1998-07-08 - Re: Lotus Notes signature / encryption

Header Data

From: Charlie_Kaufman@iris.com
To: cypherpunks@toad.com
Message Hash: 0bd1879a85bba3524d488ac76a41590b62e15910af980e04cbd4a7e52d3d88ae
Message ID: <8525663B.005553FE.00@arista.iris.com>
Reply To: N/A
UTC Datetime: 1998-07-08 15:26:32 UTC
Raw Date: Wed, 8 Jul 1998 08:26:32 -0700 (PDT)

Raw message

From: Charlie_Kaufman@iris.com
Date: Wed, 8 Jul 1998 08:26:32 -0700 (PDT)
To: cypherpunks@toad.com
Subject: Re: Lotus Notes signature / encryption
Message-ID: <8525663B.005553FE.00@arista.iris.com>
MIME-Version: 1.0
Content-Type: text/plain


>Could someone kindly tell me about the drawbacks of the Lotus Notes
>signature / encryption system (export version)?

I guess my first question would be "compared to what?".

Compared to the Lotus Notes domestic version, the crypto is weaker
in two ways. First, there is a backdoor by which all but 40 bits of
each symmetric key is encrypted under a public key whose private half
is known to the U.S. government. This encrypted value is included in
all messages where the key is passed around. Depending on how you feel
about breaking 40 bit keys, this means it is somewhere between easy and
trivial for the U.S. government to eavesdrop on your communications.
It also uses 512 bit RSA keys for distribution of encryption keys,
which makes it attackable by attackers other than the U.S. government.
While no one has ever publicly demonstrated breaking a 512 bit RSA key
(last I heard), the workfactor is well understood and it's clearly
feasible (and in fact overdue).

Compared to exportable versions of S/MIME or SSL, the crypto is
considerably stronger. Against attackers other than the U.S. government
(and even a paranoid would admit there are other attackers to be
concerned about (e.g. the French government)), the workfactor to
attack the symmetric keys is 64 bits - a little shaky but not the
weakest link in most systems. Further, RSA signature keys are 630 bits,
which is better than most exportable systems.

Compared to non-exportable (but internationally available) systems, like
PGP and strong S/MIME and SSL, the crypto is substantially weaker.

Another aspect to consider is the strength of the PKI. Lotus Notes uses
an organizationally based PKI, meaning that to a large degree your
security depends on the trustworthiness and competence of your system
administrator. With PGP, your security is under your own control to a
much larger degree. For people who are more security aware than their
administrators (as most PGP users are), the PGP PKI offers better security.
For people who are less security aware than their administrators (as
most Lotus Notes users are), the Lotus Notes PKI offers better security.

Finally, a "drawback" that might be relevant to this group is the fact
that because the Lotus Notes export version has a key-escrow-like
backdoor, using it offers tacit political endorsement for the
U.S. government's contention that key escrow is a technically practical
compromise between the needs of users for privacy and the "needs" of
government to know all the secrets of everyone on the planet. In my
mind, this argues strongly in favor of using real strong crypto if
that is an option, but using weak crypto as an alternative is offering
tacit political endorsement for the even more dangerous contention that
weak crypto is good enough. Your mileage may vary.

     --Charlie Kaufman
     (charlie_kaufman@iris.com)
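
The differential work factor described in the message, as an added example that is not part of the original post and not Lotus Notes code: a scaled-down model in which the high bits of a session key travel encrypted under an escrow public key, so the holder of the private half searches only the remaining bits. The toy RSA parameters, the padding, the field layout and the hash standing in for the bulk cipher are all assumptions made for illustration.

```python
import hashlib
import secrets

# Toy RSA key pair standing in for the escrow key (constructed; far too small for real use).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the escrow party

def split_key(key, open_bits):
    """Split a session key into (escrowed high bits, unescrowed low bits)."""
    return key >> open_bits, key & ((1 << open_bits) - 1)

def make_escrow_field(high_bits, width):
    """Sender side: randomly pad the escrowed bits, then encrypt to the escrow public key."""
    padded = (secrets.randbits(24) << width) | high_bits  # 24 + width bits must stay below N
    return pow(padded, E, N)

def open_escrow_field(field, width):
    """Escrow party: decrypt with the private exponent and strip the padding."""
    return pow(field, D, N) & ((1 << width) - 1)

def tag(key, key_bits, block):
    """Stand-in for the bulk cipher: a keyed hash used as a known-plaintext check."""
    return hashlib.sha256(key.to_bytes((key_bits + 7) // 8, "big") + block).digest()[:8]

def recover(high_bits, open_bits, key_bits, block, target):
    """Exhaust only the unescrowed bits; return (key, trials used)."""
    for low in range(1 << open_bits):
        candidate = (high_bits << open_bits) | low
        if tag(candidate, key_bits, block) == target:
            return candidate, low + 1
    return None, 1 << open_bits

def work_factors(key_bits, open_bits):
    """Worst-case trial counts: (escrow-key holder, everyone else)."""
    return 1 << open_bits, 1 << key_bits

if __name__ == "__main__":
    KEY_BITS, OPEN_BITS = 20, 12  # scaled down from 64 and 40 so the search is instant
    WIDTH = KEY_BITS - OPEN_BITS
    key = secrets.randbits(KEY_BITS)
    high, _ = split_key(key, OPEN_BITS)
    field = make_escrow_field(high, WIDTH)
    target = tag(key, KEY_BITS, b"known header")
    found, trials = recover(open_escrow_field(field, WIDTH), OPEN_BITS, KEY_BITS,
                            b"known header", target)
    print(found == key, trials, "trials; full-size figures:", work_factors(64, 40))
```
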






