[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MSoft crypto API's



On Tue, 9 Jul 1996, George Kuzmowycz wrote:

>   The June 10, 1996 Network World carried a story on page 8 under the 
> title "Microsoft breaks crypto barrier", which starts off as follows:
> 
>   " Microsoft Corp. last week said it will include cryptography-based 
> security technology in its operating systems, messaging product and 
> Web browser through a new set of APIs that will be available both in 
> the U.S. and overseas.
> 
>  " The fact that the National Security Agency is allowing Microsoft 
> to export the cryptographic APIs is somewhat of a coup for the 
> software vendor, although the NSA did nothing to alter the current 
> export ban on strong encryption."
> 
>   Later on, it says:
> 
> "  Microsoft's Crypto APIs will be available to third-party vendors
> writing applications with embedded security. But the hardware or
> software Crypto-engines for these applications will need to be
> digitally signed by Microsoft before they will work with the APIs.
> Under an unusual arrangement with the NSA, Microsoft will act as a
> front man for the powerful U.S. spy agency, checking on whether the
> vendors' products comply with U.S. export rules."
> 
>   I was a bit surprised not to see any discussion of this here. Is it 
> just old news? Or maybe people here don't read Network World?
> 
>   I didn't paste in the whole article for copyright reasons. Since 
> they seem to be on a one-month lag with posting back articles on 
> their Web site, it just this week became available at 
> www.nwfusion.com. 
> 
>   An MS/NSA alliance?
> 
>         -gk-
> 


More details are available from MS' web pages at:
http://www.microsoft.com/win32dev/apiext/capi4.htm
and:
http://www.microsoft.com/intdev/security/cryptapi.htm

I understand that NSA may have accepted the arrangement because only
signed CSP's will be loaded under the CAPI, and MS will only sign them in
Redmond. So, strong CSP modules developed outside the US will not be useable
there because, once gone to Redmond, won't be re-exportable. On the other
hand, I suspect that writing a binary-compatible CAPI emulator shouldn't
be that difficult. That would allow to use the same CAPI-compliant 
applications anywhere in the world, running over different 
implementations of the crypto engine.

The interesting part is that the basic, but crippled, CSP (PROV_RSA_FULL) 
will be supplied for free by MS:

--http://www.microsoft.com/win32dev/apiext/capi4.htm -- 8< -----------
[...]
Microsoft licensed cryptographic technology from RSA Data Security to 
create the base or default software CSP that ships with the operating
system. The Microsoft RSA Base provider consists of a software 
implementation PROV_RSA_FULL provider type (see accompanying table of
provider types). This CSP supports both public-key and symmetric (or 
"conventional") cryptography. It is exportable and will ship everywhere
that the CryptoAPI is present.
[...]
------------------------------------------------------- 8< -----------

That should free the developers of secure application from the need of 
buying licences from RSADSI, at least for export-grade functionality.

Enzo