FWD: Sweden learns of US trap door in Lotus Notes
- To: debate@fitug.de
- Subject: FWD: Sweden learns of US trap door in Lotus Notes
- From: Josef Dietl <jdietl@w3.org>
- Date: Mon, 19 Jan 1998 11:38:42 +0100
- Comment: This message comes from the debate mailing list.
- Sender: owner-debate@fitug.de
A report on the anecdote I told on Thursday evening...
Anonymized. Enjoy :-)
Josef
>From:
>Subject: FWD: Sweden learns of US trap door in Lotus Notes
>
>>------- Forwarded Message
>>Date: Fri, 2 Jan 1998 12:13:37 -0500 (EST)
>>From:
>>To:
>>Subject: FWD: Sweden learns of US trap door in Lotus Notes
>>
>>
>>[Some details below are misleading. As I understand it, each message sent
>>internationally contains within it most of the key used to encrypt the
>>message proper and this key information is encrypted under a private key
>>provided to Lotus by the US Government. Thus, no key is "escrowed" with or
>>given to anyone. It is just that if the US Government wants to break the
>>security on a Lotus Notes message, it can look into the message and, using the
>>key corresponding to the one it provided Lotus, it can reduce the work factor
>>it needs to perform down to only 40 bits of brute forcing. --****]
>>
>>Date: Wed, 31 Dec 1997 14:35:57 -0500
>>From:
>>Subject: RISKS 19.52: The Key Escrow Shoe Drops in Sweden...
>>
>>Forwarded from Risks digest, by way of Nev Dull:
>>
>>Date: Tue, 23 Dec 1997 22:15:31 -0500
>>From: Win Treese <treese@OpenMarket.com>
>>Subject: The Swedes discover Lotus Notes has key escrow!
>>
>>My colleague Bill Nilson brought this to my attention. Below is his
>>translation of a story from a Swedish newspaper. [Original Swedish
>>truncated, but is available on request. PGN]
>>
>>The article describes the reaction when various people in the Swedish
>>government learned that the Lotus Notes system they were using includes key
>>escrow. They were apparently unaware of this until Notes was in use by
>>thousands of people in government and industry.
>>
>>Besides being an interesting reaction to key escrow systems, this incident
>>reminds us that one should understand the real security of a system....
>>
>> Secret Swedish E-Mail Can Be Read by the U.S.A.
>> Fredrik Laurin, Calle Froste, *Svenska Dagbladet*, 18 Nov 1997
>>
>>One of the world's most widely used e-mail programs, the American Lotus
>>Notes, is not so secure as most of its 400,000 to 500,000 Swedish users
>>believe. To be sure, it includes advanced cryptography in its e-mail
>>function, but the codes that protect the encryption have been surrendered to
>>American authorities. With them, the U.S. government can decode encrypted
>>information. Among Swedish users are 349 parliament members, 15,000 tax
>>agency employees, as well as employees in large businesses and the defense
>>department. ``I didn't know that our Notes keys were deposited (with the
>>U.S.). It was interesting to learn this,'' says Data Security Chief Jan
>>Karlsson at the [Swedish] defense department. Gunnar Grenfors, Parliament
>>director and daily e-mail user, says, ``I didn't know about this--here we
>>handle sensitive information concerning Sweden's interests, and we should
>>not leave the keys to this information to the U.S. government or anyone
>>else. This must be a basic requirement.''
>>
>>Sending information over the Internet is like sending a postcard--it's that
>>simple to read these communications. When e-mail is encrypted, it becomes
>>unintelligible for anyone who captures it during transport. Only those who
>>have the right codes or raw computer power to break the encryption can read
>>it. For crime prevention and national security reasons, the United States
>>has tough regulations concerning the level of cryptography that may be
>>exported. Both large companies and intelligence agencies can already--in a
>>fraction of a second--break the simpler cryptographic protections. For the
>>world-leading American computer industry, cryptographic export controls are
>>therefore an ever greater obstacle. This slows down utilization of the
>>Internet by businesses because companies outside the U.S.A. do not dare to
>>send important information over the Internet. On the other hand, the
>>encryption that may be used freely within the U.S.A. is substantially more
>>secure.
>>
>>Lotus, a subsidiary of the American computer giant IBM, has negotiated a
>>special solution to the problem. Lotus gets to export strong cryptography
>>with the requirement that vital parts of the secret keys are deposited with
>>the U.S. government. ``The difference between the American Notes version
>>and the export version lies in degrees of encryption. We deliver 64 bit
>>keys to all customers, but 24 bits of those in the version that we deliver
>>outside of the United States are deposited with the American government.
>>That's how it works today,'' says Eileen Rudden, vice president at Lotus.
>>
>>Those 24 bits are critical for security in the system. 40-bit encryption is
>>broken by a fast computer in several seconds, while 64 bits is much more
>>time-consuming to break if one does not have the 24 bits [table omitted].
>>Lotus cannot answer as to which authorities have received the keys and what
>>rules apply for giving them out. The company has confidence that the
>>American authorities responsible for this have full control over the keys
>>and can ensure that they will not be misused.
>>
>>On the other hand, this (assurance) does not matter to Swedish companies.
>>On the contrary, there is a growing understanding that it would be an
>>unacceptable security risk to place the corporation's own ``master key'' in
>>the hands of foreign authorities. Secret information can leak or be spread
>>through, for example, court decisions in other countries. These concerns
>>are demonstrated clearly in a survey by the SAF Trade and Industry security
>>delegation. Some 60 companies answered the survey. They absolutely do not
>>want keys deposited in the U.S.A. It is business secrets they are
>>protecting. These corporations fear that anyone can get a hold of this
>>information, states Claes Blomqvist at SAF.
>>
>>Swedish businesses are also afraid of leaks within the American authorities.
>>The security chief at SKF, Lars Lungren, states: ``If one has a lawful
>>purpose for having control over encryption, it isn't a problem. But the
>>precept is flawed: They ought to monitor (internally), but the Americans now
>>act as if there are no crooks working within their authorities.''
>>
>>In some countries, intelligence agencies clearly have taken a position on
>>their country's trade and industry. Such is the case in France. One
>>example, which French authorities chose to publicize, was in 1995 when five
>>CIA agents were deported after having spied on a French telecommunications
>>company.
>>
>>Win Treese <treese@openmarket.com>
>>
>> [The Lotus Notes crypto scheme is one that I have familiarly been
>> calling ``64 40 or fight!'' (in a reference to a slogan for an early
>> U.S. election campaign border-dispute issue many years ago). PGN]
>>
>>------- End of Forwarded Message
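To make the mechanism in the bracketed note at the top concrete, here is an added model of the export-version message (not Lotus's code and not part of the original post): a 64-bit session key encrypts the body, and the top 24 bits of that key travel inside the message encrypted for the escrow-key holder, so that holder faces a 40-bit search instead of a 64-bit one. A toy SHA-256 counter-mode keystream stands in for the real ciphers, and a shared symmetric escrow key stands in for the government's public key; both are assumptions of this model.

```python
import os
import hashlib

KEY_BITS = 64        # export-version Notes session key length, per the article
ESCROWED_BITS = 24   # key bits the export version encrypts for the US government


def keystream(secret: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream; stands in for the real ciphers."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_export_message(plaintext: bytes, escrow_key: bytes):
    """Model of the export-version message: body encrypted under a fresh 64-bit
    session key, plus a 'workfactor reduction' field carrying the top 24 bits of
    that key encrypted under the escrow key (symmetric here; the real scheme
    used a government public key, which is why nothing is 'deposited')."""
    session_key = os.urandom(KEY_BITS // 8)
    escrowed_part = session_key[: ESCROWED_BITS // 8]
    wrf = xor(escrowed_part, keystream(escrow_key, len(escrowed_part)))
    body = xor(plaintext, keystream(session_key, len(plaintext)))
    return {"wrf": wrf, "body": body}, session_key


def decrypt_body(message: dict, session_key: bytes) -> bytes:
    return xor(message["body"], keystream(session_key, len(message["body"])))


def escrow_holder_view(message: dict, escrow_key: bytes) -> bytes:
    """What the escrow-key holder learns directly: 24 of the 64 key bits."""
    return xor(message["wrf"], keystream(escrow_key, ESCROWED_BITS // 8))


def residual_search_bits(holds_escrow_key: bool) -> int:
    """Key bits still to be brute-forced: 40 with the escrow key, 64 without."""
    return KEY_BITS - ESCROWED_BITS if holds_escrow_key else KEY_BITS


def workfactor_ratio() -> int:
    """How many times cheaper the search becomes for the escrow-key holder."""
    return 2 ** ESCROWED_BITS
```

The model shows why the article's "deposited keys" wording is loose: the recipient of the escrow field recovers only 24 bits per message and still has 2^40 candidates for the rest, which is the "64 40 or fight" figure.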
--
Josef Dietl                      jdietl@w3.org
W3C/INRIA                        +33 (0) 4 93 65 79 72
BP 93                            +33 (0) 4 93 65 78 22 (Fax)
F-06902 Sophia-Antipolis Cedex   (dial 0 in France, skip it if calling from abroad)
France