7/17/13

Only NSA can listen, so that's OK | Telepolis (Print)

OnlyNSAcanlisten,sothat'sOK
DuncanCampbell01.06.1999

ExportversionofLotusNotesprovidestrapdoorforNSA.
GiantUSsoftwaremanufacturerLotushasbeenloweringtheprofileof informationabouthowtheyhaveinstalledanNSAonlytrapdoorintoemail andconferencesystemsusedbymanyEuropeangovernments,includingthe GermanMinistryofDefence,theFrenchMinistryofEducationandResearch andtheMinistryofEducationinLatvia.

LastweekinBrussels,Lotusstagedalavish"GlobalGovernmentForum"totryand
gainmoregovernmentcustomersforitssoftware.Theysucceededinstrikinganew 500,000userdealwiththeRussianMinistryofHigherandProfessionalEducationfor thedevelopmentofanewinformationinfrastructurefortheRussianeducationsystem. Yetanotherconference,LotusEurosphere'99,willbeheldinBerlininOctober. Lotusclaimsthatitssystemsareinherentlymoresecurethanthosefromitsmainrival, Microsoft. However,althoughdetailsofhowtheNSAtrapdoorworkscanstillbefoundinsome cornersoftheweb(seeIBMRedbook,Page80 [1]),thekeytechnicalpapersandpress releaseswhichrevealhowLotusworkedwithNSAtobuildaspecialtrapdoorintothe InternationalEditionofLotusNoteshavedisappearedfromtheweb. VisitorstothesecuritypagesonLotus'swebsite [2]arenowtoldthattheexport versionofLotusNotesuses"asystemapprovedbytheUSgovernmentcalled "WorkgroupDifferential"and"encrypt(s)informationusing64bitkeys". Thename"WorkgroupDifferential"ismeaningless.Thecorrecttitleis"Differential WorkfactorCryptography".The"differentialworkfactor"meansthattheUSNational SecurityAgencycanbreakthecodeonLotusNotesprivatemessages16milliontimes fasterthananyoneelse. How"DifferentialWorkfactorCryptography"workswasrevealedbyLotusitself threeyearsago.Althoughthedocumentsconcernedhavenowdisappearedfromthe web,Telepolishasobtainedcopies. InakeynotespeechtotheRSADataSecurityConferenceon17January1996,Ray Ozzie,PresidentofLotusdesignersIrisAssociatesrevealedhowLotushadcometo termswithAmericangovernmentexportcontrols,whichprohibitedtheexportof cryptographicsystemswithakeylengthover40bits. Hetoldthemthatnooneregardedthisassecure:

www.heise.de/tp/druck/mb/artikel/2/2898/1.html

1/3

7/17/13

Only NSA can listen, so that's OK | Telepolis (Print)

"Ourcustomershavelostconfidencein40bitcrypto.Theytoldusthat,ifwewere goingtocontinuetomarket40bitLotusNotesoverseas,weshouldstopmarketing itasasecuresystemthatweshouldstarttocallit"datascrambling"or"data masking"insteadofencryption".

Lotus'sanswerwasasystemthatletNSAeasilyreadforeignusers'email,while
improvingsecurityagainstothereavesdroppers.InapaperdistributedtotheRSA conference,SecurityProjectLeaderCharlesKaufmanexplainedindetailhowthe systemworked. Whensendingemailmessages,Lotususesa64bitkey.Butinexporteditions,24bits ofthekeyarebroadcastwiththemessage,reducingtheeffectivekeylengthto40bits. The24bitsareencryptedusingapublickeycreatedbytheNSA.Thisiscalledthe WorkfactorReductionField.OnlyNSAcandecrypttheinformationinthe WorkfactorReductionField.Oncethekeylengthisreducedto40bits,fastmodern computerscanbreakthecodeinsecondsorminutes. In1996,KaufmanalsorevealedthatNoteshadtobe weakenedevenfurthertopreventusersfromsimply removingtheNSAbackdoorfrombeingsentalong withtheirmessages.Topreventforeignusers tamperingwiththeworkfactorreductionfield,the InternationalEditionofLotusNoteswillrefuseto decipheranymessagewhichdoesnotcontainthecorrectfield.Tocheckthismeans thattheentirekeytothemessagehastobetransmittedinthemessage.Therecipient's softwarethenchecksthattheworkfactorreductionfieldispresentandcorrect.The factthatthefullkeyissentalongwiththemessagecreatesthepossibilityofasecond backdoor,reducingfurther.
OnlyAmericanscould thinkthatthiswasan advantagefortheLotus system.

Sincethesepaperswerepresentedopenly,Europeangovernmentshavebecomeaware oftheenormousscaleofcommunicationsmonitoringbytheNSA,andbytheEchelon network [3]inparticular.TheloopholeinLotusNotesmadefrontpagenewsin SwedeninNovember1997.Althoughthecompanydidnotdenytheallegation,they claimedthattheAmericangovernmentwouldnot"misuse"them.

SincetherowinSweden,bothLotusandRSAhaveremovedthe1996papersfrom
theirwebsites.AnotherLotusemployeeclaimed"wehaven'tweakenedthesecurityof internationalencryption,butactuallymadeitequaltotheUSsecurity(toeveryone buttheNSA).Weareproudofthisarrangement"(ouremphasis). OnlyAmericanscouldthinkthatthiswasanadvantagefortheLotussystem.Fromthe Europeanperspective,thegreatestthreatmaybeeconomicandpoliticalespionageby NSA.WithLotusbentonincreasingitsmarketsinEurope,theremustbeserious questionsaboutwhetherusersarebeingtoldthewholetruthaboutsecurity.

Anhang Links

www.heise.de/tp/druck/mb/artikel/2/2898/1.html

2/3

7/17/13

Only NSA can listen, so that's OK | Telepolis (Print)

[1] http://www.redbooks.ibm.com/abstracts/sg245341.html [2] http://www.lotus.com/home.nsf/welcome/security [3] http://www.heise.de/tp/artikel/2/2889/1.html

ArtikelURL:http://www.heise.de/tp/artikel/2/2898/1.html CopyrightTelepolis,HeiseZeitschriftenVerlag

www.heise.de/tp/druck/mb/artikel/2/2898/1.html

3/3