1998-01-08 - Re: Silly Shrinkwrapped Encryption

Header Data

From: Bill Frantz <frantz@netcom.com>
To: “William H. Geiger III” <whgiii@invweb.net>
Message Hash: f68079f3cfe08efddc709a3d1cc3172a9223082257518546df0221febc108ad7
Message ID: <v03110710b0d9f850d94d@[207.94.249.133]>
Reply To: <v0311070eb0d8be53e6a8@[207.94.249.133]>
UTC Datetime: 1998-01-08 06:03:03 UTC
Raw Date: Thu, 8 Jan 1998 14:03:03 +0800

Raw message

From: Bill Frantz <frantz@netcom.com>
Date: Thu, 8 Jan 1998 14:03:03 +0800
To: "William H. Geiger III" <whgiii@invweb.net>
Subject: Re: Silly Shrinkwrapped Encryption
In-Reply-To: <v0311070eb0d8be53e6a8@[207.94.249.133]>
Message-ID: <v03110710b0d9f850d94d@[207.94.249.133]>
MIME-Version: 1.0
Content-Type: text/plain



At 10:36 AM -0800 1/7/98, William H. Geiger III wrote:
>   at 12:10 AM, Bill Frantz <frantz@netcom.com> said:
>
>>At 11:49 AM -0800 1/6/98, Eric Cordian wrote:
>>>I managed to find a document entitled "Security in Lotus Notes and the
>>>Internet" on the Web.
>>>
>>>It describes the weakening procedure as follows.
>>>
>>>  "No matter which version of Notes you are using, encryption uses the
>>>   full 64-bit key size. However, the International edition takes 24 bits
>>>   of the key and encrypts it using an RSA public key for which the US
>>>   National Security Agency holds the matching private key. This
>>>   encrypted portion of the key is then sent with each message as an
>>>   additional field, the workfactor reduction field. The net result of
>>>   this is that an illegitimate hacker has to tackle 64-bit encryption,
>>>   which is at or beyond the practical limit for current decryption
>>>   technology and hardware. The US government, on the other hand, only
>>>   has to break a 40-bit key space, which is much easier (2 to the power
>>>   of 24 times easier, to be precise)."
>
>>It seems to me that if you step on the correct part of the message, you
>>zap the encrypted 24 bits, and cut NSA out of the loop.  Of course the
>>receiver could notice and refuse to decrypt, which would require some
>>software hacking to defeat, but that is certainly doable.
>
>Wouldn't it be much better just to not use the crap?!?
>
>Why should we give our money to a company that has shown that they will
>sell us out at the first chance of making a buck doing so??

I don't plan on using it, but the Swedes have a bit of an installed base
problem.


-------------------------------------------------------------------------
Bill Frantz       | One party wants to control | Periwinkle -- Consulting
(408)356-8506     | what you do in the bedroom,| 16345 Englewood Ave.
frantz@netcom.com | the other in the boardroom.| Los Gatos, CA 95032, USA







Thread