  • gonzooo

more than 1000 posts since 23.10.2007

Bruce Schneier: NSA Key in Microsoft Crypto API? I don't buy it!

See Crypto-Gram, September 15, 1999:

First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, or 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption by attacking the random number generator than it is to brute-force the key.

Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

Third, why in the world would anyone call a secret NSA key "NSAKEY"? Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.

I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that.

Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.

But it's not an NSA key so they can secretly inflict weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses.

https://www.schneier.com/crypto-gram/archives/1999/0915.html

And mind you, this is about an API in NT4. So about Windows code dating back roughly 18 years.

Meanwhile, for many years now, the Windows source code has been available to many people outside Microsoft (and, of course, outside the USA as well) under the Shared Source Initiative. In particular, to experts in penetration testing, intrusion detection and finding exploits. An obvious "NSA backdoor" would have been discovered long ago.

And when, on the other hand, one sees, both through the malware discovered in the meantime and through the Snowden revelations, what enormous financial and personnel effort the NSA and allied services have been putting in for decades to develop programs for infiltrating Windows computers or PC components, this refutes the conspiracy theory of an "NSA backdoor" allegedly built into Windows.

The post was edited by the user (05.07.2015 20:21).
