[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Hack Lotus?



-----BEGIN PGP SIGNED MESSAGE-----

In article <[email protected]>,
Alan Olsen <[email protected]> wrote:
> I am certain that comparisons between the export and non-export (with
> softice and other debugger-type software) will show some interesting things.

Hack Lotus?  Please do.

I would love to see the internals of how Lotus Notes does the escrow.
Every conceivable way I can see to do it seems very vulnerable to attack.

If the receiving Lotus Notes program doesn't check whether the high 24
bits have been escrowed correctly in the LEEF-like field, then a simple
hack to the sending Lotus Notes program to not send the LEEF field
should give foreigners true 64 bit encryption.

[LEEF = Law-enforcement / Espionage Exploitation Field = the RSA-encrypted
high 24 bits of the key]

If the receiving Lotus Notes program does verify that the high 24 bits
are escrowed correctly, then anyone can verify that, so in 2^24 trials,
I can recover the high 24 bits, and with 2^40 more trials, I can recover
the high 40 bits.  Therefore 2^40 + 2^24 trials should suffice to hack
Lotus if this is how it works.

Or maybe it works in some other crazy manner.

Waiting to hear the technical details of how it works,
- -- Dave Wagner
- ---
[This message has been signed by an auto-signing service.  A valid signature
means only that it has been received at the address corresponding to the
signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMP751yoZzwIn1bdtAQGvzgF/RPhioKYfwXcqHoDCwyyVHZFgyR26KQCz
swwAnSDPydO5jKFjFNK5XaM9XRh2Vi3a
=HLSf
-----END PGP SIGNATURE-----