More on fortifying Lotus Notes

Duncan Campbell duncan at gn.apc.org
Sun, 06 Jun 1999 16:26:40 +0100


There is only one NSA public key for all of Lotus IE, wherever, SFAIK.

The Lotus position on preventing tampering with the WRF is as follows:

"You might wonder what's to prevent someone from deleting the Workfactor 
Reduction Field from a document or the setup protocol of a network 
connection. This is similar to the problem faced in the Clipper design to 
assure that the LEAF field was not removed from a conversation.

In a software only implementation, it is not possible to prevent tampering 
entirely. The easiest form of tampering would be to smuggle the North 
American Edition CD out of the U.S. or pass it to someone over the 
Internet. The best a software implementation can do in terms of tamper 
resistance is to make it impossible to remove the Workfactor Reduction 
Field without modifying both the source of the data and the destination. 
This can be done by having the destination check for the presence of the 
Workfactor Reduction Field and refuse to decrypt the data if it is not 
there or not correct.

The destination can't decrypt the Workfactor Reduction Field to check it, 
but knowing the bulk data key and the government public key, it can 
regenerate the WRF and compare the result with the supplied value. RSA has 
the convenient property that the same value encrypted twice produces the 
same result; it would be somewhat more complex (but still possible) to 
duplicate this functionality with other public key algorithms. [Note: for 
this to work, the random pad that was used in creating the WRF must be 
delivered to the recipient of the message. For it to be secure, it must be 
delivered encrypted since a clever attacker who knew the pad could do 2^24 
trial encryptions to get 24 bits of the key and then do 2^40 trial 
decryptions to recover the rest.]"

Another Lotus NSA-friendly point: The International Edition is limited to 
512-bit RSA keys for data confidentiality (i.e., the session generating and 
passing the bulk data key).

Duncan
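
The recipient-side check described in the quoted Lotus text, as an added sketch that is not Lotus code and not part of the original message: the recipient regenerates the WRF from the bulk key, the pad and the government public key, and refuses to decrypt on a missing or mismatched field. The toy modulus, the 100-bit pad, the pad-then-key-bits layout and all function names are assumptions made for illustration; textbook RSA is used only because the check depends on it being deterministic.

```python
import secrets

# Constructed toy "government" RSA public key built from two Mersenne primes.
# Far too small for real use; it only lets the example run offline.
N = (2**61 - 1) * (2**89 - 1)
E = 65537

# Assumed layout (not from the original message): 64-bit bulk key, its top
# 24 bits escrowed, prefixed by a 100-bit random pad before encryption.
KEY_BITS, ESCROW_BITS, PAD_BITS = 64, 24, 100


def make_wrf(bulk_key: int, pad: int) -> int:
    """Textbook RSA over pad || escrowed bits: same inputs, same output."""
    escrowed = bulk_key >> (KEY_BITS - ESCROW_BITS)
    return pow((pad << ESCROW_BITS) | escrowed, E, N)


def recipient_accepts(bulk_key: int, pad: int, wrf) -> bool:
    """Regenerate the WRF from the public key and compare; no private key needed."""
    if wrf is None:  # field stripped in transit
        return False
    return wrf == make_wrf(bulk_key, pad)


def demo() -> dict:
    bulk_key = secrets.randbits(KEY_BITS)
    pad = secrets.randbits(PAD_BITS)  # reaches the recipient encrypted, per the note
    wrf = make_wrf(bulk_key, pad)
    return {
        "intact": recipient_accepts(bulk_key, pad, wrf),
        "stripped": recipient_accepts(bulk_key, pad, None),
        "altered": recipient_accepts(bulk_key, pad, wrf ^ 1),
        # WRF built for different escrowed bits than the key actually in use
        "wrong_key": recipient_accepts(bulk_key ^ (1 << 63), pad, wrf),
    }


if __name__ == "__main__":
    print(demo())
```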