
This is correct. Back at least in the Vista days each public release had to be passed to the NSA to validate the encryption algorithms and implementation. I’d imagine they poked around a few other parts of the OS.



> each public release had to be passed to the NSA

That sounds a lot like a conspiracy theory. Any references on this?


The NSA has a dual mandate - to improve security for the US government (and by extension, US businesses to an extent), and to peek into communications outside the US.

They have been pretty negligent about the first (or even malicious about it - e.g. the dual drbg case), letting the second take over - but officially they still have the first mandate.

In fact, DES was considerably strengthened in its day by the NSA review - at that time for reasons not understood by industry or academia. It was later discovered that the change required by the NSA made DES much more resistant to differential cryptanalysis, a technique that was (re)discovered by academic cryptographers much later.

Every “conspiracy” I’ve heard about the NSA and friends turned out to be true, most with definite proof from the Snowden releases.


> Every “conspiracy” I’ve heard about the NSA and friends turned out to be true

And therefore every next thing anyone on the Internet concocted has to be true as well?

I get what you're saying though, and I'm well aware of the dual mandate. But you haven't given me any more reason to believe this particular one, and I find it strange because I've never heard of any company in any country having to give their software to an intelligence agency before being allowed to release only the modified version. Implanting backdoors is not unheard of, but after they had great success with the Clipper chip it's usually done without the company in question knowing about it.

You say the excuse was to validate some implementation, but in that case Microsoft wouldn't need to publish any modified versions, the NSA would just point out "this contains too strong crypto, can't export this" or "you made a mistake in algo X allowing attack Y". Not "please substitute this dll with our version and better not tell your customers!".


You are reading too much into cududa’s comment and mine, quite a bit of things neither of us said.

Cududa mentioned Microsoft let the NSA review it - that it was procedure, not that it was law. Furthermore, no one claimed that NSA recommendations or replacement DLLs had to be used by law - though that makes little difference. I mentioned that this would be in line with well-known history of DES development. That’s basically all we said about it.

I have no idea what you are referring to with the Clipper chip. But RSA, NIST and others were definitely aware they were peddling NSA recommendations with the dual-drbg fiasco.



