Hello, 1st off please don't publish my name on your site. I'm too lazy to set up another cheesy mail acct. Today I downloaded cryptography/nsa/lotus.notes.backdoor.txt from your site. I have a close friend who is a developer for Iris (the people who make Notes for Lotus). I sent him the file I downloaded and asked him what the deal was, and here's his response:

Here's the necessary info to truly understand the issue here: a speech by Ray Ozzie and Charlie Kaufman's white paper on the topic.

What it comes down to is that Notes provides superior exportable encryption technology when compared to other US products on the market. For anyone (but the NSA) to crack our international encryption keys they must crack a 64 bit key, the same as with a US encryption key. In the international version we take 24 of the 64 bit encryption key and encrypt the 24 bits with the NSA's public key and send it, encrypted strongly, along with the encrypted message. This means the NSA can decrypt with their key and have 24 of the 64 bit key. They still have to break the remaining 40 bits. 40 bit key encryption has been the max for exportable encryption and that is what all other US exportable encryption providers allow. That limit has just been raised to 56 bits and we are incorporating that as I type.

In the worst case, where the NSA's private key is compromised, the 40 bit portion of the key still must be cracked. So we haven't weakened the security of international encryption, but actually made it equal to the US security (to everyone but the NSA). We are proud of this arrangement because we have found a way to make Notes as secure as the US government will allow for our international customers. If we hadn't used this technique all of the international Notes encrypted data would be encrypted with only a 40 bit key. As it stands, the 64 bit key used in both US and international encryption is extremely secure.
It's too bad the author of this article chose to attack Lotus Notes without considering the options the US government provides. We could have just shipped 40 bit encryption like MS, Netscape, etc. and left our international customers with weak encryption, but we didn't. Oh well, you can't make everyone understand this confusing and frustrating stuff. I hope this helps.

-

*** Prepared Remarks of Ray Ozzie,
*** President of Iris Associates
*** an affiliate of Lotus Development Corporation
*** Delivered at opening of the RSA Data Security Conference '96
*** SAN FRANCISCO, Jan. 17, 1996 --

As we're all painfully aware, the U.S. government continues to maintain that cryptography should be classified and controlled as a munition of war -- and for good historical reason: Some of cryptography's finest hours have been during past wars. From the government's standpoint, the export controls implied by munitions classification must be working very well, since there has been no mass-deployed worldwide cryptography, most general communications is still in cleartext, and no world of unbreakable crypto has emerged.

In the meantime, while we're preoccupied by protecting the flow of bits across borders, trouble is brewing. Criminals don't recognize borders but operate in one wild-and-woolly network. Crackers are able to attack targets halfway around the world with no fear of prosecution. Exceptionally smart people in Eastern Europe crack financial systems in New York. Everywhere you look, bright, clever people are breaking into communication systems, industrial control systems, transportation systems, health care systems -- anything and everything that's controlled by networked computers. And as you know, this isn't a theoretical problem, or just a problem with clever people stealing money from banks; it's a "clear and present danger" that's a direct result of our having moved into the information age without adequately securing our information and our global information systems.
This is not just an issue of signals intelligence or of Title III wiretaps or of lost software industry profits; this is a public safety issue. One of these days, someone is going to bring down an airliner somewhere in the world, or cause a train wreck, or destabilize an economy, by breaking into an information system through the worldwide net. And it may be something that we could have prevented, if we had been making more casual and widespread use of cryptography.

And that's why I, and a number of you, spend so much time trying to change the system -- trying to educate, to help convince the U.S. Government to liberalize export controls, to allow our customers worldwide to have access to good security, to protect themselves against the threats present on the worldwide networks.

To be sure, the customers are getting more and more astute. Due in large part to the press surrounding the cracking of a few 40-bit RC4 keys last year, our customers have lost confidence in 40-bit crypto. They told us that, if we were going to continue to market 40-bit Lotus Notes overseas, we should stop marketing it as a secure system -- that we should start to call it "data scrambling" or "data masking" instead of encryption. And so we have continued to lobby, arguing that the benefits of substantially better exportable crypto outweigh the risks.

The government's response? Well, their latest proposal might -- in theory -- allow us to ship a 64-bit product overseas so long as it had third-party key escrow features built in. We talked to our customers about the administration's proposal, and the answer was very clear: our customers have said a resounding "no" to key escrow in Lotus Notes. They simply don't like the notion that they can't compute the additional risk and liability introduced by a third party holding the keys to unlock their data.

Well, that left us in a bind.
We need to provide better security for our international customers, but the government's proposal was clearly unacceptable to them. And because I didn't see a "silver bullet" solution -- or general export relief -- in the cards, I began looking for an interim solution that might allow us to ship a more secure product in the short term, while we continued to argue for substantial revision of national cryptography policy.

And after months of negotiation, I'm here to announce that we have found a short-term workaround to the problem, which I hope you will find to be an interesting, new development in the area of cryptography as it pertains to export controls. While this is a very tough issue, and while I personally believe that a world of widespread cryptography is truly inevitable, the name of the game right now is to find a compromise solution that satisfies the stated needs of the U.S. Government, while still providing good information security. This is just such a compromise.

Lotus Notes Release 4, which is now shipping, utilizes a new method of security that we're referring to as "Differential Workfactor Cryptography." It is a conceptually simple solution that addresses two problems at the same time: First, it protects sensitive corporate information from most malicious crackers far more effectively than previously exported products; second, it permits the government to retain its current level of access to encrypted information carried by U.S. products overseas. No more access, no less access.

As you know, the U.S. government has defined its "maximum tolerance level" for exportable unescrowed cryptography at 40 bits. That is, because they generally permit the export of 40-bit products, the U.S. government is clearly already willing to deal with a 40-bit work factor in order to examine encrypted communications outside of this country.
So, the system that we're shipping in Lotus Notes Release 4 overseas is one that presents different work factors to different parties, hence the name. Against crackers -- against the run-of-the-mill adversary trying to break a message -- the work factor is 64 bits, just like it is in the U.S. That is, in the new International Edition of Lotus Notes, bulk data keys are now 64 bits just as they are in our North American Edition that's sold in the U.S. and Canada. But when the U.S. Government needs access to a communications stream overseas encoded by the international edition of Lotus Notes, they are no worse off -- and no better off -- than they are today: they have to crack 40 bits.

So how can this be true, when the work factor is 64 bits for non-governmental adversaries? It's pretty simple. We asked the government to generate a special RSA key pair, and to make known their RSA Public Key. We asked them to keep their private key classified, compartmentalized -- as secret as they'd keep the keys to their own military and diplomatic communication systems -- and to never disclose it to anyone. Then, we changed Notes so that whenever the product generates an encrypted 64-bit bulk data key, bound to that key is a small package -- a "workfactor reduction field" -- containing 24 bits of the bulk data key encrypted with the U.S. government's public key. So the U.S. government has exclusive access to 24 of the 64 bits. That's 64 bits against the cracker, 40 bits for the government.

And, of course, this version of Notes is fully interoperable with the North American Edition of Notes, the only version that we sell in the United States. In the North American Edition, as always, keys generated for communications within the U.S. and Canada aren't subject to any kind of work factor reduction. And both the North American Edition and the International Edition are shipping today.
We are very pleased that we are now able to offer this increased level of security to our overseas customers. And I encourage you out there -- product designers and developers who are in a similar bind -- to offer stronger confidentiality features to your customers in your exported products by taking advantage of our already having negotiated export approval for this Differential Workfactor implementation.

But please make no mistake about it: We fully recognize that this is a compromise solution. This is not a panacea. This is not the "silver bullet" that addresses all needs. We continue to argue vigorously that global and national economic security, domestic law enforcement related to information security crimes, and personal privacy concerns would all be served well by the rapid and broad, worldwide proliferation of good, strong, high-grade cryptography. And we continue to push for a complete and public review of national cryptography policy.

But we relish the fact that, in today's highly-charged political climate surrounding the issue of cryptography, we were able to negotiate a solution that increases information security for our worldwide customers. By throwing another potential solution into the mix -- by leading the way for others by clearing its export approval -- we hope that this stirs debate related to national cryptography policy. A debate that is both global and local in nature; a debate that, with your help, we can hopefully bring to the attention of the U.S. public.

Updated: 01/17/96 01:14:15 PM

***
*** White Paper by Charlie Kaufman, distributed at the RSA '96 conference
***

Differential Workfactor Cryptography
Charlie Kaufman
Security Architect
Iris Associates
January 17, 1996

Abstract:

This document describes the technical approach behind the exportable strong cryptography included in Lotus Notes Release 4 (International Edition). Current U.S. export regulations generally prohibit the export of cryptographic software that uses keys larger than 40 bits, but advances in processor technology make breaking 40 bit keys by exhaustive search practical for a growing collection of potential attackers. In a novel scheme we sometimes refer to as 64/40, we provide the cryptographic strength of 64 bit keys against most attackers while, to comply with export regulations, we make the workfactor for breaking the system equivalent to only 40 bits for the U.S. government. We do that by encrypting 24 of the 64 bits under a public RSA key provided by the U.S. government and binding the encrypted partial key to the encrypted data.

Background:

As we're all painfully aware, the U.S. government continues to maintain that cryptography should be classified and controlled as a munition of war. There is a long historical basis for this - some of cryptography's finest hours have been during the wars of the past. And while some would argue that export controls are a sham because many foreign governments impose no such restrictions and we participate in an international marketplace, by one very important measure export controls have been a success: no mass-deployed worldwide cryptography has emerged and most general communications is still in cleartext.

But while the government has been successfully defending its ability to spy, trouble has been brewing. Criminals don't recognize borders - there's only one wild and woolly network. Crackers are able to attack targets halfway around the world with no fear of prosecution. Smart people in Eastern Europe crack financial systems in New York. Everywhere you look, bright clever people are breaking into communication systems, industrial control systems, transportation systems, health care systems, anything and everything that's controlled by networked computers.
This is not a theoretical problem, or just a problem with clever people stealing money from banks; it's a clear and present danger that's a direct result of the fact that we've moved into the information age without adequately securing our global information systems.

Lotus Notes has been a pioneer in providing transparent strong RSA based cryptography in its product offering. It went to great lengths to provide the strongest protection legally permissible. There is an International Edition that complies with export regulations and a domestic edition that does not (called the North American Edition because it is legally available in the U.S. and Canada). In the International Edition, users use two RSA key pairs - one used to protect data integrity and authentication and another (shorter) one to protect data confidentiality, because only data confidentiality key sizes are regulated by export controls. Full interoperability between the North American and International Editions is achieved by having the two ends negotiate down to the largest key size that both ends support. This design came at no small cost, but it was the only way we could deliver the best security possible to each of our customers given the existing regulatory climate. Differential Workfactor Cryptography is another innovation in the direction of giving our customers the best security we can while continuing to oppose the regulations that make the complexity necessary.

How it works:

The idea behind Differential Workfactor Cryptography is simple; whenever a bulk data key is created, a 64 bit random number is chosen. If the use of that key is one involving data confidentiality and the International Edition of Notes, 24 of the bits are encrypted under a public RSA key that was provided to us by the U.S. government and the result - called a Workfactor Reduction Field - is bound into the encrypted data.
There is no Workfactor Reduction Field in data used only by the domestic edition of Notes, and there is none for keys that are not used for data confidentiality (e.g. those used for authentication). If an attacker wanted to break into a Notes system based on information obtained by eavesdropping, he would have to exhaustively search a 64 bit key space. Even the U.S. government would face this workfactor because there is no Workfactor Reduction Field in keys used for authentication. An attacker who wanted to read an encrypted document that was either read from a server or eavesdropped from the wire would face a 64 bit workfactor. But if the U.S. government needed to decrypt such a document it could obtain 24 of the bits using its private key and the Workfactor Reduction Field and then exhaustively search a 40 bit key space.

Tamper resistance:

You might wonder what's to prevent someone from deleting the Workfactor Reduction Field from a document or the setup protocol of a network connection. This is similar to the problem faced in the Clipper design to assure that the LEAF field was not removed from a conversation. In a software only implementation, it is not possible to prevent tampering entirely. The easiest form of tampering would be to smuggle the North American Edition CD out of the U.S. or pass it to someone over the Internet. The best a software implementation can do in terms of tamper resistance is to make it impossible to remove the Workfactor Reduction Field without modifying both the source of the data and the destination. This can be done by having the destination check for the presence of the Workfactor Reduction Field and refuse to decrypt the data if it is not there or not correct. The destination can't decrypt the Workfactor Reduction Field to check it, but knowing the bulk data key and the government public key, it can regenerate the WRF and compare the result with the supplied value.
RSA has the convenient property that the same value encrypted twice produces the same result; it would be somewhat more complex (but still possible) to duplicate this functionality with other public key algorithms. [Note: for this to work, the random pad that was used in creating the WRF must be delivered to the recipient of the message. For it to be secure, it must be delivered encrypted, since a clever attacker who knew the pad could do 2^24 trial encryptions to get 24 bits of the key and then do 2^40 trial decryptions to recover the rest.]

Frequently Asked Questions:

Q: Does this mean that the International Edition of Lotus Notes Release 4 is just as secure as the North American Edition against someone who does not know the U.S. Government's key?

A: Almost. There are factors other than the 64 and 40 bit secret keys. The International Edition is still limited to 512 bit RSA keys when they are used for data confidentiality. The North American Edition uses 630 bit RSA keys in this context. While 512 bit RSA keys are considerably more secure than 40 bit secret keys, they are not as secure as 64 bit keys, so in both cases it would be more cost effective to attack the RSA keys than to attack the secret keys. In considering the security of the International Edition, users must also assess the likelihood that an attacker might learn the government's private key either by breaking through the government's protective mechanisms or by breaking the single RSA key. If either were to happen, the International Edition would become only as secure as other 40 bit products.

Q: Does Lotus also have a copy of the private key used to reduce the workfactor from 64 to 40 bits?

A: No. The U.S. government generated the RSA key and supplied us with the public component. We never had access to the private component (which made debugging this thing a real joy!).

Q: How is this scheme different from Key Escrow?

A: While one goal may be the same - to provide exportable strong cryptography - there are differences with respect to security, functionality, and administrative convenience. It is more secure than Key Escrow in that even if third parties misbehave, there remains a substantial workfactor in breaking each individual message. It may be more or less secure than Key Escrow depending on the policies of the holder of the U.S. government key compared to the policies of possible Key Escrow agents. It is less functional than some Key Escrow proposals because it is impractical to use this facility to recover lost keys. And it is more administratively convenient than key escrow because there is no communication with third parties necessary as part of setup. Notes is secure 'out of the box'.

Q: Does this scheme address law enforcement concerns within the U.S. (i.e. should it be considered an alternative to Clipper)?

A: No. In only one way does this scheme address the Law Enforcement interests of either U.S. or foreign governments: better information security helps Law Enforcement to guard against information-related crimes. As indicated by our continuing to go to considerable expense to maintain both domestic and international editions, we continue to oppose any limits on domestic use of strong cryptography.
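The construction described in the white paper's "How it works" and "Tamper resistance" sections (and its bracketed note about the random pad) is easy to see end to end in a small model. The following Python is an added example written for this page; it is not Iris or Lotus code and does not reflect the actual Notes message formats. It assumes a toy "government" RSA key pair built from two small primes, a 15-bit pad (size chosen so pad and partial key fit one toy modulus), and a SHA-256 keystream standing in for the real bulk cipher; all of those are constructed for illustration. What it shows is the paper's structure: 64-bit bulk key, the low 24 bits encrypted under the public key as the Workfactor Reduction Field, the recipient regenerating the WRF (textbook RSA is deterministic) and refusing to decrypt on mismatch, the pad travelling encrypted under the bulk key so an outsider cannot run the 2^24 trial-encryption shortcut the note warns about, and the residual workfactor of 40 bits for the private-key holder versus 64 for everyone else.

```python
"""Toy model of the Workfactor Reduction Field (WRF) from Lotus Notes R4 International.

Constructed example, not Iris/Lotus code: tiny RSA modulus, SHA-256 keystream in
place of the real bulk cipher, and toy field sizes. Only the structure follows
the white paper.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Tuple

BULK_KEY_BITS = 64   # bulk data key size in both editions (from the paper)
WRF_BITS = 24        # bits of the bulk key disclosed through the WRF (from the paper)
PAD_BITS = 15        # random pad folded into the RSA plaintext (toy size, an assumption)

# Toy "government" RSA key pair (constructed; a real one would be far larger).
# p and q are the first two primes above 10**6, so n is about 2**40: enough room
# for a (pad || partial key) plaintext of PAD_BITS + WRF_BITS = 39 bits.
_P, _Q = 1000003, 1000033
GOV_N = _P * _Q
GOV_E = 65537
GOV_D = pow(GOV_E, -1, (_P - 1) * (_Q - 1))   # private exponent; only the government holds it

_LOW24 = (1 << WRF_BITS) - 1
_PADMASK = (1 << PAD_BITS) - 1


def generate_bulk_key() -> int:
    """Fresh random 64-bit bulk data key."""
    return secrets.randbits(BULK_KEY_BITS)


def _keystream(bulk_key: int, label: bytes, length: int) -> bytes:
    """Toy stream cipher keyed by the bulk key (SHA-256 in counter mode; not real Notes crypto)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = label + bulk_key.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def bulk_encrypt(bulk_key: int, data: bytes) -> bytes:
    """Encrypt (or decrypt) the message body under the bulk key by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(bulk_key, b"body", len(data))))


def _pad_mask(bulk_key: int) -> int:
    """Mask used to deliver the RSA pad encrypted under the bulk key, as the paper's note requires."""
    return int.from_bytes(_keystream(bulk_key, b"pad", 2), "big") & _PADMASK


def make_wrf(bulk_key: int, pad: int) -> Tuple[int, int]:
    """Build the WRF: textbook RSA of (pad || low 24 bits of the bulk key) under the government key.

    Textbook RSA is deterministic, so anyone holding the bulk key and the public key can
    regenerate the field. Returns (wrf, pad encrypted under the bulk key)."""
    plaintext = (pad << WRF_BITS) | (bulk_key & _LOW24)
    assert plaintext < GOV_N, "toy modulus too small for this plaintext"
    return pow(plaintext, GOV_E, GOV_N), pad ^ _pad_mask(bulk_key)


def verify_wrf(bulk_key: int, wrf: int, hidden_pad: int) -> bool:
    """Recipient check: recover the pad with the bulk key, regenerate the WRF, compare."""
    pad = hidden_pad ^ _pad_mask(bulk_key)
    expected = pow((pad << WRF_BITS) | (bulk_key & _LOW24), GOV_E, GOV_N)
    return expected == wrf


def government_open_wrf(wrf: int) -> Tuple[int, int]:
    """Private-key holder recovers (24-bit partial key, pad) from the WRF alone."""
    plaintext = pow(wrf, GOV_D, GOV_N)
    return plaintext & _LOW24, plaintext >> WRF_BITS


def remaining_workfactor_bits(knows_private_key: bool) -> int:
    """Bulk-key bits left to search: 40 for the private-key holder, 64 for everyone else."""
    return BULK_KEY_BITS - WRF_BITS if knows_private_key else BULK_KEY_BITS


@dataclass
class Envelope:
    """What travels with an International Edition message in this toy layout."""
    body: bytes       # message encrypted under the bulk key
    wrf: int          # 24 bits of the bulk key under the government public key
    hidden_pad: int   # RSA pad, encrypted under the bulk key


def seal(bulk_key: int, message: bytes) -> Envelope:
    """Sender side: encrypt the body and bind a fresh WRF to it."""
    wrf, hidden_pad = make_wrf(bulk_key, secrets.randbits(PAD_BITS))
    return Envelope(bulk_encrypt(bulk_key, message), wrf, hidden_pad)


def open_envelope(bulk_key: int, env: Envelope) -> bytes:
    """Recipient side: refuse to decrypt when the WRF is missing, altered or inconsistent."""
    if not verify_wrf(bulk_key, env.wrf, env.hidden_pad):
        raise ValueError("Workfactor Reduction Field missing or tampered")
    return bulk_encrypt(bulk_key, env.body)


if __name__ == "__main__":
    key = generate_bulk_key()
    env = seal(key, b"constructed sample message")
    print(open_envelope(key, env))
    print(government_open_wrf(env.wrf)[0] == (key & _LOW24))
    print(remaining_workfactor_bits(True), remaining_workfactor_bits(False))
```

The model makes the paper's trade-offs concrete: `verify_wrf` is what lets a conforming recipient reject a message whose WRF was stripped or edited without cooperation at both ends, `government_open_wrf` is the only path that shortens the search to 40 bits, and because the pad is masked under the bulk key an outsider has no cleartext pad to use for trial encryptions. Swapping a real bulk cipher and a full-size RSA key for the toys here would not change the structure.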