
Crippled Notes export encryption



-----BEGIN PGP SIGNED MESSAGE-----

- -- [ From: Alan Pugh * EMC.Ver #2.3 ] --

Since this is definitely on-list, and I haven't seen 
anything on it here yet, I'm posting the whole thing. 
Apologies for duplication.

Date: Wednesday, 17-Jan-96 04:23 PM

Subject: infoMCI FLASH - Lotus-Security - Lotus Announces C

[infoMCI FLASH]
                                i n f o M C I  F L A S H

infoMCI (sm)
Lotus-Security - Lotus Announces Compromise for Export of Strong
Encryption

By ELIZABETH WEISE
AP Cyberspace Writer

SAN FRANCISCO (AP) _ Lotus Development Corp. announced a
compromise with the federal government Wednesday that will allow it
to put better security features into the international version of
its Notes program.

While the arrangement assures the government it can access data
under extreme circumstances, it represents an advance in the
strength of security allowed in software exported from the United
States.

Federal law prohibits the export of certain high-level
encryption programs, which are defined as a munition under a Cold
War-era arms control act.

Encryption programs take ordinary data and put it in secret form
that cannot be accessed without the proper data ``key.'' The
government's arbitrary standard for cracking encryption programs
when needed is at a technical level described as ``40-bit.''

Some software programs sold in the United States, including
Lotus Notes, now use stronger 64-bit encryption. Lotus has been
under pressure to bring such security to Notes users overseas.

Although 40-bit encryption is quite strong, highly-sophisticated
attacks using several computers have been able to break it
recently.

``Our customers have basically lost confidence in 40-bit
cryptography,'' said Ray Ozzie, president of Iris Associates, the
unit of Lotus that developed Notes.

``That left us in a bind. We are the vendor that's supposedly
selling a secure system to them and they are saying it's no good,''
Ozzie told a standing room audience at the RSA Data Security
conference.

Changes in the general export laws seemed unlikely so Lotus
negotiated an interim solution.

The export version of Lotus Notes 4.0, which went on sale last
week, includes 64-bit encryption but the company has given the U.S.
government a special code that unlocks the final 24 bits.

For companies that use the international version of Notes, it's
as if Lotus put two strong locks on a door and gave a key for one
to the U.S. government. Thieves have to break through two
locks, the government only one.

``This protects corporate information from malicious crackers
but permits the government to retain their current access,'' Ozzie
said. He acknowledged the solution was only a compromise and said
Lotus wants to see better data security methods developed
worldwide.

However, many participants at the conference saw the move as a
cosmetic answer to the tension between corporate desires for the
best security and government's interest to access data when
necessary.

``It's a useful stopgap measure that has no value in the long
run,'' said Donn Parker, a senior security consultant with SRI
International, a computer research company in Menlo Park, Calif.

Simson Garfinkel, author and computer security expert, said he's
not sure international buyers of Notes will like the solution.

``Foreign companies don't want the U.S. government to spy on
their data any more than the U.S. government wants foreign
companies to be able to spy on theirs,'' Garfinkel said.

International Business Machines Corp. bought Lotus in July,
citing the success of Notes, a sophisticated communications and
database program.

AP-DS-01-17-96 1619EST

  (66413)

*** End of story ***




- ---
[This message has been signed by an auto-signing service.  A valid signature
means only that it has been received at the address corresponding to the
signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMP2KdioZzwIn1bdtAQGdegF9GVCEfL50vWd7e5XX/mKEnzGy5YGvW0iD
rNPCmz3Xxf3h9wOVJMLrCeDGwe4/m84g
=6jpa
-----END PGP SIGNATURE-----