Hello,
  First off, please don't publish my name on your site.  I'm too lazy to
set up another cheesy mail acct.
  Today I downloaded cryptography/nsa/lotus.notes.backdoor.txt from
your site.  I have a close friend who is a developer for Iris (the
people who make Notes for Lotus).  I sent him the file I downloaded and
asked him what the deal was, and here's his response:

Here's the necessary info to truly understand the issue here: a speech by Ray
Ozzie and Charlie Kaufman's white paper on the topic. What it comes down to is
that Notes provides superior exportable encryption technology when compared to
other US products on the market. For anyone (but the NSA) to crack our
international encryption keys they must crack a 64 bit key, the same as with a
US encryption key. In the international version we take 24 of the 64 bit
encryption key and encrypt the 24 bits with the NSA's public key and send it,
encrypted strongly, along with the encrypted message. This means the NSA can
decrypt with their key and have 24 of the 64 bit key. They still have to break
the remaining 40 bits. 40 bit key encryption has been the max for exportable
encryption and that is what all other US exportable encryption providers
allow.
That limit has just been raised to 56 bits and we are incorporating that as I
type. In the worst case, the NSA's private key is compromised, and the 40 bit
portion of the key still must be cracked. So we haven't weakened the security
of international encryption, but actually made it equal to the US security (to
everyone but the NSA). We are proud of this arrangement because we have found
a way to make Notes as secure as the US government will allow for our
international customers. If we hadn't used this technique all of the
international Notes encrypted data would be with only a 40 bit key. As it
stands, the 64 bit key used in both US and international encryption is
extremely secure.

It's too bad the author of this article chose to attack Lotus Notes without
considering the options the US government provides. We could have just
shipped 40 bit encryption like MS, Netscape, etc. and left our international
customers with weak encryption, but we didn't. Oh well, you can't make everyone
understand this confusing and frustrating stuff. I hope this helps.

-<deleted his name>

*** Prepared Remarks of Ray Ozzie,
*** President of Iris Associates
*** an affiliate of Lotus Development Corporation
*** Delivered at opening of the RSA Data Security Conference '96
***
<keynote>

SAN FRANCISCO, Jan. 17, 1996 -- As we're all painfully aware, the U.S.
government continues to maintain that cryptography should be
classified and controlled as a munition of war -- and for good
historical reason: Some of cryptography's finest hours have been
during past wars.
From the government's standpoint, the export controls implied by
munitions classification must be working very well, since there has
been no mass-deployed worldwide cryptography, most general
communications is still in cleartext, and no world of unbreakable
crypto has emerged.
In the meantime, while we're preoccupied by protecting the flow of
bits across borders, trouble is brewing. Criminals don't recognize
borders but operate in one wild-and-woolly network. Crackers are able
to attack targets halfway around the world with no fear of
prosecution. Exceptionally smart people in Eastern Europe crack
financial systems in New York.
Everywhere you look, bright, clever people are breaking into
communication systems, industrial control systems, transportation
systems, health care systems -- anything and everything that's
controlled by networked computers. And as you know, this isn't a
theoretical problem, or just a problem with clever people stealing
money from banks; it's a "clear and present danger" that's a direct
result of our having moved into the information age without adequately
securing our information and our global information systems.
This is not just an issue of signals intelligence or of Title III
wiretaps or of lost software industry profits; this is a public safety
issue.
One of these days, someone is going to bring down an airliner
somewhere in the world, or cause a train wreck, or destabilize an
economy, by breaking into an information system through the worldwide
net. And it may be something that we could have prevented, if we had
been making more casual and widespread use of cryptography.
And that's why I, and a number of you, spend so much time trying to
change the system -- trying to educate, to help convince the U.S.
Government to liberalize export controls, to allow our customers
worldwide to have access to good security, to protect themselves
against the threats present on the worldwide networks.
To be sure, the customers are getting more and more astute. Due in
large part to the press surrounding the cracking of a few 40-bit RC4
keys last year, our customers have lost confidence in 40-bit crypto.
They told us that, if we were going to continue to market 40-bit Lotus
Notes overseas, we should stop marketing it as a secure system -- that
we should start to call it "data scrambling" or "data masking" instead
of encryption. And so we have continued to lobby, arguing that the
benefits of substantially better exportable crypto outweigh the risks.
The government's response? Well, their latest proposal might -- in
theory -- allow us to ship a 64-bit product overseas so long as it had
third-party key escrow features built in. We talked to our customers
about the administration's proposal, and the answer was very clear:
our customers have said a resounding "no" to key escrow in Lotus
Notes.
They simply don't like the notion that they can't compute the
additional risk and liability introduced by a third party holding the
keys to unlock their data. Well, that left us in a bind.
We need to provide better security for our international customers,
but the government's proposal was clearly unacceptable to them.
And because I didn't see a "silver bullet" solution -- or general
export relief -- in the cards, I began looking for an interim solution
that might allow us to ship a more secure product in the short term,
while we continued to argue for substantial revision of national
cryptography policy.
And after months of negotiation, I'm here to announce that we have
found a short-term workaround to the problem, which I hope you will
find to be an interesting, new development in the area of cryptography
as it pertains to export controls.
While this is a very tough issue, and while I personally believe that
a world of widespread cryptography is truly inevitable, the name of
the game right now is to find a compromise solution that satisfies the
stated needs of the U.S. Government, while still providing good
information security.
This is just such a compromise.
Lotus Notes Release 4, which is now shipping, utilizes a new method of
security that we're referring to as "Differential Workfactor
Cryptography." It is a conceptually simple solution that addresses two
problems at the same time: First, it protects sensitive corporate
information from most malicious crackers far more effectively than
previously exported products; second, it permits the government to
retain its current level of access to encrypted information carried by
U.S. products overseas.
No more access, no less access.
As you know, the U.S. government has defined its "maximum tolerance
level" for exportable unescrowed cryptography at 40 bits. That is,
because they generally permit the export of 40-bit products, the U.S.
government is clearly already willing to deal with a 40-bit work
factor in order to examine encrypted communications outside of this
country.
So, the system that we're shipping in Lotus Notes Release 4 overseas
is one that presents different work factors to different parties,
hence the name.
Against crackers -- against the run-of-the-mill adversary trying to
break a message -- the work factor is 64 bits, just like it is in the
U.S. That is, in the new International Edition of Lotus Notes, bulk
data keys are now 64 bits just as they are in our North American
Edition that's sold in the U.S. and Canada.
But when the U.S. Government needs access to a communications stream
overseas encoded by the International Edition of Lotus Notes, they are
no worse off -- and no better off -- than they are today: they have to
crack 40 bits.
So how can this be true, when the work factor is 64 bits for
non-governmental adversaries? It's pretty simple. We asked the
government to generate a special RSA key pair, and to make known their
RSA Public Key. We asked them to keep their private key classified,
compartmentalized -- as secret as they'd keep the keys to their own
military and diplomatic communication systems -- and to never disclose
it to anyone.
Then, we changed Notes so that whenever the product generates an
encrypted 64-bit bulk data key, bound to that key is a small package
-- a "workfactor reduction field" -- containing 24 bits of the bulk
data key encrypted with the U.S. government's public key. So the U.S.
government has exclusive access to 24 of the 64 bits.
That's 64 bits against the cracker, 40 bits for the government.
And, of course, this version of Notes is fully interoperable with the
North American Edition of Notes, the only version that we sell in the
United States.
In the North American Edition, as always, keys generated for
communications within the U.S. and Canada aren't subject to any kind
of work factor reduction. And both the North American Edition and the
International Edition are shipping today.
We are very pleased that we are now able to offer this increased level
of security to our overseas customers. And I encourage you out there
-- product designers and developers who are in a similar bind -- to
offer stronger confidentiality features to your customers in your
exported products by taking advantage of our already having negotiated
export approval for this Differential Workfactor implementation.
But please make no mistake about it: We fully recognize that this is a
compromise solution. This is not a panacea. This is not the "silver
bullet" that addresses all needs.
We continue to argue vigorously that global and national economic
security, domestic law enforcement related to Information security
crimes, and personal privacy concerns would all be served well by the
rapid and broad, worldwide proliferation of good, strong, high-grade
cryptography. And we continue to push for a complete and public review
of national cryptography policy.
But we relish the fact that, in today's highly-charged political
climate surrounding the issue of cryptography, we were able to
negotiate a solution that increases information security for our
worldwide customers. By throwing another potential solution into the
mix -- by leading the way for others by clearing its export approval
-- we hope that this stirs debate related to national cryptography
policy.
A debate that is both global and local in nature; a debate that, with
your help, we can hopefully bring to the attention of the U.S. public.
Updated: 01/17/96 01:14:15 PM
</keynote>

***
*** White Paper by Charlie Kaufman, distributed at the RSA '96
conference
***

<whitepaper>


Differential Workfactor Cryptography

Charlie Kaufman
Security Architect
Iris Associates

January 17, 1996

Abstract: This document describes the technical approach behind the
exportable strong cryptography included in Lotus Notes Release 4
(International Edition). Current U.S. export regulations generally prohibit
the export of cryptographic software that uses keys larger than 40 bits,
but advances in processor technology are making exhaustive search of a
40 bit key space practical for a growing collection of potential
attackers. In a novel scheme we sometimes refer to as 64/40, we provide
the cryptographic strength of 64 bit keys against most attackers while, to
comply with export regulations, reducing the workfactor for breaking the
system to the equivalent of only 40 bits for the U.S. government. We do that
by encrypting 24 of the 64 bits under a public RSA key provided by the
U.S. government and binding the encrypted partial key to the encrypted data.

Background: As we're all painfully aware, the U.S. government continues
to maintain that cryptography should be classified and controlled as a
munition of war. There is a long historical basis for this - some of
cryptography's finest hours have been during the wars of the past. And
while some would argue that export controls are a sham because many
foreign governments impose no such restrictions and we participate in an
international marketplace, by one very important measure export controls
have been a success: no mass-deployed worldwide cryptography has emerged
and most general communications is still in cleartext.

But while the government has been successfully defending its ability to
spy, trouble has been brewing. Criminals don't recognize borders - there's
only one wild and woolly network. Crackers are able to attack targets
halfway around the world with no fear of prosecution. Smart people in
Eastern Europe crack financial systems in New York. Everywhere you
look, bright, clever people are breaking into communication systems,
industrial control systems, transportation systems, health care systems,
anything and everything that's controlled by networked computers. This is
not a theoretical problem, or just a problem with clever people stealing
money from banks; it's a clear and present danger that's a direct result of
the fact that we've moved into the information age without adequately
securing our global information systems.

Lotus Notes has been a pioneer in providing transparent strong RSA based
cryptography in its product offering. It went to great lengths to provide
the strongest protection legally permissible. There is an International
Edition that complies with export regulations and a domestic edition that
does not (called the North American Edition because it is legally available
in the U.S. and Canada). In the International Edition, users use two RSA
key pairs - one used to protect data integrity and authentication and
another (shorter) one to protect data confidentiality because only data
confidentiality key sizes are regulated by export controls. Full
interoperability between the North American and International Editions is
achieved by having the two ends negotiate down to the largest key size that
both ends support. This design came at no small cost, but it was the only
way we could deliver the best security possible to each of our customers
given the existing regulatory climate.

Differential Workfactor Cryptography is another innovation in the direction
of giving our customers the best security we can while continuing to oppose
the regulations that make the complexity necessary.

How it works: The idea behind Differential Workfactor Cryptography is
simple; whenever a bulk data key is created, a 64 bit random number is
chosen. If the use of that key is one involving data confidentiality and
the International Edition of Notes, 24 of the bits are encrypted under a
public RSA key that was provided to us by the U.S. government and the
result - called a Workfactor Reduction Field - is bound into the encrypted
data. There is no Workfactor Reduction Field in data used only by the
domestic edition of Notes, and there is none for keys that are not used
for data confidentiality (e.g. those used for authentication).

If an attacker wanted to break into a Notes system based on information
obtained by eavesdropping, he would have to exhaustively search a 64 bit
key space. Even the U.S. government would face this workfactor because
there is no Workfactor Reduction Field in keys used for authentication.
An attacker who wanted to read an encrypted document that was either read
from a server or eavesdropped from the wire would face a 64 bit workfactor.
But if the U.S. government needed to decrypt such a document it could
obtain 24 of the bits using its private key and the Workfactor Reduction Field
and then exhaustively search a 40 bit key space.

Tamper resistance: You might wonder what's to prevent someone from deleting
the Workfactor Reduction Field from a document or the setup protocol of a
network connection. This is similar to the problem faced in the Clipper
design to assure that the LEAF field was not removed from a conversation.
In a software only implementation, it is not possible to prevent tampering
entirely. The easiest form of tampering would be to smuggle the North
American Edition CD out of the U.S. or pass it to someone over the
Internet. The best a software implementation can do in terms of tamper
resistance is to make it impossible to remove the Workfactor Reduction
Field without modifying both the source of the data and the destination.
This can be done by having the destination check for the presence of the
Workfactor Reduction Field and refuse to decrypt the data if it is not
there or not correct. The destination can't decrypt the Workfactor
Reduction Field to check it, but knowing the bulk data key and the
government public key, it can regenerate the WRF and compare the result
with the supplied value. RSA has the convenient property that the same
value encrypted twice produces the same result; it would be somewhat more
complex (but still possible) to duplicate this functionality with other
public key algorithms. [Note: for this to work, the random pad that was
used in creating the WRF must be delivered to the recipient of the message.
For it to be secure, it must be delivered encrypted since a clever attacker
who knew the pad could do 2^24 trial encryptions to get 24 bits of the key
and then do 2^40 trial decryptions to recover the rest.]
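The following is an added Python model of the mechanism described in the "How it works" and "Tamper resistance" sections above; it is not Lotus Notes or Iris code. It uses textbook (unpadded, deterministic) RSA with toy primes near 2^31 so that it runs offline, which is exactly the "same value encrypted twice gives the same result" property the paper relies on for the recipient-side check. The 32-bit pad size, the choice of the top 24 bits of the bulk key, the government key pair and the sample values are all assumptions for the demo; the paper does not specify them.

```python
# Toy model of Differential Workfactor Cryptography (the 64/40 scheme).
# Assumptions (not from the paper): textbook RSA, ~2^62 modulus, 32-bit pad,
# the WRF carries the TOP 24 bits of the bulk key, fixed RNG seed for the demo.
import random
from math import gcd

KEY_BITS = 64   # bulk data key size (from the paper)
WRF_BITS = 24   # bits disclosed through the Workfactor Reduction Field (from the paper)
PAD_BITS = 32   # random pad size: assumed for this demo


def is_prime(n):
    """Trial-division primality test; fine for the ~2^31 toy primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def make_government_keypair():
    """Toy RSA pair standing in for the U.S. government's key (assumed, tiny modulus)."""
    p = next_prime(1 << 31)
    q = next_prime((1 << 31) + 100_000)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:
        e += 2
    d = pow(e, -1, phi)
    return (n, e), (n, d)          # (public, private)


def make_wrf(bulk_key, pad, public_key):
    """Sender: encrypt (pad || top 24 bits of the bulk key) under the government public key."""
    n, e = public_key
    top24 = bulk_key >> (KEY_BITS - WRF_BITS)
    m = (pad << WRF_BITS) | top24
    assert m < n, "message must fit in the RSA modulus"
    return pow(m, e, n)


def verify_wrf(bulk_key, pad, wrf, public_key):
    """Recipient: cannot decrypt the WRF, but knows the bulk key and the pad,
    so it regenerates the field and refuses the data if it is missing or wrong."""
    if wrf is None:                # field stripped from the message
        return False
    return make_wrf(bulk_key, pad, public_key) == wrf


def recover_with_private_key(wrf, private_key):
    """Private-key holder: learns 24 bits; the other 40 still need exhaustive search.
    Returns (top24, remaining_search_bits)."""
    n, d = private_key
    m = pow(wrf, d, n)
    top24 = m & ((1 << WRF_BITS) - 1)
    return top24, KEY_BITS - WRF_BITS


def demo(seed=1):
    """Walk one message through the scheme; returns the observable outcomes."""
    rng = random.Random(seed)                       # constructed sample values
    pub, priv = make_government_keypair()
    bulk_key = rng.getrandbits(KEY_BITS)
    pad = rng.getrandbits(PAD_BITS)                  # must travel encrypted in real use
    wrf = make_wrf(bulk_key, pad, pub)
    top24, remaining = recover_with_private_key(wrf, priv)
    return {
        "verify_ok": verify_wrf(bulk_key, pad, wrf, pub),
        "stripped_rejected": not verify_wrf(bulk_key, pad, None, pub),
        "corrupted_rejected": not verify_wrf(bulk_key, pad, wrf ^ 1, pub),
        "gov_top24_matches": top24 == bulk_key >> (KEY_BITS - WRF_BITS),
        "gov_remaining_bits": remaining,              # 40
        "outsider_bits": KEY_BITS,                    # 64
    }


if __name__ == "__main__":
    print(demo())
```

The check in `verify_wrf` works only because textbook RSA is deterministic, which is why the paper notes that other public key algorithms would need extra machinery; it also shows why the pad is part of the secret material: `demo` keeps the pad as a local, but on the wire it must be carried under encryption, since anyone who knows the pad could reproduce `make_wrf` for each of the 2^24 candidate prefixes and shrink the outsider's search to 40 bits.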



Frequently Asked Questions:

Q: Does this mean that the International Edition of Lotus Notes Release 4
is just as secure as the North American Edition against someone who does
not know the U.S. Government's key?

A: Almost. There are factors other than the 64 and 40 bit secret keys.
The International Edition is still limited to 512 bit RSA keys when they
are used for data confidentiality. The North American Edition uses 630 bit
RSA keys in this context. While 512 bit RSA keys are considerably more
secure than 40 bit secret keys, they are not as secure as 64 bit keys, so in
both cases it would be more cost effective to attack the RSA keys than to
attack the secret keys. In considering the security of the International
Edition, users must also assess the likelihood that an attacker might learn the
government's private key either by breaking through the government's
protective mechanisms or by breaking the single RSA key. If either were
to happen, the International Edition would become only as secure as other
40 bit products.

Q: Does Lotus also have a copy of the private key used to reduce the
workfactor from 64 to 40 bits?

A: No. The U.S. government generated the RSA key and supplied us with
the public component. We never had access to the private component (which
made debugging this thing a real joy!).

Q: How is this scheme different from Key Escrow?

A: While one goal may be the same - to provide exportable strong
cryptography - there are differences with respect to security,
functionality, and administrative convenience. It is more secure than
Key Escrow in that even if third parties misbehave, there remains a
substantial workfactor in breaking each individual message. It may be 
more or less secure than Key Escrow depending on the policies of the 
holder of the U.S. government key compared to the policies of possible 
Key Escrow agents.  It is less functional than some Key Escrow proposals 
because it is impractical to use this facility to recover lost keys. And 
it is more administratively convenient than key escrow because there is no 
communication with third parties necessary as part of setup. Notes is 
secure 'out of the box'.

Q: Does this scheme address law enforcement concerns within the U.S.
(i.e. should it be considered an alternative to Clipper)?

A: No. In only one way does this scheme address the Law Enforcement
interests of either U.S. or foreign governments: better information
security helps Law Enforcement to guard against information-related crimes.
As indicated by our continuing to go to considerable expense to maintain
both domestic and international editions, we continue to oppose any
limits on domestic use of strong cryptography.

</whitepaper>