[woodman]

The demand for evidence in the wake of all the NSA leaks is laughable.[0] What does evidence of the NSAKEY being a backdoor look like to you, a provably malicious CSA shim, signed by the key, hand delivered by James Clapper?

I'll tell you what it looks like to me:

After the debug symbol is found, Microsoft gives a seemingly very stupid explanation for it[1]: "It is a backup key. Yeah, uhhhh... during the export control review - the NSA said that we had to have a backup key, so we named it after them..." After being challenged on the plausibility of their backup scheme they refuse to provide any further explanation.

Here is the funny part: Microsoft might be technically telling the truth about it being a "backup". Consider what else was going on around this period: ridiculous export controls on key-length, the clipper chip... and finally: government managed private-key escrow[2]. At that time the export regulations did not specify a backup requirement, and yet Microsoft claims otherwise. You know who else was talking a lot about backups? The Whitehouse, in its proposal for allowing the export of key-lengths above 56-bits - so long as applicants implement "key-recovery".[3] Somehow I don't think that we share the same definition of the word "backup".

Also, ECI Sentry Raven[4], have fun with that.

[0] https://assets.documentcloud.org/documents/784280/sigint-ena...

[1] https://cryptome.org/nsakey-ms-dc.htm

[2] https://web.archive.org/web/20000818204903/https://csrc.nist...

[3] https://epic.org/crypto/key_escrow/key_recovery.html

[4] https://archive.org/details/nsa-sentry-eagle-the-intercept-1...

[geofft]

Evidence of the NSAKEY being a backdoor includes some description of how the backdoor might work, backed up by a reference to the relevant Windows source code or its disassembly, both of which are easily available to researchers. What sort of backdoor is it? Does it provide remote access to Windows? Does it enable certain cryptographic modes that are disabled? Does it disable certain cryptograph modes that are enabled? Does it trigger key recovery, and if so, how?

Evidence of X does not include "X would have been done by Y, and Y did Z, and X and Z are both bad, so why wouldn't Y do X too." That is basically the definition of an ad hominem argument. Whatever else the NSA may have done, and however much it's reason to believe the NSA might have wanted to do this specific thing, it's not evidence of them doing this specific thing (and again I'm not sure what this specific thing is even supposed to be). And if anything, the lack of mention of NSAKEY in the leaks is a reason to believe that there wasn't anything there.

Evidence of X also does not include "Y refused to talk about X." That might be evidence that Y is suspicious and untrustworthy (or evidence that the person asking was a conspiracy theorist who wouldn't be satisfied by any explanation), but it's not evidence that Y actually did X.

So, that's my definition of evidence. I'll turn this around: what would evidence that NSAKEY was not a backdoor look like to you? Would anything convince you, or is your claim unfalsifiable?

[woodman]

> Evidence of the NSAKEY being a backdoor includes some description of how the backdoor might work...

It would only work one way with an API relying on a PKI with a single CA, zero transparency, and trusted keys named after spy agencies suddenly appearing out of nowhere. I'm gonna bail here, because I'm now not sure if you honestly don't know what the CAPI was in relation to the NSAKEY - or if you're trying to waste my time by getting me to explain the most basic principles of public key infrastructure.

[geofft]

Here is a basic principle of public key infrastructure: anything signed by one CA can be signed equally well by another, unless the code is designed to give one CA special permissions (like EV certs, in the HTTPS PKI).

You are wrong on the facts that there is a "single CA" - there is _KEY in addition to _NSAKEY.

So, this brings me back to the point I mentioned at the top of the thread: why didn't the NSA just demand a copy of the private key for _KEY instead of a separate key? A separate key always carried a risk, and also required a rebuild - handing over _KEY could have happened immediately. If _NSAKEY has special permissions, can you point me to where in disassembled CAPI code / leaked source these special permissions are implemented, and what they are?

Your conspiracy theory is "The NSA is evil and also stupid." This is a more complex and less likely, and less worrisome conspiracy theory than "The NSA is evil." If the only thing we have to worry about from the NSA is things bungled as badly as this alleged _NSAKEY backdoor and the actual Dual_EC_DRBG backdoor (which was noticed by cryptographers basically instantly), we have nothing to worry about. That doesn't seem like the rhetorical position you want to take.

[ryanlol]

It really feels like you’re trying to distract from the fact that you have no idea how the supposed NSAKEY backdoor works if it exists.

How would the signed payload to activate this backdoor be delivered? Where’s the code that receives it? Where’s the code that then processes that signed payload?

It’s not like this stuff is terribly hard to reverse, you’ll almost certainly be able to easily find all the symbols and probably even leaked source on various NT-related forums.