Export Version of Lotus Notes Provides Trapdoor For NSA
Only NSA can listen, so that's OK

Duncan Campbell 01.06.1999

Export version of Lotus Notes provides trapdoor for NSA.

Giant US software manufacturer Lotus has been lowering the profile of information about how they have installed an NSA-only trapdoor into email and conference systems used by many European governments, including the German Ministry of Defence, the French Ministry of Education and Research and the Ministry of Education in Latvia.

Last week in Brussels, Lotus staged a lavish "Global Government Forum" to try and gain more government customers for its software. They succeeded in striking a new 500,000 user deal with the Russian Ministry of Higher and Professional Education for the development of a new information infrastructure for the Russian education system. Yet another conference, Lotus Eurosphere '99, will be held in Berlin in October.

Lotus claims that its systems are inherently more secure than those from its main rival, Microsoft.

However, although details of how the NSA trapdoor works can still be found in some corners of the web (see IBM Redbook, Page 80 [1]), the key technical papers and press releases which reveal how Lotus worked with NSA to build a special trapdoor into the International Edition of Lotus Notes have disappeared from the web.

Visitors to the security pages on Lotus's website [2] are now told that the export version of Lotus Notes uses "a system approved by the US government called "Workgroup Differential" and "encrypt(s) information using 64 bit keys".

The name "Workgroup Differential" is meaningless. The correct title is "Differential Workfactor Cryptography". The "differential workfactor" means that the US National Security Agency can break the code on Lotus Notes private messages 16 million times faster than anyone else.

How "Differential Workfactor Cryptography" works was revealed by Lotus itself three years ago. Although the documents concerned have now disappeared from the web, Telepolis has obtained copies.

In a keynote speech to the RSA Data Security Conference on 17 January 1996, Ray Ozzie, President of Lotus designers Iris Associates revealed how Lotus had come to terms with American government export controls, which prohibited the export of cryptographic systems with a key length over 40 bits.

He told them that no one regarded this as secure:
Lotus's answer was a system that let NSA easily read foreign users' email, while improving security against other eavesdroppers. In a paper distributed to the RSA conference, Security Project Leader Charles Kaufman explained in detail how the system worked.

When sending email messages, Lotus uses a 64 bit key. But in export editions, 24 bits of the key are broadcast with the message, reducing the effective key length to 40 bits. The 24 bits are encrypted using a public key created by the NSA. This is called the Workfactor Reduction Field. Only NSA can decrypt the information in the Workfactor Reduction Field. Once the key length is reduced to 40 bits, fast modern computers can break the code in seconds or minutes.

In 1996, Kaufman also revealed that Notes had to be weakened even further to prevent users from simply removing the NSA backdoor from being sent along with their messages. To prevent foreign users tampering with the workfactor reduction field, the International Edition of Lotus Notes will refuse to decipher any message which does not contain the correct field. To check this means that the entire key to the message has to be transmitted in the message. The recipient's software then checks that the workfactor reduction field is present and correct. The fact that the full key is sent along with the message creates the possibility of a second backdoor, reducing further.
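The Python model below is an added example, not code from Lotus or from the article: it reproduces the Workfactor Reduction Field as described above and derives the "16 million times" figure from the 64/24/40 bit split. The textbook-RSA key pair is a constructed stand-in for the NSA public key (the article names no algorithm), the recipient check by recomputing the field is an assumption, and all function names are hypothetical.

```python
import secrets

KEY_BITS, ESCROW_BITS = 64, 24   # figures given in the article

# Toy textbook-RSA key pair standing in for the escrow (NSA) key. Constructed
# and insecure: no padding, tiny modulus. The article names no algorithm.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the escrow party only


def make_wrf(key: int) -> int:
    """Sender: encrypt the top 24 key bits under the escrow public key."""
    return pow(key >> (KEY_BITS - ESCROW_BITS), E, N)


def recipient_accepts(key: int, wrf) -> bool:
    """Recipient (assumed check): refuse unless the field is present and
    matches the field recomputed from the full message key."""
    return wrf is not None and wrf == make_wrf(key)


def escrow_recover(wrf: int) -> int:
    """Escrow key holder: decrypt the field to learn 24 of the 64 key bits."""
    return pow(wrf, D, N)


def search_space(known_bits: int) -> int:
    """Number of candidate keys left when known_bits of the key are known."""
    return 2 ** (KEY_BITS - known_bits)


def differential() -> int:
    """Work-factor ratio between an outsider and the escrow key holder."""
    return search_space(0) // search_space(ESCROW_BITS)


if __name__ == "__main__":
    key = secrets.randbits(KEY_BITS)            # constructed message key
    wrf = make_wrf(key)
    print("field accepted:        ", recipient_accepts(key, wrf))
    print("field stripped:        ", recipient_accepts(key, None))
    print("escrow learns top bits:", escrow_recover(wrf) == key >> 40)
    print("escrow search space:    2^40 =", search_space(ESCROW_BITS))
    print("differential:          ", differential())
```
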
Since the row in Sweden, both Lotus and RSA have removed the 1996 papers from their websites. Another Lotus employee claimed "we haven't weakened the security of international encryption, but actually made it equal to the US security (to everyone but the NSA). We are proud of this arrangement" (our emphasis).

Only Americans could think that this was an advantage for the Lotus system. From the European perspective, the greatest threat may be economic and political espionage by NSA. With Lotus bent on increasing its markets in Europe, there must be serious questions about whether users are being told the whole truth about security.
Appendix: Links
Article URL: http://www.heise.de/tp/artikel/2/2898/1.html
Copyright Telepolis, Heise Zeitschriften Verlag