Friday, September 3, 1999 Published at 22:18 GMT 23:18 UK


Sci/Tech

Windows 'back door' security alert

Cryptographers mark up code for a new key found in Windows

By Internet Correspondent Chris Nuttall

Cryptographers are sounding the alarm on a major security issue involving Microsoft Windows that could eclipse its Hotmail public relations disaster.


The BBC's Kathy Riddell: "This has set alarms bells ringing"
The findings of a computer security expert that America's National Security Agency (NSA) may have been given a back door into every copy of Windows 95, 98, NT4 and 2000 worldwide are being debated across the Internet.

Microsoft has issued a strong denial of allegations of misuse of a second encryption "key" in Windows.

"These are just used to ensure that we're compliant with US export regulations," said Scott Culp, Microsoft's security manager for its Windows NT Server software.

"We have not shared the private keys. We do not share our keys."

But cryptographers in the UK described the implications of the findings as "immense". Windows is installed on more than 90% of the world's computers.

Second key for Windows

Andrew Fernandes, Chief Scientist at the Ontario-based Cryptonym Corporation, is credited with discovering the identity of a second key used by Windows for encryption purposes.


The BBC's Chris Nuttall: "Windows is used on 90% of the world's computers"
Caspar Bowden, director of London-based Internet think-tank FIPR, said: "The allegation is that every copy of Windows contains an extra 'magic number' which would permit it to work with encryption modules designed by the US National Security Agency, as well as those approved by Microsoft."

The approval mechanism was introduced to ensure that the weak encryption in non-US versions of Windows could not be replaced with stronger software without it being checked against a "key" embedded in Windows, proving that it had been digitally signed off by Microsoft.

Two years ago, cryptographers found an alternative, and apparently superfluous, second embedded key. The new details came to light through debugging information erroneously left in the latest service pack for Windows NT.

Significantly, the key carries the data tag "_NSAKEY", giving rise to speculation that the NSA persuaded Microsoft to give it special access to Windows in a secret deal.

Microsoft says it called its function an "NSA key" because the body reviews technical details for the export of data-scrambling software.

MS talked with NSA

It is known that Microsoft negotiated with the NSA on including encryption in its product. The export of strong encryption is banned by the Clinton administration, which fears terrorists and other criminals could turn it against the US.

There are two theories on why this unnecessary second key is included in Windows:

  • Conspiracy theorists say the key can be used to infiltrate targeted computers. It gives the NSA a direct way of doing this without having to use Microsoft's own key.

  • A more charitable theory is that Microsoft allowed the NSA a special key to secure the thousands of government computers running Windows.

"The innocent explanation is that the US wished to create bespoke encryption modules for official use on government systems without reference to Microsoft," said Mr Bowden.

"Ironically, introducing the second key has created a major security loophole in a mechanism which was designed to enforce US export controls on strong cryptography."

Microsoft suffered serious embarrassment on Monday when hackers exposed a simple way of breaking into the mailboxes of more than 40 million users of its Hotmail e-mail service.


