Lotus Notes

[Charlie_Kaufman/Iris.IRIS at iris.com]

I've been on the road since the RSA conference where the Notes crypto hack was 
announced. Sorry to have missed the fun. To answer at least some of the 
speculation on "how does it work", attached is a "Lotus Backgrounder" document 
that was distributed at the RSA conference. Some of the speculation in this 
group has had uncanny accuracy.

I'd also like to defend the Notes R4 approach. I hate export controls more than 
most people, in part because I waste a lot of my time trying to figure out how 
best to deal with them. While I think Notes is doing the right thing given the 
current constraints, I can't help but be appalled by the current constraints.

I don't believe 40-bit crypto is a joke. Even if it costs NSA $.25 to break a 
40-bit RC4 key, and I'd speculate it costs them more than that, it means they 
can't afford to do keyword searches on every encrypted message they can afford 
to intercept (or at least they couldn't if everyone took the trouble to 
encrypt). And with a separate 40 bit key on each of your mail messages, an 
attacker may be able to break a few if he knows they are the good ones, but 
it's painful to browse. That said, I would not expect anyone to get much 
comfort from 40 bit crypto.

The Notes R4 approach gives the best of two fairly unpleasant worlds. You can 
export crypto if you either limit yourself to 40 bits (which means anyone can 
see it if they want it badly enough) or give the government the keys (through 
escrow - which means the government and anyone else who can "break" the escrow 
mechanism can see your stuff with no work at all). Notes R4 gives the 
government part of the key, so they still have some work to do and other 
attackers have a lot of work to do. This is not a good solution. It's not even 
an acceptable solution. But it is a better solution than 40 bit crypto. And 
it's enough better that I think it was worth the hassle it took to get it.

Notes R4 didn't give up anything to get this. It is expensive to have the 
technical complexity of two different interoperable versions of the product, 
and we could have said... gee, this is really good enough for everybody... why 
don't we just sell the "International Edition" everywhere? We didn't. The 
"North American Edition" (euphemistically named to reflect that it's also legal 
in Canada) still uses real strong crypto.

The only valid criticism I've heard of the approach is by making the best of a 
bad situation, we've reduced the incentive for fundamental reform. That may be 
true, but once an approach is known (and we aren't the only ones to have 
thought of it - Adi Shamir's Partial Key Escrow proposal has similar 
properties), declining to use it does not fuel the pleas for legislative 
relief. In fact, it supports the argument that people don't even implement the 
strongest crypto they are allowed... why should they be allowed more? I think 
it is incumbent on all of us to do the best we can, for the brave to break the 
law and risk going to jail, for the wimpy to squeeze every last bit out of the 
allowed options, and for everyone to mouth off in risk-free forums like this one