http://cryptome.org/nsakey-ms-dc.htm describes Microsoft's version of
the events that led it to put a secondary key into the system and
call it NSA_KEY.

It appears that in the process of technical review of their CryptoAPI,
they were advised of the need to have a second key for signing crypto
plug-ins. Anyone who has participated in getting certification of crypto
software is familiar with the back-and-forth nature of this process.
It is normal for the reviewers to ask for changes or give advice about
improvements.

Microsoft is vague about the details. They tend to gloss over it,
saying that they submitted a design and ultimately it was approved.
The closest they come is saying "(The name reflects the fact that the
key is present in the design to satisfy the NSA technical review per US
cryptographic export regulations)."

The purpose of the NSA_KEY was so that if the main key were lost,
Microsoft would still have the ability to sign new crypto service provider
modules, certainly an important requirement. When asked why Microsoft
did not simply make a backup of the main key, they respond:

    The longer answer is that CryptoAPI was designed under a fairly tight
    schedule in 1993. We could not create multiple copies of the same key,
    because the private portion of the key was generated on and lodged
    in a hardware device. In order to make a second copy of the key, we
    would have needed to completely replicate the hardware device -- but
    this is a difficult and time-consuming process and our ship schedule
    made this infeasible. On the other hand, it is quite easy to simply
    create a second key on a completely different hardware device. This
    is what we chose to do, and it is no better or worse security than
    replicating a single key to multiple locations.

This seems reasonable. Keeping such a sensitive key on a secure hardware
device is standard advice. However it does mean that it can be very
difficult to back the key up. Those devices are designed to keep the
key from being extracted; that is one of the main reasons to use them.
They generate the key on-board and it never leaves the card.

So to have a backup signature capability the most straightforward approach
is to use a second secure device to create a second key.

Putting all these pieces together, what results is a plausible picture for
how the process went. Microsoft submitted a design; the NSA reviewers
pointed out that they'd be screwed if they lost their CSP signing key;
Microsoft, pressed by time-to-market considerations, took the quickest
possible fix, which was to just add a second key.

The only problem with this scenario is that Microsoft will not admit that
it occurred. They seem to want to skip over the part where their design
gets updated based on the review. This may be public relations, fears
that if they admit to making any changes whatsoever at the request of
the NSA it will only inflame their critics more. Or it may be corporate
pride, not wanting to admit that their own design was imperfect.

Ironically, this is the one part of the process which is essentially
certain to have happened. Reviewers must justify their own jobs, and
they can always find some nits to pick or places to request changes.
As Heinlein put it, "after the editor pees in a story he likes the taste
better and he buys it." We can be confident that the NSA, in reviewing
Microsoft's design, would have required changes for approval.
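
An added illustration, not part of the original post and not Microsoft's code: a loader that embeds two public keys and accepts a module signed by either, which is how a second key on a separate device serves as a backup signing capability. That the loader accepts either key is an assumption drawn from the description above; the key names, `verify_module`, and the toy RSA keys built from Mersenne primes are constructed for the example and are not secure.

```python
import hashlib

# Constructed toy RSA keys built from well-known Mersenne primes so the
# example runs offline. They are trivially factorable: illustration only.
E = 65537

def make_key(p_bits, q_bits):
    """Return (modulus, private exponent); the exponent models the device-held key."""
    p, q = 2**p_bits - 1, 2**q_bits - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))

PRIMARY_N, PRIMARY_D = make_key(521, 607)
BACKUP_N, BACKUP_D = make_key(1279, 2203)

# Public moduli compiled into the loader (hypothetical names).
TRUSTED_KEYS = {"primary": PRIMARY_N, "backup": BACKUP_N}

def digest_int(module: bytes) -> int:
    return int.from_bytes(hashlib.sha256(module).digest(), "big")

def sign(module: bytes, n: int, d: int) -> int:
    """Textbook RSA signature over SHA-256 (no padding, demo only)."""
    return pow(digest_int(module), d, n)

def verify_module(module: bytes, signature: int, trusted=TRUSTED_KEYS):
    """Return the name of the trusted key that verifies the signature, else None."""
    h = digest_int(module)
    for name, n in trusted.items():
        if 0 < signature < n and pow(signature, E, n) == h:
            return name
    return None

def demo():
    module = b"constructed CSP module image"
    sig_primary = sign(module, PRIMARY_N, PRIMARY_D)
    sig_backup = sign(module, BACKUP_N, BACKUP_D)   # primary device assumed lost
    return {
        "signed_primary": verify_module(module, sig_primary),
        "signed_backup": verify_module(module, sig_backup),
        "tampered": verify_module(module + b"!", sig_primary),
        # A loader shipped with only the primary key rejects backup-signed modules.
        "single_key_loader": verify_module(module, sig_backup, {"primary": PRIMARY_N}),
    }

if __name__ == "__main__":
    print(demo())
```

The last case shows why the second public key has to ship in the system ahead of time: a backup signing device is useless unless deployed loaders already trust its key.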