Re: Lotus Notes 24-bit sellout

At 09:21 AM 4/12/96 -0700, Jerry Whiting wrote:
When Ray Ozzie announced the work reduction sellout at the RSA conference, both he and Ms Denning (whom I spoke with about it later) mentioned that there was something else in Lotus Notes 4 besides the 40+24 bit compromise.
My thought is that the NSA gave them something else in exchange for the mandatory escrow scheme they're all talking about publicly. Perhaps some other crypto code the NSA had lying around unused.
So looking for a common 24-bit subkey may reduce Notes' key to a 40-bit brute force exercise but the 40+24 is probably not ALL that's in Notes 4.
Definitely a deal with the Devil. Given that we're talking about IBM, not Lotus, none of this surprises me given IBM's Lucifer/DES history with spook input years ago. Then again, to be fair, I don't know if the 40+24 deal was cooked up before or after the IBM/Lotus merger.
What about the following idea, which I think might have been indirectly discussed a few months ago. Let's suppose "you" agreed with the NSA to limit their effort to 40 bits, and put 24 bits at the beginning of the file. The code to do this could be separated and highlighted and identified publicly, and a software patch could be engineered by somebody to NOP this stretch of code to death. The result is that those 24 bits simply don't appear; you've already gotten the export license. The NSA doesn't have any real reason to complain: _ANY_ program can be modified by suitably changing object code bit patterns. An even smaller change would be to put the number of bits to expose ("24") in a byte value ("00011000"), one that will be zeroed by a patch later on. I guess I'm not really suggesting this; I think that even appearing to come to some arrangement with the NSA is wrong. However, it would be an excellent way to give the finger to the NSA, because there is no way that they can ensure that a given program is "finagle-proof."
participants (1): jim bell