1996-01-21 - Re: Hack Lotus?

Header Data

From: daw@quito.CS.Berkeley.EDU (David A Wagner)
To: cypherpunks@toad.com
Message Hash: 611d9ecae70b4405ebe9f803538691c6b1cc3bea2567a2d0288cbe33b26fa8af
Message ID: <199601212142.QAA06506@bb.hks.net>
Reply To: N/A
UTC Datetime: 1996-01-21 21:45:22 UTC
Raw Date: Sun, 21 Jan 96 13:45:22 PST

Raw message

From: daw@quito.CS.Berkeley.EDU (David A Wagner)
Date: Sun, 21 Jan 96 13:45:22 PST
To: cypherpunks@toad.com
Subject: Re: Hack Lotus?
Message-ID: <199601212142.QAA06506@bb.hks.net>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

In article <9601200326.AA09366@toad.com>, Peter Trei <trei@process.com> wrote:
> > > If they're nasty, they'll check on the receiving side as well, to
> > > ensure that the LEAF and/or the espionage-enabling key have not been
> > > patched in the sending 'International' version.
> > 
> > Nearly impossible. Why? Because they can only include the public key,
> > and not the private key, of the GAK authority in the code. You can
> > encrypt the three bytes of key, but it is very hard for a receiver
> > other than the govvies to read them. There is no shared secret
> > information or private information available, ergo, they can't check
> > their LEAF equivalent.
> 
> Think it through. 
   [suggesting that Alice encrypts 24 bits of key under NSA's public key,
    Bob repeats calculation and checks that the two LEAFS are the same]
> Thus, you can prevent a non-complying copy  of Lotus from talking to 
> a complying copy of Lotus, which is one of the goals of the GAKers.

No, you're wrong, the process you've described does not work.

Note that RSA normally is used as probabilistic encryption: encrypt the
same plaintext twice, and you'll likely get two different ciphertexts.
Thus, if RSA is used in the normal probabilistic way, the receiver can't
tell whether the sender was compliant.

Now you might suggest that the sender should not include probabilistic
padding, and use RSA deterministically, so that (somehow) the receiver
can check whether those 24 bits are correct.  That again won't work,
since a third-party eavesdropper will be able to do a 2^24 brute force
calculation to recover those 24 bits.

There are complicated ways to prevent a non-compliant copy of Lotus from
inter-operating with a compliant copy (as others on cypherpunks have kindly
pointed out), but they are complicated, and would require a re-design of
Lotus Notes' encryption module.  Since the export version is interoperable
with the non-export version, this would seem to require too much foresight
and work to be very likely.

In any event, I've heard that the export version of Lotus Notes 4 always
sends a LEAF, but the receiver never checks it.  So I think a simple binary
patch to change the NSA's public key should work.

P.S.  So does anyone know how large the NSA's public LEAF key is?
- ---
[This message has been signed by an auto-signing service.  A valid signature
means only that it has been received at the address corresponding to the
signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMQKzSyoZzwIn1bdtAQF/zAGAxODShPqrBQLsWzRVAkW7+jbVJidQIF5q
1Jyisn2EedTQoBLHnZD7ojnmws807XZK
=bRAO
-----END PGP SIGNATURE-----





Thread