier to backdoor software
than it is to just buy the exploits.

------
macmac
While US export controls based on crypto have been changed, they still do exist
[http://en.wikipedia.org/wiki/Export_of_cryptography_from_the...](http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status)

~~~
rtpg
This is the source of e.g. Skype's installer requiring you to acknowledge you
are not in Iran, NK, or Syria (that list might have changed recently)

------
yuhong
Notice they used only 760 bit RSA and it only has to be factored once. Then
you can brute force the remaining 40-bit keyspace with GPUs.

~~~
lstyls
I don't know much about crypto. This is bad I assume?

~~~
wolf550e
RSA-768 was factored by academics in 2009[0].

It has long been speculated that NSA can factor 1024bit RSA (or DHE) using
custom hardware, which is why in protocols like TLS and SSH the current
recommendation is for keys, certificates and Diffie Hellman key exchange to be
at least as strong as RSA-2048 (e.g. 256 bit elliptic curve crypto is strong
enough).

0 -
[https://en.wikipedia.org/wiki/RSA_numbers#RSA-768](https://en.wikipedia.org/wiki/RSA_numbers#RSA-768)

~~~
userbinator
If I got the maths right, due to the exponential relationship a 760-bit key
should on average take roughly 1/256th of the time a 768-bit key takes to
factor.

~~~
pbsd
No, that is not how factorization scales. The time difference between a 760
and 768-bit modulus is less than a factor of 2.
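
An added example, not part of the thread: the two scaling models from the last two comments, compared for a 760-bit and a 768-bit modulus. It assumes the standard heuristic running-time estimate for the general number field sieve with the o(1) term dropped, so only ratios between sizes are meaningful; all function names are made up for this illustration.

```python
import math

# Constant of the heuristic GNFS estimate L_N[1/3, (64/9)^(1/3)].
# Assumption: the o(1) term in the exponent is ignored.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_log2_work(bits):
    """log2 of the heuristic GNFS cost for a modulus of `bits` bits."""
    ln_n = bits * math.log(2)
    exponent = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return exponent / math.log(2)


def gnfs_ratio(small_bits, large_bits):
    """How many times more GNFS work the larger modulus needs."""
    return 2 ** (gnfs_log2_work(large_bits) - gnfs_log2_work(small_bits))


def naive_ratio(small_bits, large_bits):
    """'Each extra bit doubles the work': right for exhaustive key search,
    wrong for factoring, which is sub-exponential in the modulus size."""
    return 2 ** (large_bits - small_bits)


def compare(sizes, baseline=768):
    """Rows of (bits, log2 GNFS work, ratio to baseline under GNFS,
    ratio to baseline under the naive doubling model)."""
    rows = []
    for bits in sizes:
        rows.append((
            bits,
            round(gnfs_log2_work(bits), 1),
            gnfs_ratio(baseline, bits),
            2.0 ** (bits - baseline),
        ))
    return rows


if __name__ == "__main__":
    for bits, log2_work, gnfs_rel, naive_rel in compare([760, 768, 1024, 2048]):
        print(f"{bits:5d} bits  ~2^{log2_work} ops  "
              f"GNFS x{gnfs_rel:.3g} vs 768  naive x{naive_rel:.3g}")
```
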

