CDR: Re: Lions and Tigers and Backdoors, oh, my...

Trei, Peter ptrei at rsasecurity.com
Wed Sep 27 06:27:07 PDT 2000 

Can you document this claim of the existance of 'help fields' in
Netscape? I am (to put it mildly) astonished by this claim, and
more than a little skeptical. I was aware of the Workfactor
Reduction field in the export 'aka International' version of Lotus Notes
(which this 'help field' seems identical to), but was not aware
of it being included in any other application.

If you can document this, I'm seriously interested in following up.

Peter Trei
Cryptoengineer
RSA Security Inc.

ptrei at rsasecurity.com


> ----------
> From: 	Ray Dillinger[SMTP:bear at sonic.net]
> Reply To: 	Ray Dillinger
> Sent: 	Tuesday, September 26, 2000 8:37 PM
> To: 	Michael Motyka
> Cc: 	cypherpunks at cyberpass.net
> Subject: 	Re: CDR: Re: Lions and Tigers and Backdoors, oh, my... 
> 
> 
> 
> On Tue, 26 Sep 2000, Michael Motyka wrote:
> 
> >
> >>From the article...
> >
> > Until recently the US government strictly controlled the strength of
> > cryptography in software exported to different countries, in order
> > to protect the government's ability to access and monitor
> > communications data. The regulations were relaxed after pressure
> > from industry but Madison believes that this may have driven the
> > NSA to find ways to carry out surveillance. "They're not going to
> > give in over exporting strong cryptography without getting
> > something in return," he says. 
> >
> >I can't believe that they would voluntarily enter a period of weakend
> >capabilities. My guess would be that he has the event ordering wrong.
> 
> Nope, he's got it right.  
> 
> There used to be, officially, a 40-bit key length limit on exportable 
> software.  This made american software products with any crypto capacity 
> ridiculously weak, to the point where anyone concerned about security 
> would not use it -- the software industry was losing to foreign 
> competition, and the quality of the intercepts was going down because 
> everybody was wise to it and nobody who mattered to them was using it 
> anymore. 
> 
> New policy:  The BXA approves export licenses for people who put all 
> but the last 40 bits of the key in the headers or trailers somewhere, 
> encrypted under a key that the NSA doubtless knows.  
> 
> Not that this is noised about too much.  Feature AOL saying "yes, we 
> broke the encryption in Netscape starting after version 4.07..." not 
> bloody likely.  
> 
> After a little security skirmish with my (now Ex)Bank, I discovered 
> this about Netscape and Internet Explorer; both have "help fields" 
> in their headers that facilitate cryptanalysis of SSL connections 
> if you have the key to the help field.  
> 
> As far as I know, the same is true of all software that has BXA approval 
> for downloadable status.  At least (name deleted -- a friend who works 
> at netscape) confirmed that they couldn't get BXA approval for export, OR 
> get anyone at BXA to tell them why not, except for vague wailing about 
> "security considerations" until someone finally offered to put in a 
> "help field".  
> 
> Anyway; people concerned about security from ordinary theives can now 
> be reassured because only the US gov't gets the juicy bits, and the 
> Uber-theives at the US gov't are reassured because they are getting 
> the juicy bits again now that most people think US products have "strong" 
> crypto.
> 
> Don't get me started on this; I get so mad I can't see straight.
> 
> Keywords to search by:  "Help field" (in quotes), PKI, NSA, "40 bits"
> "Netscape" -- It's out there, mostly in smarmy self-congratulatory 
> tones about how "We are pleased to announce that Netscape is working 
> with us and will be in compliance with the Public-Key Infrastructure" 
> by (Date -- I forget the date, but it coincides with the release of 
> Netscape 4.5). 
> 
> 			Ray
> 
> 
>

More information about the cypherpunks-legacy mailing list