CDR: Re: Lions and Tigers and Backdoors, oh, my...

Declan McCullagh declan at well.com
Wed Sep 27 22:08:38 PDT 2000


To respond to Ray's original message:

I'm also intrigued, but skeptical. Ray wrote:
> > Keywords to search by:  "Help field" (in quotes), PKI, NSA, "40 bits"
> > "Netscape" -- It's out there, mostly in smarmy self-congratulatory

I've done the searches and come up with nothing. What URL should I
be looking at?

I'm quite interested in exposing any wrongdoing here, both personally
and professionally. Check out my back articles
(http://www.wired.com/news/print/0,1294,21810,00.html) for stuff I've
written that's relevant here.

My PGP key is on the servers; Wired's phone number is in the Washington DC
phone book.

-Declan
Wired News



On Wed, Sep 27, 2000 at 09:27:07AM -0400, Trei, Peter wrote:
> Can you document this claim of the existence of 'help fields' in
> Netscape? I am (to put it mildly) astonished by this claim, and
> more than a little skeptical. I was aware of the Workfactor
> Reduction field in the export 'aka International' version of Lotus Notes
> (which this 'help field' seems identical to), but was not aware
> of it being included in any other application.
> 
> If you can document this, I'm seriously interested in following up.
> 
> Peter Trei
> Cryptoengineer
> RSA Security Inc.
> 
> ptrei at rsasecurity.com
> 
> 
> > ----------
> > From: 	Ray Dillinger[SMTP:bear at sonic.net]
> > Reply To: 	Ray Dillinger
> > Sent: 	Tuesday, September 26, 2000 8:37 PM
> > To: 	Michael Motyka
> > Cc: 	cypherpunks at cyberpass.net
> > Subject: 	Re: CDR: Re: Lions and Tigers and Backdoors, oh, my... 
> > 
> > 
> > 
> > On Tue, 26 Sep 2000, Michael Motyka wrote:
> > 
> > >
> > >From the article...
> > >
> > > Until recently the US government strictly controlled the strength of
> > > cryptography in software exported to different countries, in order
> > > to protect the government's ability to access and monitor
> > > communications data. The regulations were relaxed after pressure
> > > from industry but Madison believes that this may have driven the
> > > NSA to find ways to carry out surveillance. "They're not going to
> > > give in over exporting strong cryptography without getting
> > > something in return," he says. 
> > >
> > >I can't believe that they would voluntarily enter a period of weakened
> > >capabilities. My guess would be that he has the event ordering wrong.
> > 
> > Nope, he's got it right.  
> > 
> > There used to be, officially, a 40-bit key length limit on exportable 
> > software.  This made American software products with any crypto capacity 
> > ridiculously weak, to the point where anyone concerned about security 
> > would not use it -- the software industry was losing to foreign 
> > competition, and the quality of the intercepts was going down because 
> > everybody was wise to it and nobody who mattered to them was using it 
> > anymore. 
> > 
> > New policy:  The BXA approves export licenses for people who put all 
> > but the last 40 bits of the key in the headers or trailers somewhere, 
> > encrypted under a key that the NSA doubtless knows.  
> > 
> > Not that this is noised about too much.  Feature AOL saying "yes, we 
> > broke the encryption in Netscape starting after version 4.07..." not 
> > bloody likely.  
> > 
> > After a little security skirmish with my (now Ex)Bank, I discovered 
> > this about Netscape and Internet Explorer; both have "help fields" 
> > in their headers that facilitate cryptanalysis of SSL connections 
> > if you have the key to the help field.  
> > 
> > As far as I know, the same is true of all software that has BXA approval 
> > for downloadable status.  At least (name deleted -- a friend who works 
> > at netscape) confirmed that they couldn't get BXA approval for export, OR 
> > get anyone at BXA to tell them why not, except for vague wailing about 
> > "security considerations" until someone finally offered to put in a 
> > "help field".  
> > 
> > Anyway; people concerned about security from ordinary thieves can now 
> > be reassured because only the US gov't gets the juicy bits, and the 
> > Uber-theives at the US gov't are reassured because they are getting 
> > the juicy bits again now that most people think US products have "strong" 
> > crypto.
> > 
> > Don't get me started on this; I get so mad I can't see straight.
> > 
> > Keywords to search by:  "Help field" (in quotes), PKI, NSA, "40 bits"
> > "Netscape" -- It's out there, mostly in smarmy self-congratulatory 
> > tones about how "We are pleased to announce that Netscape is working 
> > with us and will be in compliance with the Public-Key Infrastructure" 
> > by (Date -- I forget the date, but it coincides with the release of 
> > Netscape 4.5). 
> > 
> > 			Ray
> > 
> > 
> > 
> 
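The mechanism Ray describes above (all but 40 bits of the session key shipped in a header, encrypted under a key the escrow holder knows), which Peter compares to the Workfactor Reduction Field in the international edition of Lotus Notes, modelled as a toy added here for illustration; it is not code from any poster or from Netscape, Lotus or any other product, and the 64/40 split, the HMAC-derived mask and the ESCROW_KEY value are constructed assumptions:

```python
"""Toy model of a 'help field' (workfactor-reduction field).

Constructed illustration: a 64-bit session key is split into 24 escrowed
bits and 40 residual bits. The escrowed bits are masked with a keystream
derived from ESCROW_KEY (standing in for the key the escrow holder knows)
and shipped alongside the message. Whoever holds ESCROW_KEY recovers those
24 bits for free and is left with a 2^40 search; everyone else still faces
the full 2^64 keyspace. This is why such a field is a backdoor, not a
weakening visible to third parties.
"""
import hashlib
import hmac
import os

KEY_BITS = 64
RESIDUAL_BITS = 40                       # bits the escrow holder must still brute-force
ESCROWED_BITS = KEY_BITS - RESIDUAL_BITS  # 24 bits handed over in the help field
ESCROW_KEY = b"constructed-escrow-key"    # placeholder, not any real escrow key


def _mask(nonce: bytes, escrow_key: bytes) -> int:
    """Per-message keystream for the escrowed bits, derived from the escrow key."""
    digest = hmac.new(escrow_key, nonce, hashlib.sha256).digest()
    return int.from_bytes(digest[: ESCROWED_BITS // 8], "big")


def make_help_field(session_key: bytes, nonce: bytes) -> bytes:
    """Build the help field: the top 24 key bits XOR the escrow-key keystream."""
    escrowed = int.from_bytes(session_key, "big") >> RESIDUAL_BITS
    return (escrowed ^ _mask(nonce, ESCROW_KEY)).to_bytes(ESCROWED_BITS // 8, "big")


def recover_escrowed_bits(help_field: bytes, nonce: bytes, escrow_key: bytes) -> int:
    """What the escrow-key holder learns from the header without any brute force."""
    return int.from_bytes(help_field, "big") ^ _mask(nonce, escrow_key)


def rebuild_key(escrowed: int, residual: int) -> bytes:
    """Combine the recovered escrowed bits with the (searched) residual bits."""
    return ((escrowed << RESIDUAL_BITS) | residual).to_bytes(KEY_BITS // 8, "big")


def remaining_workfactor_bits(has_escrow_key: bool) -> int:
    """Key bits left to search: 40 for the escrow holder, 64 for everyone else."""
    return RESIDUAL_BITS if has_escrow_key else KEY_BITS


def demo() -> tuple:
    """Round-trip a random key through the field and report both workfactors."""
    key, nonce = os.urandom(KEY_BITS // 8), os.urandom(16)
    escrowed = recover_escrowed_bits(make_help_field(key, nonce), nonce, ESCROW_KEY)
    residual = int.from_bytes(key, "big") & ((1 << RESIDUAL_BITS) - 1)
    assert rebuild_key(escrowed, residual) == key  # holder + 2^40 search = full key
    return remaining_workfactor_bits(True), remaining_workfactor_bits(False)
```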




