Crippled Notes export encryption
-----BEGIN PGP SIGNED MESSAGE-----
- -- [ From: Alan Pugh * EMC.Ver #2.3 ] --
Since this is definitely on-list, and I haven't seen anything on it here yet, I'm posting the whole thing. Apologies for duplication.
Date: Wednesday, 17-Jan-96 04:23 PM
Subject: infoMCI FLASH - Lotus-Security - Lotus Announces C
[infoMCI FLASH] i n f o M C I F L A S H
infoMCI (sm) Lotus-Security - Lotus Announces Compromise for Export of Strong Encryption
By ELIZABETH WEISE AP Cyberspace Writer
SAN FRANCISCO (AP) _ Lotus Development Corp. announced a compromise with the federal government Wednesday that will allow it to put better security features into the international version of its Notes program.
While the arrangement assures the government it can access data under extreme circumstances, it represents an advance in the strength of security allowed in software exported from the United States.
Federal law prohibits the export of certain high-level encryption programs, which are defined as a munition under a Cold War-era arms control act.
Encryption programs take ordinary data and put it in secret form that cannot be accessed without the proper data ``key.'' The government's arbitrary standard for cracking encryption programs when needed is at a technical level described as ``40-bit.''
Some software programs sold in the United States, including Lotus Notes, now use stronger 64-bit encryption. Lotus has been under pressure to bring such security to Notes users overseas.
Although 40-bit encryption is quite strong, highly-sophisticated attacks using several computers have been able to break it recently.
``Our customers have basically lost confidence in 40-bit cryptography,'' said Ray Ozzie, president of Iris Associates, the unit of Lotus that developed Notes.
``That left us in a bind. We are the vendor that's supposedly selling a secure system to them and they are saying it's no good,'' Ozzie told a standing room audience at the RSA Data Security conference.
Changes in the general export laws seemed unlikely so Lotus negotiated an interim solution.
The export version of Lotus Notes 4.0, which went on sale last week, includes 64-bit encryption but the company has given the U.S. government a special code that unlocks the final 24 bits.
For companies that use the international version of Notes, it's as if Lotus put two strong locks on a door and gave a key for one to the U.S. government. Thieves have to break through two locks, the government only one.
``This protects corporate information from malicious crackers but permits the government to retain their current access,'' Ozzie said. He acknowledged the solution was only a compromise and said Lotus wants to see better data security methods developed worldwide.
However, many participants at the conference saw the move as a cosmetic answer to the tension between corporate desires for the best security and government's interest to access data when necessary.
``It's a useful stopgap measure that has no value in the long run,'' said Donn Parker, a senior security consultant with SRI International, a computer research company in Menlo Park, Calif.
Simson Garfinkel, author and computer security expert, said he's not sure international buyers of Notes will like the solution.
``Foreign companies don't want the U.S. government to spy on their data any more than the U.S. government wants foreign companies to be able to spy on theirs,'' Garfinkel said.
International Business Machines Corp. bought Lotus in July, citing the success of Notes, a sophisticated communications and database program.
AP-DS-01-17-96 1619EST
(66413)
*** End of story ***
- --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMP2KdioZzwIn1bdtAQGdegF9GVCEfL50vWd7e5XX/mKEnzGy5YGvW0iD
rNPCmz3Xxf3h9wOVJMLrCeDGwe4/m84g
=6jpa
-----END PGP SIGNATURE-----
Alan Pugh wrote:
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|Vincent S. Gunville
|Robbins-Gioia
|209 Madison St Email vingun@rgalex.com
|Alexandria, Va 22309
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
How long before someone posts a patch to break the "feature" that does this?
--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
participants (4)
- Alan Pugh
- David Lesher
- Perry E. Metzger
- Vincent S. Gunville