MSoft crypto API's
The June 10, 1996 Network World carried a story on page 8 under the title "Microsoft breaks crypto barrier", which starts off as follows:
"Microsoft Corp. last week said it will include cryptography-based security technology in its operating systems, messaging product and Web browser through a new set of APIs that will be available both in the U.S. and overseas.
"The fact that the National Security Agency is allowing Microsoft to export the cryptographic APIs is somewhat of a coup for the software vendor, although the NSA did nothing to alter the current export ban on strong encryption."
Later on, it says:
"Microsoft's Crypto APIs will be available to third-party vendors writing applications with embedded security. But the hardware or software Crypto-engines for these applications will need to be digitally signed by Microsoft before they will work with the APIs. Under an unusual arrangement with the NSA, Microsoft will act as a front man for the powerful U.S. spy agency, checking on whether the vendors' products comply with U.S. export rules."
I was a bit surprised not to see any discussion of this here. Is it just old news? Or maybe people here don't read Network World?
I didn't paste in the whole article for copyright reasons. Since they seem to be on a one-month lag with posting back articles on their Web site, it just this week became available at www.nwfusion.com.
An MS/NSA alliance?
-gk-
On Tue, 9 Jul 1996, George Kuzmowycz wrote:
The June 10, 1996 Network World carried a story on page 8 under the title "Microsoft breaks crypto barrier", which starts off as follows:
"Microsoft Corp. last week said it will include cryptography-based security technology in its operating systems, messaging product and Web browser through a new set of APIs that will be available both in the U.S. and overseas.
"The fact that the National Security Agency is allowing Microsoft to export the cryptographic APIs is somewhat of a coup for the software vendor, although the NSA did nothing to alter the current export ban on strong encryption."
Later on, it says:
"Microsoft's Crypto APIs will be available to third-party vendors writing applications with embedded security. But the hardware or software Crypto-engines for these applications will need to be digitally signed by Microsoft before they will work with the APIs. Under an unusual arrangement with the NSA, Microsoft will act as a front man for the powerful U.S. spy agency, checking on whether the vendors' products comply with U.S. export rules."
I was a bit surprised not to see any discussion of this here. Is it just old news? Or maybe people here don't read Network World?
I didn't paste in the whole article for copyright reasons. Since they seem to be on a one-month lag with posting back articles on their Web site, it just this week became available at www.nwfusion.com.
An MS/NSA alliance?
-gk-
More details are available from MS' web pages at:
http://www.microsoft.com/win32dev/apiext/capi4.htm
and:
http://www.microsoft.com/intdev/security/cryptapi.htm
I understand that NSA may have accepted the arrangement because only signed CSP's will be loaded under the CAPI, and MS will only sign them in Redmond. So, strong CSP modules developed outside the US will not be useable there because, once gone to Redmond, they won't be re-exportable.
On the other hand, I suspect that writing a binary-compatible CAPI emulator shouldn't be that difficult. That would allow the same CAPI-compliant applications to be used anywhere in the world, running over different implementations of the crypto engine.
The interesting part is that the basic, but crippled, CSP (PROV_RSA_FULL) will be supplied for free by MS:
--http://www.microsoft.com/win32dev/apiext/capi4.htm -- 8< -----------
[...]
Microsoft licensed cryptographic technology from RSA Data Security to create the base or default software CSP that ships with the operating system. The Microsoft RSA Base provider consists of a software implementation PROV_RSA_FULL provider type (see accompanying table of provider types). This CSP supports both public-key and symmetric (or "conventional") cryptography. It is exportable and will ship everywhere that the CryptoAPI is present.
[...]
------------------------------------------------------- 8< -----------
That should free the developers of secure applications from the need of buying licences from RSADSI, at least for export-grade functionality.
Enzo
On Tue, 9 Jul 1996, George Kuzmowycz wrote:
[...]
"Microsoft's Crypto APIs will be available to third-party vendors writing applications with embedded security. But the hardware or software Crypto-engines for these applications will need to be digitally signed by Microsoft before they will work with the APIs. Under an unusual arrangement with the NSA, Microsoft will act as a front man for the powerful U.S. spy agency, checking on whether the vendors' products comply with U.S. export rules."
I was a bit surprised not to see any discussion of this here. Is it just old news? Or maybe people here don't read Network World?
[...]
An MS/NSA alliance?
-gk-
This is a very deft and sly move, if it was indeed planned, by the NSA. Clearly they have got the message. Political efforts to curtail crypto are doomed to failure. Economic strangulation is the way to go.
Well here you are folks, months of bitching about how stupid the NSA must be has paid off. Not only is this clever, it's insidious.
1. It's too difficult for Joe Sixpack to understand.
2. It preys on the market leader already, rather than attempting to bootstrap (as with Clipper).
3. It uses as its implementation a private, rather than a public entity.
Now this strikes me as something truly frightening. The NSA has become an intelligence agency which is effectively working in concert with private interests to conduct internal security operations by proxy.
And what has Microsoft gained? Nothing. They are still subject to export laws, they even have to kiss NSA ass more now lest their little bit of largess be yanked away from them.
While in the past using a corporation such as E-Systems as a front and a constitutional end around was expected, this is the pre-empting of a major pre-existing entity. Does not bode well.
Netscape, are you listening? You are being battered around in the press and on the market as being a flash in the pan. Yes, you got there first, but you are now giving it up to Microsoft, or so say the writers. I was brutal and hard on you on this list for a reason before, and that was because the above was my fear.
Netscape, are you listening? Now would be a good time to announce that you are not working for the NSA like some other companies. God, I wish someone in Netscape PR would wake the hell up.
--
I hate lightning - finger for public key - Vote Monarchist
unicorn@schloss.li
What I don't understand about this arrangement is how other people are supposed to develop crypto software under CAPI. I mean, how is it possible to develop a software package if you need to go get it signed by Microsoft every time you want to test it? Or do US customers get versions of the OS that will crypto code without verifying the signature? Somehow I doubt that, though, because then the NSA wouldn't be getting as much out of the deal.
David
participants (4)
- Black Unicorn
- David Mazieres
- Enzo Michelangeli
- George Kuzmowycz