From: bglassle@kaiwan.com (Bob Glassley)
To: Charlie Kaufman/Iris <Charlie_Kaufman/Iris.IRIS@iris.com>
Message Hash: 4272e86b98f92cccd0c76b0ba6002c6e933b2c02efe00d88782fb937f5ea0559
Message ID: <199511110613.WAA18615@kaiwan.kaiwan.com>
Reply To: <9511102035.AA6927@moe.iris.com>
UTC Datetime: 1995-11-13 09:13:41 UTC
Raw Date: Mon, 13 Nov 1995 17:13:41 +0800
From: bglassle@kaiwan.com (Bob Glassley)
Date: Mon, 13 Nov 1995 17:13:41 +0800
To: Charlie Kaufman/Iris <Charlie_Kaufman/Iris.IRIS@iris.com>
Subject: Re: Lotus Notes RSA Implementation Question
In-Reply-To: <9511102035.AA6927@moe.iris.com>
Message-ID: <199511110613.WAA18615@kaiwan.kaiwan.com>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
On 10 Nov 95 11:15:42 EDT, Charlie Kaufman wrote:
>>1) What is the key size used by the USA licensed version?
>>
>Notes V3 (the one currently deployed) uses 512 bit RSA keys in both the USA
>and exportable versions. Notes V4 (currently in Beta) uses 512 bit RSA keys for
>encryption in the exportable version and bigger keys for signatures in all
>versions and for encryption in the USA version. I'm not sure I'm allowed to say
>what the key size will be ahead of the product shipping.
I would assume since they are using a key size >40 bit, it is used for
authentication only, not for data encrytion, that would skirt the ITAR
regs. If fact according to the docs, there is no data encryption when
connecting to an international version server, regardless of the
client version.
I would assume that a >512 bit key in V4 would allow upwards of 1024
or better. That should be sufficient for now.
>>2) Considering RC4 is a proprietary scheme, have there been any
>>concerted efforts to validate it's strength or lack of? If so, could
>>you give a pointer to any documents I could review.
>>
>There has been considerable discussion of the security of RC4 on this list, and
>some subtle (i.e. worrisome but not disasterous) weaknesses have been
>found. Lotus Notes' use of RC4 is not subject to the weaknesses disclosed
>to date because it does not encrypt recognizable plaintext with the first few
>bytes of the RC4 stream.
My understanding was that the problems exposed with RC4 that you
mentioned, were with the particular implemenation by Netscape. I
guess I better go back to the archive and do some reading. :-)
Thanks, for the info.
Bob Glassley
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMKQ+hW7xvKhVs/sNAQFgfgP+Jekr28ZImaynnvuEpbZu5imS0Jm8bPwQ
iDw0ZIcF23ngSjb1Z4srt9cSJmL1zV2dEFyxSlXs7CWzBmlw8dSCvz6ArftetRYY
aYe1qwt+bXpGMWplQKUOG/dNk/n52sn1mHNPEJoj/V4G4iAXfDoOokL+zdSJ1Cbk
LuFl+F1M/Zc=
=FHxS
-----END PGP SIGNATURE-----
Return to November 1995
Return to “Jeff Weinstein <jsw@netscape.com>”