More on fortifying Lotus Notes

[Paul Crowley]

Ian BROWN <I.Brown@cs.ucl.ac.uk> writes:
> Paul Crowley wrote:
> >Is that because Lotus has been engineered such that it's harder to
> >reverse-engineer or modify?  Because presumably if we could find
> >where the NSA's public key is stored in the binary, a Lotus-Fortify
> >program could replace it with a randomly-generated one for which the
> >private key has been discarded?
> 
> "Playing hide and seek with stored keys" by Adi Shamir and Nicko van
> Someren describes how to use the high entropy of keys compared to
> program instructions and data to find an embedded key...
> 
> http://www.ncipher.com/products/files/papers/anguilla/keyhide2.pdf

I've finally fetched and read this paper, and it seems to be pretty
straightforward to implement.  A few questions:

* What legal hurdles stand in the way of (a) using a bunch of tools to
search the binary files that come with Notes to find the embedded
public key, (b) publishing the key, and (c) writing a program to find
the key and scramble it?

* How do I tell when I've found it? Do we have an example of plaintext
and ciphertext encrypted with this key, do we know what public key
algorithm they use and what key formats that might imply?

* What should be done to the key once it's found?  Is it sufficient to 
replace most of it with random noise, or is it important that it be
replaced with a real key?

cheers,
-- 
  __
\/ o\ paul@hedonism.demon.co.uk  http://www.hedonism.demon.co.uk/paul/ \ /
/\__/ Paul Crowley            Upgrade your legacy NT machines to Linux /~\