[A-List] Only NSA can listen, so that's OK

[Bill Totten <shimogamo@xxxxxxxxxxxxx>]

Export version of Lotus Notes provides trapdoor for NSA.

by Duncan Campbell (01.06.1999)

Telepolis

Giant US software manufacturer Lotus has been lowering the profile of
information about how they have installed an NSA-only trapdoor into e-mail 
and conference systems used by many European governments, including the German
Ministry of Defence, the French Ministry of Education and Research and the
Ministry of Education in Latvia.


Last week in Brussels, Lotus staged a lavish "Global Government Forum" to try
and gain more government customers for its software. They succeeded in striking
a new 500,000 user deal with the Russian Ministry of Higher and Professional
Education for the development of a new information infrastructure for the
Russian education system. Yet another conference, Lotus Eurosphere '99, 
will be held in Berlin in October.

Lotus claims that its systems are inherently more secure than those from its
main rival, Microsoft. However, although details of how the NSA trapdoor works
can still be found in some corners of the web {1}, the key technical papers 
and press releases which reveal how Lotus worked with NSA to build a special
trapdoor into the International Edition of Lotus Notes have disappeared from 
the web.

Visitors to the security pages on Lotus's website {2} are now told that the
export version of Lotus Notes uses "a system approved by the US government
called "Workgroup Differential" and "encrypt(s) information using 64 bit keys".

The name "Workgroup Differential" is meaningless. The correct title is
"Differential Workfactor Cryptography". The "differential workfactor" means 
that the US National Security Agency can break the code on Lotus Notes private
messages sixteen million times faster than anyone else.

How "Differential Workfactor Cryptography" works was revealed by Lotus itself
three years ago. Although the documents concerned have now disappeared from the
web, Telepolis has obtained copies.

In a keynote speech to the RSA Data Security Conference on 17 January 1996, Ray
Ozzie, President of Lotus designers Iris Associates revealed how Lotus had come
to terms with American government export controls, which prohibited the export
of cryptographic systems with a key length over forty bits.

He told them that no-one regarded this as secure:

"Our customers have lost confidence in forty-bit crypto. They told us that, if
we were going to continue to market forty-bit Lotus Notes overseas, we should
stop marketing it as a secure system - that we should start to call it "data
scrambling" or "data masking" instead of encryption."


Lotus's answer was a system that let NSA easily read foreign users' e-mail,
while improving security against other eavesdroppers. In a paper distributed to
the RSA conference, Security Project Leader Charles Kaufman explained in detail
how the system worked.

When sending e-mail messages, Lotus uses a 64 bit key. But in export editions,
24 bits of the key are broadcast with the message, reducing the effective key
length to forty bits. The 24 bits are encrypted using a public key created by
the NSA. This is called the Workfactor Reduction Field. Only NSA can decrypt the
information in the Workfactor Reduction Field. Once the key length is reduced to
forty bits, fast modern computers can break the code in seconds or minutes.


Only Americans could think that this was an advantage for the Lotus system.


In 1996, Kaufman also revealed that Notes had to be weakened even further to
prevent users from simply removing the NSA backdoor from being sent along with
their messages. To prevent foreign users tampering with the workfactor reduction
field, the International Edition of Lotus Notes will refuse to decipher any
message which does not contain the correct field. To check this means that the
entire key to the message has to be transmitted in the message. The recipient's
software then checks that the workfactor reduction field is present and correct.
The fact that the full key is sent along with the message creates the
possibility of a second backdoor, reducing further.

Since these papers were presented openly, European governments have become 
aware of the enormous scale of communications monitoring by the NSA, and by 
the Echelon {3} network in particular. The loophole in Lotus Notes made front
page news in Sweden in November 1997. Although the company did not deny the
allegation, they claimed that the American government would not "misuse" them.

Since the row in Sweden, both Lotus and RSA have removed the 1996 papers 
from their web sites. Another Lotus employee claimed "we haven't weakened 
the security of international encryption, but actually made it equal to the 
US security (to everyone but the NSA). We are proud of this arrangement" 
(our emphasis).

Only Americans could think that this was an advantage for the Lotus system. 
From the European perspective, the greatest threat may be economic and political
espionage by NSA. With Lotus bent on increasing its markets in Europe, there
must be serious questions about whether users are being told the whole truth
about security.
	  	  	

Notes:

{1} See IBM Redbook, Page 80 at
http://www.redbooks.ibm.com/abstracts/sg245341.html

{2} http://www-142.ibm.com/software/sw-lotus/home.nsf/welcome/security

{3} http://www.heise.de/tp/r4/artikel/2/2889/1.html


Copyright (c) Heise Zeitschriften Verlag

http://www.heise.de/tp/r4/artikel/2/2898/1.html



http://www.billtotten.blogspot.com
http://www.ashisuto.co.jp