(From the SpyKing Security Mailing list) 2)From: Mike G <mgevaert@bfree.on.ca> Subject: Lotus Privacy Problems This was taken from the Computer Privacy Digest 1/4/98 V12#00 Very interesting. The Swedes discover Lotus Notes has key escrow! (Win Treese) The article describes the reaction when various people in the Swedish government learned that the Lotus Notes system they were using includes key escrow. They were apparently unaware of this until Notes was in use by thousands of people in government and industry. Besides being an interesting reaction to key escrow systems, this incident reminds us that one should understand the real security of a system.... Secret Swedish E-Mail Can Be Read by the U.S.A. Fredrik Laurin, Calle Froste, *Svenska Dagbladet*, 18 Nov 1997 One of the world's most widely used e-mail programs, the American Lotus Notes, is not so secure as most of its 400,000 to 500,000 Swedish users believe. To be sure, it includes advanced cryptography in its e-mail function, but the codes that protect the encryption have been surrendered to American authorities. With them, the U.S. government can decode encrypted information. Among Swedish users are 349 parliament members, 15,000 tax agency employees, as well as employees in large businesses and the defense department. ``I didn't know that our Notes keys were deposited (with the U.S.). It was interesting to learn this,'' says Data Security Chief Jan Karlsson at the [Swedish] our Notes keys were deposited (with the U.S.). It was interesting to learn this,'' says Data Security Chief Jan Karlsson at the [Swedish] defense department. Gunnar Grenfors, Parliament director and daily e-mail user, says, ``I didn't know about this--here we handle sensitive information concerning Sweden's interests, and we should not leave the keys to this information to the U.S. government or anyone else. This must be a basic requirement.'' Sending information over the Internet is like sending a postcard--it's that simple to read these communications. When e-mail is encrypted, it becomes unintelligible for anyone who captures it during transport. Only those who have the right codes or raw computer power to break the encryption can read it. For crime prevention and national security reasons, the United States has tough regulations concerning the level of crytography that may be exported. Both large companies and intelligence agencies can already--in a fractions of a second--break the simpler cryptographic protections. For the world-leading American computer industry, cryptographic export controls are therefore an ever greater obstacle. This slows down utilization of the Internet by businesses because companies outside the U.S.A. do not dare to send important information over the Internet. On the other hand, the encryption that may be used freely within the U.S.A. is substantially more secure. Lotus, a subsidiary of the American computer giant IBM, has negotiated a special solution to the problem. Lotus gets to export strong cryptography with the requirement that vital parts of the secret keys are deposited with the U.S. government. ``The difference between the American Notes version and the export version lies in degrees of encryption. We deliver 64 bit keys to all customers, but 24 bits of those in the version that we deliver outside of the United States are deposited with the American government. That's how it works today,'' says Eileen Rudden, vice president at Lotus. Those 24 bits are critical for security in the system. 40-bit encryption is broken by a fast computer in several seconds, while 64 bits is much more time-consuming to break if one does not have the 24 bits [table omitted]. Lotus cannot answer as to which authorities have received the keys and what rules apply for giving them out. The company has confidence that the American authorities responsible for this have full control over the keys and can ensure that they will not be misused. On the other hand, this (assurance) does not matter to Swedish companies. On the contrary, there is a growing understanding that it would be an unacceptable security risk to place the corporation's own ``master key'' in the hands of foreign authorities. Secret information can leak or be spread through, for example, court decisions in other countries. These concerns are demonstrated clearly in a survey by the SAF Trade and Industry security delegation. Some 60 companies answered the survey. They absolutely do not want keys deposited in the U.S.A. It is business secrets they are protecting. These corporations fear that anyone can get a hold of this information, states Claes Blomqvist at SAF. Swedish businesses are also afraid of leaks within the American authorities. The security chief at SKF, Lars Lungren, states: ``If one has a lawful purpose for having control over encryption, it isn't a problem. But the precept is flawed: They ought to monitor (internally), but the Americans now act as if there are no crooks working within their authorities.'' In some countries, intelligence agencies clearly have taken a position on their country's trade and industry. Such is the case in France. One example, which French authorities chose to publicize, was in 1995 when five CIA agents were deported after having spied on a French telecommunications company. Win Treese <treese@openmarket.com> [The Lotus Notes crypto scheme is one that I have familiarly been calling ``64 40 or fight!'' (in a reference to a slogan for an early U.S. election campaign border-dispute issue many years ago. PGN]