Can you document this claim of the existence of 'help fields' in Netscape? I am (to put it mildly) astonished by this claim, and more than a little skeptical. I was aware of the Workfactor Reduction field in the export 'aka International' version of Lotus Notes (which this 'help field' seems identical to), but was not aware of it being included in any other application. If you can document this, I'm seriously interested in following up.

Peter Trei
Cryptoengineer
RSA Security Inc.
ptrei@rsasecurity.com
----------
From: Ray Dillinger[SMTP:bear@sonic.net]
Reply To: Ray Dillinger
Sent: Tuesday, September 26, 2000 8:37 PM
To: Michael Motyka
Cc: cypherpunks@cyberpass.net
Subject: Re: CDR: Re: Lions and Tigers and Backdoors, oh, my...
On Tue, 26 Sep 2000, Michael Motyka wrote:
From the article...
Until recently the US government strictly controlled the strength of cryptography in software exported to different countries, in order to protect the government's ability to access and monitor communications data. The regulations were relaxed after pressure from industry but Madison believes that this may have driven the NSA to find ways to carry out surveillance. "They're not going to give in over exporting strong cryptography without getting something in return," he says.
I can't believe that they would voluntarily enter a period of weakened capabilities. My guess would be that he has the event ordering wrong.
Nope, he's got it right.
There used to be, officially, a 40-bit key length limit on exportable software. This made American software products with any crypto capacity ridiculously weak, to the point where anyone concerned about security would not use it -- the software industry was losing to foreign competition, and the quality of the intercepts was going down because everybody was wise to it and nobody who mattered to them was using it anymore.
New policy: The BXA approves export licenses for people who put all but the last 40 bits of the key in the headers or trailers somewhere, encrypted under a key that the NSA doubtless knows.
Not that this is noised about too much. Feature AOL saying "yes, we broke the encryption in Netscape starting after version 4.07..." not bloody likely.
After a little security skirmish with my (now Ex)Bank, I discovered this about Netscape and Internet Explorer; both have "help fields" in their headers that facilitate cryptanalysis of SSL connections if you have the key to the help field.
As far as I know, the same is true of all software that has BXA approval for downloadable status. At least (name deleted -- a friend who works at Netscape) confirmed that they couldn't get BXA approval for export, OR get anyone at BXA to tell them why not, except for vague wailing about "security considerations" until someone finally offered to put in a "help field".
Anyway; people concerned about security from ordinary thieves can now be reassured because only the US gov't gets the juicy bits, and the Uber-thieves at the US gov't are reassured because they are getting the juicy bits again now that most people think US products have "strong" crypto.
Don't get me started on this; I get so mad I can't see straight.
Keywords to search by: "Help field" (in quotes), PKI, NSA, "40 bits" "Netscape" -- It's out there, mostly in smarmy self-congratulatory tones about how "We are pleased to announce that Netscape is working with us and will be in compliance with the Public-Key Infrastructure" by (Date -- I forget the date, but it coincides with the release of Netscape 4.5).
Ray