More on fortifying Lotus Notes

William H. Geiger III whgiii at openpgp.net
Tue, 08 Jun 1999 01:56:48 -0500 

-----BEGIN PGP SIGNED MESSAGE-----

In <87emjpxbd1.fsf@hedonism.demon.co.uk>, on 06/06/99 
   at 10:33 PM, Paul Crowley <paul@hedonism.demon.co.uk> said:

>lists@notatla.demon.co.uk writes:
>> The session-key leakage is 24 bits (2^24=16777216).  If the same bogus
>> public key gets into wide circulation among L-Fortify users then the
>> NSA only has to compute 2^24 encryptions with that key and they are in
>> a position about as good as they already have.  This is a lookup table
>> that can be stored on a single disk even if it is stored in full which
>> should not be necessary.

>Happily, those 24 bits are padded with random data before encryption to
>prevent just such an attack.  The padding is sent encrypted so the WRF
>can be checked on receipt.

>I don't have the skills for poring through binaries reversing tests.
>Crackers who strip copy-protection mechanisms get very good at this sort
>of thing, though programmers are also getting good at making the
>cracker's job harder with some obfuscation tricks.  If there's code for
>checking the integrity of the public key, I'm going to be straight out of
>my depth.

>Can anyone think of a way of confirming a guess at which bit of the
>binary might be the public key more efficient than changing it and seeing
>what breaks?  Notes is so full of bugs that it would be hard to  tell
>whether a particular change had introduced one.  Where might I find
>documentation of the Notes encrypted message format such that I can see
>whether a given change affects the WRF?

While this seems like an interesting project, whouldn't the user community
be better served if one just wrote a PGP plug-in for Notes? I am not a
Notes user so I am not sure if we are talking document encryption or
client/server communication encryption. If it is the second, a ssh tunnel
should work.

- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii

Hi Jeff!! :)
- ---------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i OS/2 for non-commercial use
Comment: Registered_User_E-Secure_v1.1b1_ES000000
Charset: cp850

wnUDBQE3XL+p0fdTsSGZnTUBAcNFAv0VuwNidJrBzWalB/hYZ6HthrfFE1HFn7Go
yfA6btF9L7UBWQH3muEeXiIrmQ89J3jjvFuGwysc9q/ivqCePcOqJde9qikqzDQe
ONxlsGUmyxBJ3w9KBWvrnFuKyfVVLmM=
=qEIL
-----END PGP SIGNATURE-----