Silly Shrinkwrapped Encryption
Could someone poke through Lotus Notes with a debugger and see exactly how this "giving 24 bits to the government" is implemented?
Most commercial software simply introduces redundancy in order to limit the keyspace to 40 bits, regardless of the advertised length of the key. This claim that they deliver 64 bits of key to the customer seems a bit bogus.
Of course, they could have done something clever, like generating a completely random 64 bit key, and then encrypting 24 bits of it with a giant government-owned RSA public key, and including this additional information with each message. However, it seems unlikely that they would employ such strong encryption for message recovery, while offering only 64 bits for message encryption.
Is Lotus Notes encryption documented anywhere? Are the differences between the export and domestic versions disclosed to overseas customers?
--
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"
To follow up my prior message...
I managed to find a document entitled "Security in Lotus Notes and the Internet" on the Web.
It describes the weakening procedure as follows.
"No matter which version of Notes you are using, encryption uses the full 64-bit key size. However, the International edition takes 24 bits of the key and encrypts it using an RSA public key for which the US National Security Agency holds the matching private key. This encrypted portion of the key is then sent with each message as an additional field, the workfactor reduction field. The net result of this is that an illegitimate hacker has to tackle 64-bit encryption, which is at or beyond the practical limit for current decryption technology and hardware. The US government, on the other hand, only has to break a 40-bit key space, which is much easier (2 to the power of 24 times easier, to be precise)."
Would anyone care to extract the modulus and exponent for the NSA's Lotus Notes helper key and post it to this newsgroup?
--
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"
At 11:30 AM -0800 1/6/98, Eric Cordian wrote:
> Could someone poke through Lotus Notes with a debugger and see exactly how this "giving 24 bits to the government" is implemented?
> Most commercial software simply introduces redundancy in order to limit the keyspace to 40 bits, regardless of the advertised length of the key. This claim that they deliver 64 bits of key to the customer seems a bit bogus.
> Of course, they could have done something clever, like generating a completely random 64 bit key, and then encrypting 24 bits of it with a giant government-owned RSA public key, and including this additional information with each message. However, it seems unlikely that they would employ such strong encryption for message recovery, while offering only 64 bits for message encryption.
> Is Lotus Notes encryption documented anywhere? Are the differences between the export and domestic versions disclosed to overseas customers?
Ray Ozzie, founder of Iris, the company which developed Notes and sold it to Lotus, discussed his "40 + 24" hack a couple of years ago. It was met with much derision in the community. (He sent me a nice letter explaining his motivations for the 40 + 24 hack, but I was of course unconvinced. BTW, my recollection was that they were trying to get the industry to adopt this as a way of satisfying _domestic_ calls for GAK, not just for export to those dumb Swedes :-}).
--Tim May
The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
At 11:49 AM -0800 1/6/98, Eric Cordian wrote:
> I managed to find a document entitled "Security in Lotus Notes and the Internet" on the Web.
> It describes the weakening procedure as follows.
> "No matter which version of Notes you are using, encryption uses the full 64-bit key size. However, the International edition takes 24 bits of the key and encrypts it using an RSA public key for which the US National Security Agency holds the matching private key. This encrypted portion of the key is then sent with each message as an additional field, the workfactor reduction field. The net result of this is that an illegitimate hacker has to tackle 64-bit encryption, which is at or beyond the practical limit for current decryption technology and hardware. The US government, on the other hand, only has to break a 40-bit key space, which is much easier (2 to the power of 24 times easier, to be precise)."
It seems to me that if you step on the correct part of the message, you zap the encrypted 24 bits, and cut NSA out of the loop. Of course the receiver could notice and refuse to decrypt, which would require some software hacking to defeat, but that is certainly doable.
-------------------------------------------------------------------------
Bill Frantz       | One party wants to control | Periwinkle -- Consulting
(408)356-8506     | what you do in the bedroom,| 16345 Englewood Ave.
frantz@netcom.com | the other in the boardroom.| Los Gatos, CA 95032, USA
Bill Frantz writes:
> It seems to me that if you step on the correct part of the message, you zap the encrypted 24 bits, and cut NSA out of the loop. Of course the receiver could notice and refuse to decrypt, which would require some software hacking to defeat, but that is certainly doable.
Yes - I doubt if Lotus Notes has the ability to distinguish between messages containing ASCII for "FUD" in the workfactor reduction field and those containing 24 genuine bits of the key in question. It's probably a one-instruction patch to disable Big Brother.
As I recall, the LEAF field in Clipper suffered from a similar ability to be disabled at the user's pleasure.
--
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"
In <v0311070eb0d8be53e6a8@[207.94.249.133]>, on 01/07/98 at 12:10 AM, Bill Frantz <frantz@netcom.com> said:
> At 11:49 AM -0800 1/6/98, Eric Cordian wrote:
>> I managed to find a document entitled "Security in Lotus Notes and the Internet" on the Web.
>> It describes the weakening procedure as follows.
>> "No matter which version of Notes you are using, encryption uses the full 64-bit key size. However, the International edition takes 24 bits of the key and encrypts it using an RSA public key for which the US National Security Agency holds the matching private key. This encrypted portion of the key is then sent with each message as an additional field, the workfactor reduction field. The net result of this is that an illegitimate hacker has to tackle 64-bit encryption, which is at or beyond the practical limit for current decryption technology and hardware. The US government, on the other hand, only has to break a 40-bit key space, which is much easier (2 to the power of 24 times easier, to be precise)."
> It seems to me that if you step on the correct part of the message, you zap the encrypted 24 bits, and cut NSA out of the loop. Of course the receiver could notice and refuse to decrypt, which would require some software hacking to defeat, but that is certainly doable.
Wouldn't it be much better just to not use the crap?!?
Why should we give our money to a company that has shown that they will sell us out at the first chance of making a buck doing so??
--
---------------------------------------------------------------
William H. Geiger III http://users.invweb.net/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html
---------------------------------------------------------------
Bill Frantz <frantz@netcom.com> writes:
[lotus notes 24+40 GAK design]
> It seems to me that if you step on the correct part of the message, you zap the encrypted 24 bits, and cut NSA out of the loop. Of course the receiver could notice and refuse to decrypt, which would require some software hacking to defeat, but that is certainly doable.
Well if that were all they were doing you could just fill it with random numbers, or encrypt the wrong 24 bits of random data with the NSA's public key, etc. and the receiving software couldn't tell without access to DIRNSA's private GAKking key.
However, I figure that they could do this... encrypt to the recipient and include in the GAK packet the RSA padding used to encrypt the 24 bits. The recipient gets the 24 bits anyway because he can decrypt the main recipient field; with the padding he can re-create the RSA encrypted GAK packet.
Not that we want to help the GAKkers or anything :-)
Still as you say even that would likely be a single byte patch or whatever to skip the test.
Also as William notes, don't use the crap -- it's only 64 bits anyway even for non-export version, and their reputed motives in smoothing a path to domestic GAK, and even in buying into the KRAP program might be enough to move some to boycott them even if their crypto key sizes were reasonable, which they are not.
Adam
--
Now officially an EAR violation... Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
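The recipient-side check sketched in the message above, as an added example that is not part of the original thread and is not Lotus code. It assumes a constructed toy RSA key in place of the escrow key, that the escrowed 24 bits are the top 24 of the 64-bit key, and a 96-bit padding; every function name is hypothetical.

```python
import secrets

# Constructed toy RSA public key standing in for the escrow key.
# Not a real key and far too small to be secure; illustration only.
N = (2**61 - 1) * (2**89 - 1)   # product of two Mersenne primes
E = 65537
PAD_BITS = 96                   # assumed padding length

def escrow_bits(session_key: int) -> int:
    """The 24 key bits given to the escrow holder (assumed: top 24 of 64)."""
    return session_key >> 40

def rsa_block(bits24: int, padding: int) -> int:
    """Deterministic RSA encryption of padding || 24 bits under (N, E)."""
    return pow((padding << 24) | bits24, E, N)

def make_field(session_key: int):
    """Sender: build the workfactor reduction field. The padding is returned
    so it can travel inside the part encrypted to the recipient."""
    padding = secrets.randbits(PAD_BITS)
    return rsa_block(escrow_bits(session_key), padding), padding

def verify_field(session_key: int, padding: int, field: int) -> bool:
    """Recipient: having recovered the session key and the padding, re-create
    the field with the public key alone and compare it with what arrived."""
    return rsa_block(escrow_bits(session_key), padding) == field

def demo():
    key = secrets.randbits(64)
    field, padding = make_field(key)
    honest = verify_field(key, padding, field)
    # A field overwritten with random data, or built from the wrong 24 bits,
    # no longer matches the re-created value.
    garbage = verify_field(key, padding, secrets.randbits(120))
    wrong_bits = verify_field(key, padding,
                              rsa_block(escrow_bits(key) ^ 1, padding))
    return honest, garbage, wrong_bits

if __name__ == "__main__":
    print(demo())
```

Without the padding the recipient has nothing to compare against, which is the point made at the start of the message: a randomized RSA ciphertext cannot be checked by anyone who lacks the private key.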
At 10:36 AM -0800 1/7/98, William H. Geiger III wrote:
> at 12:10 AM, Bill Frantz <frantz@netcom.com> said:
>> At 11:49 AM -0800 1/6/98, Eric Cordian wrote:
>>> I managed to find a document entitled "Security in Lotus Notes and the Internet" on the Web.
>>> It describes the weakening procedure as follows.
>>> "No matter which version of Notes you are using, encryption uses the full 64-bit key size. However, the International edition takes 24 bits of the key and encrypts it using an RSA public key for which the US National Security Agency holds the matching private key. This encrypted portion of the key is then sent with each message as an additional field, the workfactor reduction field. The net result of this is that an illegitimate hacker has to tackle 64-bit encryption, which is at or beyond the practical limit for current decryption technology and hardware. The US government, on the other hand, only has to break a 40-bit key space, which is much easier (2 to the power of 24 times easier, to be precise)."
>> It seems to me that if you step on the correct part of the message, you zap the encrypted 24 bits, and cut NSA out of the loop. Of course the receiver could notice and refuse to decrypt, which would require some software hacking to defeat, but that is certainly doable.
> Wouldn't it be much better just to not use the crap?!?
> Why should we give our money to a company that has shown that they will sell us out at the first chance of making a buck doing so??
I don't plan on using it, but the Swedes have a bit of an installed base problem.
-------------------------------------------------------------------------
Bill Frantz       | One party wants to control | Periwinkle -- Consulting
(408)356-8506     | what you do in the bedroom,| 16345 Englewood Ave.
frantz@netcom.com | the other in the boardroom.| Los Gatos, CA 95032, USA
On Wed, 7 Jan 1998, Bill Frantz wrote:
> I don't plan on using it, but the Swedes have a bit of an installed base problem.
Lotus made no secret of their GAK implementation in Notes. If the Swedish government bought Notes anyway, they have only themselves and the incompetence of their IS people to blame.
Now they have to scrap a recently fielded system. Tough luck. Better solutions than Notes were out there and easily found by the most casual buyer.
-- Lucky Green <shamrock@cypherpunks.to> PGP v5 encrypted email preferred.
"Tonga? Where the hell is Tonga? They have Cypherpunks there?"
> Lotus made no secret of their GAK implementation in Notes. If the Swedish government bought Notes anyway, they have only themselves and the incompetence of their IS people to blame.
> Now they have to scrap a recently fielded system. Tough luck. Better solutions than Notes were out there and easily found by the most casual buyer.
People buy Notes for the databases - the mail is just a freebie for most, a bit like the radio in your car. The mail's not even very good (adequate at most). Anyone know if the databases are encrypted with the same GAK scheme?
participants (7): Adam Back, Bill Frantz, Eric Cordian, Ian Sparkes, Lucky Green, Tim May, William H. Geiger III