The Guide






About Raj

Security Issues with MS Windows

The Problem
Why is this Misleading?
So How is security breached?
Can Things get shoddier?
Other Resources
Analysis and comparsion with NSA guidlines
World Class Authority
Further links for Reference

Other Resources




Whitepaper on Authenticode

(download in 1995 DOC format, zipped)

Authenticode FAQ

  • <URL:>
    Is Authenticode technology really secure?
    While not guaranteeing bug-free code, Authenticode technology is designed to identify the publisher of code and to assure that software has not been tampered with before, or during the download process.

    The security methods used to support this proposal rely on tested an proven technology.  Authenticode is based upon specifications that have been used in the industry for some time, including PKCS#7 (encrypted key specification), PKCS#10 (certificate request formats), X.509 (certificate specification) and SHA and MD5 hash algorithms.

Authenticode with Internet Browsing

Some ways that SUBTLE changes could be handled by a replacement:

Authenticode is recommended way to secure against viruses


Where does CryptoAPI sit (logically) - diagram(s)

Certificate-Server product

  • <URL:>
    Certificate Server leverages the reliability and scalability features of Microsoft Windows NT Server. It can be deployed on multiple servers in large organizations that need the flexibility of more than one certificate authority. Certificate Server is a multithreaded service on Windows NT and takes full advantage of Windows NT's multiprocessor capabilities. Certificate Server: * Runs as a Windows NT service and is tightly integrated with the operating system.
    • Offers high performance, multithreaded certificate processing.
    • Uses CryptoAPI 2.0, which provides the flexibility to choose the level of encryption and device (hardware device or in software).
So, from the Microsoft description, it appears that a replaced or used "_NSAKEY" can even compromise hardware based security such as smart-cards, and other external devices.

Internet-Information-Server Security

  • <URL:>
    Internet Information Server was designed to provide corporate developers with a powerful platform for designing Web-based applications. In addition to the Internet Server API (ISAPI) and Active Server Pages for scripting of the Web server, IIS makes the following secure technologies available to developers:
    • Issuing digital certificates with Microsoft Certificate Server
    • CryptoAPI for cryptography
    • Using SSL certificates with Active Server Pages
    CryptoAPI provides a rich set of high-level APIs that make it< easier for the developer to sign, seal, encrypt, and decrypt data. Developers will easily be able to integrate identity and authentication into their applications, thereby securing private communications and data transfers over intranets and the Internet. Examples of certificate services are functions for generating requests to create certificates, functions for storing and retrieving certificates, and functions for parsing certificates.

3rd party "Cognos Datamerchant"

  • <URL:>
    DataMerchant uses data encryption to protect data during transfer to a consumer's computer. DataMerchant does not provide its own cryptographic security technology; rather it leverages the security of the platform. The encryption system supported for access by wholesale consumers via an ODBC-compliant application is Microsoft's CryptoAPI. For retail consumers using Web browsers, DataMerchant supports Netscape's SSL (Secure Sockets Layer).

    CryptoAPI is an operating system API from Microsoft for Windows 95 and NT. It provides data encryption. DataMerchant uses CryptoAPI to secure private communications and data transfers over intranets, extranets, and the Internet.

    The payment information and transfers of funds are protected by CryptoAPI, SSL, or the security features of the selected third-party online billing system.

3rd party "BackupNet"

3rd party "E-Lock ATS"

  • <URL:>
    Support for Microsoft CryptoAPI allows the e-Lock ATS 2.1 to< share keys with any other applications that use CryptoAPI. It also allows the e-Lock ATS 2.1 access to the growing number of Cryptographic Service Providers (CSP) that are available for CryptoAPI.

3rd party "VALTECH"

SETI reported to rely on CryptoAPI

Mailing list archives

RSA/Microsoft joint press release (1996)

  • <URL:>
    The agreement between Microsoft and RSA builds on the companies' existing Internet security relationship. Microsoft currently ships RSA encryption technology as the packaged cryptographic engine for its CryptoAPI, which provides the foundation for the other components of the Microsoft Internet Security Framework. Microsoft's CryptoAPI 1.0, the foundation for the Microsoft Internet Security Framework, provides extensible, exportable, system-level access to common cryptographic functions such as encryption, hashing and digital signatures. Now available in the Windows NT operating system version 4.0 and shipped as part of Microsoft Internet Explorer 3.0, CryptoAPI is currently scheduled to be delivered to OEMs as part of the Windows 95 OEM Service Release in the third quarter of 1996. ...

Analysis and comparsion with NSA guidlines [Next]

Copyright 1999 Dr. Raj Mehta. All rights reserved.