
"Peter Trei" writes:
I suspect that Lotus has not completely reworked its security system for the international version, and that they are in fact doing a second public key operation on the 3 bytes of GAK'd data.
Likely.
If they're nasty, they'll check on the receiving side as well, to ensure that the LEAF and/or the espionage-enabling key have not been patched in the sending 'International' version.
Nearly impossible. Why? Because they can only include the public key, and not the private key, of the GAK authority in the code. You can encrypt the three bytes of key, but it is very hard for a receiver other than the govvies to read them. There is no shared secret information or private information available, ergo, they can't check their LEAF equivalent.
Think it through.
1. Alice generates session key K
2. encrypts with Bob's public key, producing Epb(K)
3. extracts 24 bits of K to make K'
4. encrypts with Eve's (spy) public key, producing Epe(K')
5. encrypts message under K, producing EsK(M)
6. sends EsK(M), Epb(K), Epe(K') to recipient (and possibly Eve)
7. Bob's copy of lotus decrypts Epb(K), recovering K
8. Bob's copy of lotus repeats steps 4 & 5 above, and checks if its version of Epe(K') matches the one sent.
9. If it does, decrypt EsK(M), and give it to Bob. If it does not, send a copy to the NSA, blowing the whistle on Alice, who's running a hacked copy.
Thus, you can prevent a non-complying copy of Lotus from talking to a complying copy of Lotus, which is one of the goals of the GAKers.
This is likely where the flaw in the scheme is -- it should be trivial to drop another public key in place of the government one and foil the entire thing with minimal effort. All will look normal until someone tries to use the GAK private key.
Of course, I'll point out that 64 bit RC4 keys are still not particularly heartwarming...
Granted, but we don't know if they use RC4, DES, or what.
Perry
Peter Trei
Senior Software Engineer
Purveyor Development Team
Process Software Corporation
http://www.process.com
trei@process.com

Hello "Peter Trei" <trei@process.com> and <perry@piermont.com>, cypherpunks@toad.com, trei@process.com
P.T. writes:
"Peter Trei" writes: ...
If they're nasty, they'll check on the receiving side as well, to ...
Nearly impossible. Why? Because they can only include the public key, ...
1. Alice generates session key K
2. encrypts with Bob's public key, producing Epb(K)
3. extracts 24 bits of K to make K'
4. encrypts with Eve's (spy) public key, producing Epe(K')
...
Eeek! That gives 2^24 possible plaintext/ciphertext pairs. Trivial to brute. 3 should be: extracts 24 bits of K and concatenates it with H(K) to make K', where H is a strong one-way hash.
Hope that makes sense...
Jiri
--
If you want an answer, please mail to <jirib@cs.monash.edu.au>. On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)
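An added simulation of the step list quoted above and of Jiri's H(K) fix; this is my own code, not code from the thread or from Lotus. It stands in for the product's public-key operation with toy textbook RSA on constructed Mersenne-prime keys and uses SHA-256 as the assumed H, which is enough to show that the receiving-side check needs only the GAK authority's public key, and that without the hash the Epe(K') field can take at most 2^24 distinct values.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy textbook-RSA key from two primes (constructed; demo sizes, not secure)."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def rsa_enc(key, m):
    """Textbook RSA: deterministic, no random pad (the case the thread discusses)."""
    return pow(m, key["e"], key["n"])

def rsa_dec(key, c):
    return pow(c, key["d"], key["n"])

# Constructed key pairs from Mersenne primes: Bob is the recipient, Eve the GAK authority.
BOB = make_key((1 << 61) - 1, (1 << 89) - 1)
EVE = make_key((1 << 107) - 1, (1 << 127) - 1)
EVE_PUBLIC = {"n": EVE["n"], "e": EVE["e"]}   # all that a shipped client can embed

def leaf(k, hashed=False):
    """Step 3: K' = top 24 bits of the 64-bit K; hashed=True appends H(K) (Jiri's fix)."""
    kp = k >> 40
    if hashed:
        h = hashlib.sha256(k.to_bytes(8, "big")).digest()[:8]  # H(K), 64-bit truncation for the toy modulus
        kp = (kp << 64) | int.from_bytes(h, "big")
    return kp

def alice_send(k, gak_key=EVE_PUBLIC, hashed=False):
    """Steps 2-6: Epb(K) and Epe(K'). EsK(M) is omitted; it plays no part in the check."""
    return rsa_enc(BOB, k), rsa_enc(gak_key, leaf(k, hashed))

def bob_check(epb_k, epe_kp, hashed=False):
    """Steps 7-9: recover K, recompute Epe(K') from Eve's PUBLIC key only, compare."""
    k = rsa_dec(BOB, epb_k)
    return k, rsa_enc(EVE_PUBLIC, leaf(k, hashed)) == epe_kp

def leaf_ciphertexts_collide(k1, k2, hashed=False):
    """Unhashed: two K sharing their top 24 bits give the same Epe(K'), so the field has
    at most 2^24 values. With H(K) folded in, the same two keys no longer collide."""
    return alice_send(k1, hashed=hashed)[1] == alice_send(k2, hashed=hashed)[1]

if __name__ == "__main__":
    k1, k2 = 0xDEADBEEF00000001, 0xDEADBEEFFFFFFFFF   # constructed keys sharing top 24 bits
    print(bob_check(*alice_send(k1)))                   # complying sender passes the check
    print(bob_check(*alice_send(k1, gak_key=BOB)))      # sender with a swapped-in key fails it
    print(leaf_ciphertexts_collide(k1, k2), leaf_ciphertexts_collide(k1, k2, hashed=True))
```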

"Peter Trei" writes:
Think it through. [...] 8 Bob's copy of lotus repeats steps 4 & 5 above, and checks if its version of Epe(K') matches the one sent.
Hmm, it could, but it isn't going to be trivial unless the thing is running straight RSA without a random pad. If it isn't randomly padding, then it is possible to make a table of the 2^24 possible encryptions and break traffic without knowing the RSA key the government uses. It would require about 16GB of storage, granted, but that isn't exactly impossible in today's world -- that only costs about $4000. It would also require a lot of CPU, but not an impossible amount, and the investment would be one time. Given such a table properly indexed, you could crack any passing key just by indexing to find out three bytes of the 64 bit key and then go after the other 40 in fairly short order. That would make a new "Hack IBM" (Lotus is owned by them) promotion on C2 rather fun! If they are randomly padding, then they would have to send the pad along, presumably encrypted under the RC4 key or under Bob's RSA key. Someone has to deconstruct the code. At this point, we are starting to fly off into the world of speculation.
Of course, I'll point out that 64 bit RC4 keys are still not particularly heartwarming...
Granted, but we don't know if they use RC4, DES, or what.
They are RC4 if they haven't changed that part of the design.
Perry
Participants (3): Jiri Baum, Perry E. Metzger, Peter Trei