fwd: The Swedes discover Lotus Notes has key escrow! (Win Treese)

[Ray Arachelian <sunder@brainlink.com>]

(From the SpyKing Security Mailing list)

2)From: Mike G <mgevaert@bfree.on.ca>
Subject: Lotus Privacy Problems

This was taken from the Computer Privacy Digest 1/4/98 V12#00

Very interesting.

The Swedes discover Lotus Notes has key escrow! (Win Treese)

The article describes the reaction when various people in the Swedish
government learned that the Lotus Notes system they were using includes
key escrow.   They were apparently unaware of this until Notes was in
use by thousands of people in government and industry.

Besides being an interesting reaction to key escrow systems, this
incident reminds us that one should understand the real security of a
system....

  Secret Swedish E-Mail Can Be Read by the U.S.A.  
  Fredrik Laurin, Calle Froste, *Svenska Dagbladet*, 18 Nov 1997

One of the world's most widely used e-mail programs, the American Lotus
Notes, is not so secure as most of its 400,000 to 500,000 Swedish users
believe.  To be sure, it includes advanced cryptography in its e-mail
function, but the codes that protect the encryption have been
surrendered to American authorities.  With them, the U.S. government
can decode encrypted information.  Among Swedish users are 349
parliament members, 15,000 tax agency employees, as well as employees
in large businesses and the defense department.  ``I didn't know that
our Notes keys were deposited (with the U.S.).  It was interesting to
learn this,'' says Data Security Chief Jan Karlsson at the [Swedish]
our Notes keys were deposited (with the U.S.).  It was interesting to
learn this,'' says Data Security Chief Jan Karlsson at the [Swedish]
defense department.  Gunnar Grenfors, Parliament director and daily
e-mail user, says, ``I didn't know about this--here we handle sensitive
information concerning Sweden's interests, and we should not leave the
keys to this information to the U.S. government or anyone else.  This
must be a basic requirement.''

Sending information over the Internet is like sending a postcard--it's
that simple to read these communications.  When e-mail is encrypted, it
becomes unintelligible for anyone who captures it during transport.
Only those who have the right codes or raw computer power to break the
encryption can read it.  For crime prevention and national security
reasons, the United States has tough regulations concerning the level
of crytography that may be exported.  Both large companies and
intelligence agencies can already--in a fractions of a second--break
the simpler cryptographic protections.  For the world-leading American
computer industry, cryptographic export controls are therefore an ever
greater obstacle.  This slows down utilization of the Internet by
businesses because companies outside the U.S.A. do not dare to send
important information over the Internet.  On the other hand, the
encryption that may be used freely within the U.S.A. is substantially
more secure.

Lotus, a subsidiary of the American computer giant IBM, has negotiated
a special solution to the problem.  Lotus gets to export strong
cryptography with the requirement that vital parts of the secret keys
are deposited with the U.S. government.  ``The difference between the
American Notes version and the export version lies in degrees of
encryption.  We deliver 64 bit keys to all customers, but 24 bits of
those in the version that we deliver outside of the United States are
deposited with the American government.  That's how it works today,''
says Eileen Rudden, vice president at Lotus.

Those 24 bits are critical for security in the system.  40-bit
encryption is broken by a fast computer in several seconds, while 64
bits is much more time-consuming to break if one does not have the 24
bits [table omitted].  Lotus cannot answer as to which authorities have
received the keys and what rules apply for giving them out.  The
company has confidence that the American authorities responsible for
this have full control over the keys and can ensure that they will not
be misused.

On the other hand, this (assurance) does not matter to Swedish
companies.  On the contrary, there is a growing understanding that it
would be an unacceptable security risk to place the corporation's own
``master key'' in the hands of foreign authorities.  Secret information
can leak or be spread through, for example, court decisions in other
countries.  These concerns are demonstrated clearly in a survey by the
SAF Trade and Industry security delegation.  Some 60 companies answered
the survey.  They absolutely do not want keys deposited in the U.S.A.
It is business secrets they are protecting.  These corporations fear
that anyone can get a hold of this information, states Claes Blomqvist
at SAF.

Swedish businesses are also afraid of leaks within the American
authorities.  The security chief at SKF, Lars Lungren, states: ``If one
has a lawful purpose for having control over encryption, it isn't a
problem.  But the precept is flawed: They ought to monitor
(internally), but the Americans now act as if there are no crooks
working within their authorities.''

In some countries, intelligence agencies clearly have taken a position
on their country's trade and industry.  Such is the case in France.
One example, which French authorities chose to publicize, was in 1995
when five CIA agents were deported after having spied on a French
telecommunications company.

Win Treese <treese@openmarket.com>

  [The Lotus Notes crypto scheme is one that I have familiarly been
  calling ``64 40 or fight!'' (in a reference to a slogan for an early
  U.S. election campaign border-dispute issue many years ago.  PGN]