Re: Lotus Notes
I've been on the road since the RSA conference where the Notes crypto hack was
announced. Sorry to have missed the fun. To answer at least some of the
speculation on "how does it work", attached is a "Lotus Backgrounder" document
that was distributed at the RSA conference. Some of the speculation in this
group has had uncanny accuracy.

I'd also like to defend the Notes R4 approach. I hate export controls more than
most people, in part because I waste a lot of my time trying to figure out how
best to deal with them. While I think Notes is doing the right thing given the
current constraints, I can't help but be appalled by the current constraints.

I don't believe 40-bit crypto is a joke. Even if it costs NSA $0.25 to break a
40-bit RC4 key, and I'd speculate it costs them more than that, it means they
can't afford to do keyword searches on every encrypted message they can afford
to intercept (or at least they couldn't if everyone took the trouble to
encrypt). And with a separate 40-bit key on each of your mail messages, an
attacker may be able to break a few if he knows they are the good ones, but
it's painful to browse. That said, I would not expect anyone to get much
comfort from 40-bit crypto.

The Notes R4 approach gives the best of two fairly unpleasant worlds. You can
export crypto if you either limit yourself to 40 bits (which means anyone can
see it if they want it badly enough) or give the government the keys (through
escrow - which means the government and anyone else who can "break" the escrow
mechanism can see your stuff with no work at all). Notes R4 gives the
government part of the key, so they still have some work to do and other
attackers have a lot of work to do. This is not a good solution. It's not even
an acceptable solution. But it is a better solution than 40-bit crypto. And
it's enough better that I think it was worth the hassle it took to get it.

Notes R4 didn't give up anything to get this. It is expensive to have the
technical complexity of two different interoperable versions of the product,
and we could have said... gee, this is really good enough for everybody... why
don't we just sell the "International Edition" everywhere? We didn't. The
"North American Edition" (euphemistically named to reflect that it's also legal
in Canada) still uses real strong crypto.

The only valid criticism I've heard of the approach is that by making the best
of a bad situation, we've reduced the incentive for fundamental reform. That
may be true, but once an approach is known (and we aren't the only ones to have
thought of it - Adi Shamir's Partial Key Escrow proposal has similar
properties), declining to use it does not fuel the pleas for legislative
relief. In fact, it supports the argument that people don't even implement the
strongest crypto they are allowed... why should they be allowed more? I think
it is incumbent on all of us to do the best we can, for the brave to break the
law and risk going to jail, for the wimpy to squeeze every last bit out of the
allowed options, and for everyone to mouth off in risk-free forums like this one
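The "government gets part of the key" idea from the post, as an added toy simulation that is neither part of this message nor Lotus's code: a session key is generated, its top ESCROWED_BITS are sealed in an escrow field only the escrow agent can open, and brute-force recovery is then run with and without those bits to count how many trials each party needs. The parameters (16-bit key, 6 escrowed bits), the hash-based toy stream cipher, and sealing the field with an agent secret in place of public-key encryption are all assumptions chosen so it runs in seconds; the real product's key lengths are not stated in the post.

```python
import hashlib

# Toy parameters (assumption): small enough that exhaustive search finishes fast.
KEY_BITS = 16                                # full session key length
ESCROWED_BITS = 6                            # bits the escrow agent can read
WORKFACTOR_BITS = KEY_BITS - ESCROWED_BITS   # bits the agent must still search


def keystream(key: int, length: int) -> bytes:
    """Toy stream cipher: keystream is the hash of the integer key (not RC4)."""
    digest = hashlib.sha256(key.to_bytes(8, "big")).digest()
    return (digest * (length // 32 + 1))[:length]


def encrypt(key: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


def seal_escrow_field(key: int, agent_secret: bytes) -> int:
    """Hide the top ESCROWED_BITS of the key so only the agent can recover them.
    A shared secret stands in for encryption to the agent's public key."""
    pad = hashlib.sha256(agent_secret).digest()[0] & ((1 << ESCROWED_BITS) - 1)
    return (key >> WORKFACTOR_BITS) ^ pad


def open_escrow_field(field: int, agent_secret: bytes) -> int:
    pad = hashlib.sha256(agent_secret).digest()[0] & ((1 << ESCROWED_BITS) - 1)
    return field ^ pad


def brute_force(ciphertext: bytes, known_plaintext: bytes, known_top):
    """Return (key, trials). The agent (known_top given) searches only the
    remaining WORKFACTOR_BITS; an outsider (None) searches all KEY_BITS."""
    lo = 0 if known_top is None else known_top << WORKFACTOR_BITS
    hi = (1 << KEY_BITS) if known_top is None else lo + (1 << WORKFACTOR_BITS)
    n = len(known_plaintext)
    for trials, cand in enumerate(range(lo, hi), start=1):
        if encrypt(cand, ciphertext[:n]) == known_plaintext:
            return cand, trials
    raise ValueError("key not found")


def demo(key: int = 0xBEEF) -> dict:
    """Constructed message and key; compare the two parties' work."""
    agent_secret = b"constructed escrow agent secret"
    plaintext = b"known header bytes, then body"
    ct = encrypt(key, plaintext)
    top = open_escrow_field(seal_escrow_field(key, agent_secret), agent_secret)
    k_agent, t_agent = brute_force(ct, plaintext[:8], top)
    k_out, t_out = brute_force(ct, plaintext[:8], None)
    return {"agent_ok": k_agent == key, "agent_trials": t_agent,
            "outsider_ok": k_out == key, "outsider_trials": t_out,
            "agent_max": 1 << WORKFACTOR_BITS, "outsider_max": 1 << KEY_BITS}
```

Scaled up, the same arithmetic is the post's point: the escrow agent faces a search the size of an export-legal key while everyone else faces the full key space.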