
Re: Lotus Notes RSA Implementation Question


On 10 Nov 95 11:15:42 EDT, Charlie Kaufman wrote:

>>1)  What is the key size used by the USA licensed version?
>Notes V3 (the one currently deployed) uses 512 bit RSA keys in both the USA
>and exportable versions. Notes V4 (currently in Beta) uses 512 bit RSA keys for
>encryption in the exportable version and bigger keys for signatures in all
>versions and for encryption in the USA version. I'm not sure I'm allowed to say
>what the key size will be ahead of the product shipping.

I would assume since they are using a key size >40 bit, it is used for
authentication only, not for data encryption, that would skirt the ITAR
regs.  In fact according to the docs, there is no data encryption when
connecting to an international version server, regardless of the
client version.

I would assume that a >512 bit key in V4 would allow upwards of 1024
or better.  That should be sufficient for now.

>>2)  Considering RC4 is a proprietary scheme, have there been any
>>concerted efforts to validate its strength or lack of?  If so, could
>>you give a pointer to any documents I could review.
>There has been considerable discussion of the security of RC4 on this list, and
>some subtle (i.e. worrisome but not disastrous) weaknesses have been
>found. Lotus Notes' use of RC4 is not subject to the weaknesses disclosed
>to date because it does not encrypt recognizable plaintext with the first few
>bytes of the RC4 stream.

My understanding was that the problems exposed with RC4 that you
mentioned were with the particular implementation by Netscape.  I
guess I better go back to the archive and do some reading. :-)

Thanks for the info.

Bob Glassley
