According to the Canadian security company Cryptonym, Bill has built a security back door into Windoze for the NSA (National Security Agency - probably something like the American BVD). For Cryptonym's full press release, you can go here. IDG.net has packaged the story in a news posting:
The chief scientist for a Canadian cryptography and security firm has identified a back door into Microsoft's cryptography system. He charges that it may be intended to grant access to data on any Windows user's system to the U.S. National Security Agency. Andrew Fernandes of Cryptonym has investigated Microsoft's "CryptoAPI" architecture for security flaws and has found that in Windows NT 4's Service Pack 5, the company neglected to remove annotations identifying the security components, according to a Cryptonym statement.
Apparently there are two keys used by Windows, one of which belongs to Microsoft and allows the secure loading of encryption services, but the second was annotated in the code with the letters NSA. Fernandes' investigation builds on the work of encryption experts Nicko van Someren and Adi Shamir, according to the company statement. The holder of the second key, if it is indeed the National Security Agency, could easily load unauthorized security services on any copy of Microsoft Windows, according to Cryptonym. A Microsoft spokesman called Cryptonym's report "completely false."
"The key in question is a Microsoft key; it's not held or shared with any party including the NSA," said Jim Cullinan of Microsoft. He added that Microsoft has continually opposed the U.S. government's key escrow proposal, which aimed to give the government the ability to decipher encrypted computer data. Microsoft's Windows operating systems provide encryption to Windows applications via the Microsoft CryptoAPI (application programming interface), which allows these applications to take advantage of the security provided by cryptography services from various independent software vendors, explains Austin Hill, president of privacy software firm Zero-Knowledge Systems. Only Microsoft, through the single key that was originally thought to exist, could certify cryptography toolkits.
Who Can You Trust?
"Microsoft's security architecture is a 'trust-me' solution," Hill says. "I would plead with Microsoft to start taking security and privacy of their consumers seriously," Hill says. "That means open security systems reviewed by peers and experts. They can't continue with 'trust me' when clearly they haven't earned that trust."
Cryptonym's statement maintains that there is a flaw in the way the cryptography verification occurs, which means that users can eliminate or replace the NSA key without modifying Microsoft's original components. A program demonstrating this can be found on Cryptonym's Web site. Fernandes could not immediately be reached in person.